The Service field under Policies > Security is just the destination port number.
If you want to filter traffic in Monitor > Traffic then just use a filter.
For example, the filter below will show traffic towards port 443:
( port.dst eq 443 )
If you create a policy to allow tcp/80 then this will allow any application that is capable of running over port 80 (even Skype).
If you allow application web-browsing and service application-default then web-browsing can run only on its default port.
Now if you need to access a website that runs on some random port then you need to create a policy where the application is web-browsing and the service is the destination port you need.
A good example is if you decrypt SSL.
In this case first you need to permit SSL on the default port, that is 443.
Now if Palo removes the encryption then inside SSL there is web-browsing.
But what port does it run on? 443
So you need a dedicated rule to allow web-browsing on tcp/443, as 443 is not in the default port list of the web-browsing application.
So service is just the port number.
Application is the Layer 7 application identified by the firewall.
Under the Applications tab under Objects, every application will list the 'standard' ports that the application will utilize. In the case of web-browsing, then yes, the only port allowed is tcp/80; SSL only lists tcp/443; SMTP will list tcp/25,587.
The application and port/service settings are not really 'interchangeable'; yes, SMTP will function fine if I open tcp-25, but then anything else could also potentially use tcp-25.
A better example would be something like a large SQL environment where I have a large amount of non-standard ports open for the different database connections; in this case I will specify the application as mssql-db/mon depending on the connection and then specify a custom service for something like tcp-64280 or tcp-63180. Obviously I don't want every single application that could use these ports to actually be allowed, so as long as I have mssql specified I can rest relatively easy knowing that only the SQL connections will actually be allowed. If you simply allow the service and specify 'application any' then you are missing the vast majority of the advantages that come with a Palo Alto firewall.
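As an added illustration (not from either reply and not Palo Alto code), here is a small Python model of how the Application and Service fields of a rule combine when a session is evaluated. It covers the tcp/80-vs-Skype point and the SSL-decryption case from the first reply and the custom SQL port from the second; the default-port table comes from the replies, while the rule names, the mssql-db port and the session values are constructed for the example.

```python
# Constructed model of PAN-OS rule matching (not the firewall's real engine).
# Default ports come from the thread; everything else is made up for the demo.
from dataclasses import dataclass

APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "smtp": {("tcp", 25), ("tcp", 587)},
}

@dataclass(frozen=True)
class Rule:
    name: str
    application: str   # App-ID name, or "any"
    service: str       # "application-default", "any", or "<proto>/<port>"

@dataclass(frozen=True)
class Session:
    app: str           # application identified by App-ID (inner app once decrypted)
    proto: str
    dst_port: int

def rule_matches(rule: Rule, s: Session) -> bool:
    """Application must match (or be any), then the service constraint is applied."""
    if rule.application not in ("any", s.app):
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the ports the identified app lists as standard; an app with no
        # listed port never matches application-default.
        return (s.proto, s.dst_port) in APP_DEFAULT_PORTS.get(s.app, set())
    proto, port = rule.service.split("/")     # explicit custom service
    return s.proto == proto and s.dst_port == int(port)

def first_match(rules, s: Session):
    """Top-down evaluation: first matching rule wins, None means implicit deny."""
    for r in rules:
        if rule_matches(r, s):
            return r.name
    return None

RULES = [
    Rule("allow-ssl", "ssl", "application-default"),        # tcp/443 only
    Rule("allow-web", "web-browsing", "application-default"),  # tcp/80 only
    Rule("allow-web-443", "web-browsing", "tcp/443"),       # decrypted HTTP inside SSL
    Rule("allow-sql", "mssql-db", "tcp/64280"),             # constructed custom port
]
```

Decrypted web-browsing on 443 falls through allow-web and is caught by allow-web-443, while Skype on port 80 matches nothing in RULES but would match a rule with application any and service tcp/80.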