www server in DMZ - what application should be allowed?

L4 Transporter

Hi

My www server is in the DMZ. I have a strict security policy that allows:

- web-browsing

- web-crawler

- ssl

- rss

- flash

I have application-default as a service.

Is it enough for indexing services like Google and any other?

Regards

SLawek

L4 Transporter

Hello slv,

It looks like there is a server installed in the DMZ and you would like to know what apps or services should be allowed.

1. Based on what services the server offers, the services and apps have to be configured accordingly so that those services on the server can be reached.

2. You can initially set apps to "any" and services to "any" if you want to know what kind of traffic is being requested. From this we can see what services and apps are being identified, so they can be opened up appropriately.

3. Also, with the existing setup you have certain apps and their default ports opened up. If you are seeing any drops in the traffic logs for connections trying to reach the server, and those connections are legitimate, then you know what more has to be opened up.

If we go to Applipedia or the Applications page on the firewall, there are a lot of applications pertaining to Google, and it is best to search there to add the required apps to allow the required traffic.

Thanks

L4 Transporter

Hi

That's all I know; I expected an answer based on real configurations and community users' experience.

Could someone share it?

With regards

Slawek

L5 Sessionator

Hi,

I think there is no standard config for Google and others; it depends on what you put on your server, on its content, on many things.

The best thing would be to change your policy to app "any", service "http", audit the flow for a couple of minutes and, based on the logs, create an accurate policy.

Hope this helps

V.

L4 Transporter

Never use apps alone for inbound connections to your DMZ Server, always use service ports for that. If you use apps only you will open a big hole in your firewall.

Maybe I misunderstood your question and you're talking about outbound traffic from your DMZ server.

L4 Transporter

Hi Gafrol

Could you explain to me why I should use service ports instead of applications? For me it's strange, i.e. on port 80 we have more than 2000 applications.

I'm using applications because I prefer to protect my servers (by threat prevention); PAN also checks the traffic for improper transmissions.

Am I wrong?

Regards

Slawek

L4 Transporter

Hi

As you suggested I changed the settings in the policy; now it's any/any as the application and service. The report made from yesterday's logs says:

[image: 2014-03-27_104606.png]

As you can see there are a lot of unwanted applications; I'd like to let these keep working:

- web-browsing

- flash

- ssl

- web-crawler

- ssh

- ftp

- ping

The rest of the applications are unwanted for me.

How should I reconfigure my security policy?

Should I put these applications into apps and create my own services:

web-browsing (tcp/80, tcp/443)

webdav (tcp/443, tcp/80)

ssh (tcp/22)

ftp (tcp/21, what about data stream?)

ping (icmp)

and put them into services?

Please help me to properly configure my device.

With Regards

Slawek

L4 Transporter

I have another question for you, related to this problem. In the daily report I got:

[image: 2014-03-27_111918.png]

Why are they blocked? I'm not using URL filtering in this security policy.

How to troubleshoot it?

Regards

Slawek

L4 Transporter

In the service column of the rule instead of using service "any" change it to "application-default". That should help.
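The advice in this thread boils down to two steps: run an any/any rule briefly, audit the traffic logs to see which applications actually hit the server, then allow only the wanted applications with service set to "application-default" so each app is only accepted on its expected port. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a handful of constructed, simplified traffic-log records, counts which applications were seen (the audit step), and then replays each record against a wanted-app list combined with an assumed per-application default-port table that stands in for the firewall's own application-default definitions. The field layout, the port table and the sample records are all assumptions made for illustration.

```python
"""Audit constructed traffic-log records and check them against an
app-plus-default-port policy. Added example; not the firewall's code."""
from collections import Counter

# Constructed sample records (timestamp, app, proto, dst port, action).
# This is a simplified, invented layout, not the real traffic-log format.
SAMPLE_LOG = """\
2014-03-27 10:46:01,web-browsing,tcp,80,allow
2014-03-27 10:46:02,ssl,tcp,443,allow
2014-03-27 10:46:03,web-crawler,tcp,80,allow
2014-03-27 10:46:04,ssh,tcp,22,allow
2014-03-27 10:46:05,ftp,tcp,21,allow
2014-03-27 10:46:06,ping,icmp,0,allow
2014-03-27 10:46:07,bittorrent,tcp,6881,allow
2014-03-27 10:46:08,web-browsing,tcp,8080,allow
2014-03-27 10:46:09,ssh,tcp,443,allow
2014-03-27 10:46:10,flash,tcp,80,allow
"""

# The applications the poster wants to keep working.
WANTED_APPS = {"web-browsing", "flash", "ssl", "web-crawler", "ssh", "ftp", "ping"}

# Assumed default ports per application: a hypothetical stand-in for the
# firewall's "application-default" service definitions.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "flash": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "web-crawler": {("tcp", 80)},
    "ssh": {("tcp", 22)},
    "ftp": {("tcp", 21)},
    "ping": {("icmp", 0)},
}


def parse_log(text):
    """Split the constructed CSV-style records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, proto, port, action = line.split(",")
        records.append({"ts": ts, "app": app, "proto": proto,
                        "port": int(port), "action": action})
    return records


def app_counts(text):
    """Audit step: how often each App-ID appeared during the any/any window."""
    return Counter(r["app"] for r in parse_log(text))


def evaluate(record, wanted=WANTED_APPS, defaults=APP_DEFAULT_PORTS):
    """Policy step: 'allow' only if the app is wanted AND it arrived on one
    of its default ports; otherwise say which check failed."""
    app = record["app"]
    if app not in wanted:
        return "deny-app"
    if (record["proto"], record["port"]) not in defaults.get(app, set()):
        return "deny-port"
    return "allow"


def verdicts(text):
    """Replay every record through the proposed rule; returns (app, port, verdict)."""
    return [(r["app"], r["port"], evaluate(r)) for r in parse_log(text)]


if __name__ == "__main__":
    print("Applications seen during audit:", dict(app_counts(SAMPLE_LOG)))
    for app, port, verdict in verdicts(SAMPLE_LOG):
        print(f"{app:<14} port {port:<5} -> {verdict}")
```

The point of the replay is the two distinct failure modes: `bittorrent` is rejected because it is not in the wanted list at all, while `web-browsing` on 8080 and `ssh` on 443 are rejected even though the application is wanted, because with application-default the app is only accepted on its expected port. Keeping service "any" would have let those two through, which is the hole the earlier reply warned about.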
