My www server is in the DMZ. I have a strict security policy that allows:
I have application-default as the service.
Is it enough for indexing services like Google and any others?
Looks like there is a server installed in the DMZ and you would like to know what apps or services should be allowed.
1. Based on what services the server offers, the services and apps have to be configured accordingly to allow access to those services on the server.
2. You can initially set apps to "any" and services to "any" if you want to know what kind of traffic is being requested. That way we can see what services and apps are being identified and open them up appropriately.
3. Also, with the existing setup you have certain apps and their default ports opened up. If you are seeing any drops in the traffic logs for connections trying to reach the server, and those connections are legitimate, then you know what more has to be opened up.
If we go to Applipedia or the Applications page on the firewall, there are a lot of applications pertaining to Google, and it is best to search there to add the required apps to allow the required traffic.
I think there is no similar config for Google and others; it depends on what you put in there, on the content on your server, on many things.
The best thing would be to change your policy to app any, service http, audit the flow for a couple of minutes, and based on the logs create an accurate policy.
Never use apps alone for inbound connections to your DMZ server; always use service ports for that. If you use apps only, you will open a big hole in your firewall.
Maybe I misunderstood your question and you're talking about outbound from your DMZ server.
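As an added example that is not part of this thread and not Palo Alto Networks' own code: the audit step the replies above describe (run the rule as any/any for a while, read the traffic log, then tighten) can be done with a short script. It groups each observed App-ID by the (protocol, port) it was actually seen on and proposes rules that pair every wanted app with explicit service ports, so that no inbound rule relies on App-ID alone. The log lines are constructed and use a simplified field layout rather than the real PAN-OS traffic-log CSV export; WANTED_APPS and PUBLISHED_PORTS are assumptions standing in for what the server really offers.

```python
"""Audit a temporary any/any DMZ rule's traffic log and propose a tighter
rule set that pairs each wanted App-ID with the explicit service ports it
was observed on (never an app alone for inbound traffic).

Added example, not code from the thread or from Palo Alto Networks.
SAMPLE_LOG is constructed with a simplified field layout, not the real
PAN-OS CSV export; WANTED_APPS and PUBLISHED_PORTS are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of what a permissive rule's traffic log might show.
SAMPLE_LOG = """\
receive_time,src,dst,proto,dport,app,action
2014-03-10 09:01:02,203.0.113.5,10.10.0.10,tcp,80,web-browsing,allow
2014-03-10 09:01:05,203.0.113.5,10.10.0.10,tcp,443,ssl,allow
2014-03-10 09:01:09,203.0.113.6,10.10.0.10,tcp,80,web-browsing,allow
2014-03-10 09:02:11,198.51.100.7,10.10.0.10,tcp,80,webdav,allow
2014-03-10 09:03:40,198.51.100.9,10.10.0.10,tcp,21,ftp,allow
2014-03-10 09:03:41,198.51.100.9,10.10.0.10,tcp,50123,ftp,allow
2014-03-10 09:05:00,192.0.2.44,10.10.0.10,tcp,80,ssh,allow
2014-03-10 09:06:13,192.0.2.45,10.10.0.10,tcp,3389,ms-rdp,allow
2014-03-10 09:07:30,192.0.2.46,10.10.0.10,udp,53,dns,allow
2014-03-10 09:08:00,203.0.113.5,10.10.0.10,tcp,8080,web-browsing,allow
"""

# Assumptions for the example: the apps the poster wants to keep, and the
# ports the server is actually published on.
WANTED_APPS = {"web-browsing", "ssl", "webdav", "ftp"}
PUBLISHED_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 21)}


def parse_log(text):
    """Return the log as a list of dicts with dport converted to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def summarize(rows):
    """Count sessions per App-ID and per (proto, dport) it was seen on."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in rows:
        summary[row["app"]][(row["proto"], row["dport"])] += 1
    return {app: dict(ports) for app, ports in summary.items()}


def propose_rules(summary, wanted, published):
    """Split observed traffic into three buckets:
    allow    - wanted app paired with the published ports it used
    review   - wanted app seen on a port you do not publish (e.g. an FTP
               data channel or web-browsing on 8080); decide explicitly
    unwanted - everything else; it stays blocked by the default deny
    """
    allow, review, unwanted = {}, [], []
    for app, ports in summary.items():
        if app not in wanted:
            unwanted.append(app)          # e.g. ssh tunnelled over tcp/80
            continue
        services = []
        for proto, port in ports:
            if (proto, port) in published:
                services.append(f"{proto}/{port}")
            else:
                review.append((app, proto, port))
        if services:
            allow[app] = sorted(services)
    return {"allow": allow, "review": sorted(review), "unwanted": sorted(unwanted)}


if __name__ == "__main__":
    proposal = propose_rules(summarize(parse_log(SAMPLE_LOG)),
                             WANTED_APPS, PUBLISHED_PORTS)
    for app, services in proposal["allow"].items():
        print(f"allow  app={app:<13} service={','.join(services)}")
    for app, proto, port in proposal["review"]:
        print(f"review app={app:<13} seen on {proto}/{port}, not published")
    print("unwanted (keep denied):", ", ".join(proposal["unwanted"]))
```

The "review" bucket is the part worth a human decision: the ftp session on tcp/50123 is what a data connection looks like in the log, and web-browsing on tcp/8080 is either a port you forgot you publish or a probe. Note that the ssh session arrives on tcp/80, which is exactly why the rule should carry both the App-ID and the service: port 80 alone would let it through, App-ID alone would let web-browsing through on any port.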
Could you explain to me why I should use service ports instead of applications? For me it's strange, i.e. on port 80 we have more than 2000 applications.
I'm using applications because I prefer to protect my servers (by threat prevention); PAN also checks the traffic for improper transmissions.
Am I wrong?
As you suggested I changed the settings in the policy; now it's any/any for both application and services. The report made from yesterday's logs says:
As you can see there are a lot of unwanted applications. I'd like to let these keep working:
The rest of the applications are unwanted for me.
How should I reconfigure my security policy?
Should I put these applications into apps and create my own services:
web-browsing (tcp/80, tcp/443)
webdav (tcp/443, tcp/80)
ftp (tcp/21, what about data stream?)
and put them into services?
Please help me to configure my device properly.
I have another question for you, related to this problem. In the daily report I got:
Why are they blocked? I'm not using URL filtering in this security policy.
How to troubleshoot it?