Regarding setting service: then of course if you limit, let's say, web-browsing down to TCP80 (where the TCP80 is put in the service column) then it won't be able to detect web-browsing which is passing at TCP8080 or any other port for this particular rule (because that will be dropped if you use a classic whitelisting setup of rules, meaning a bunch of allow rules which in the end have a deny+log). But I think it can be sane to manually specify which ports you wish to limit, because even if the grand feature of Palo Alto is application detection it doesn't mean that it will always succeed in detecting such applications, not to mention that "service-default" might change over time.

Also, if you set a huge range of ports (or "any" for that matter), before an application can be identified the traffic must be let through (depending on what the payload is). A simple test is to send "a b c" as an HTTP request to a webserver hidden behind a PAN and you will notice that PAN will let this packet through to the server, but as soon as the server replies, the reply will not be let back to the client (because it is when PAN gets the reply from the server that it knows the request was HTTP and not something that just uses TCP80, which means that the flow will be denied once it has figured out the flow is not about web-browsing and your rule only allows web-browsing).

So in my case I recommend to first set up the rule in PAN as you would with a normal SPI-based firewall. Then choose appid for that rule, and finally go to the service column and change specific ports into either a manually defined range/ports, or "service default", or "any" for very chatty protocols (for example many Microsoft-based ones are badly constructed from a network point of view). One of the points of using a NGFW is to improve the security by setting up rules not only on port but also on application. If you set "any" as service you will in many cases lower the security, at least for the first few packets.
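The behaviour described in the post (first packets matched on service alone, re-evaluated once App-ID classifies the flow) as an added toy model, not code from the post or from Palo Alto Networks; the rule format, the `APP_DEFAULT_PORTS` table and the "unknown-tcp" label are constructed assumptions for the model:

```python
from dataclasses import dataclass

# Constructed subset of App-ID default ports, enough for this toy model.
APP_DEFAULT_PORTS = {"web-browsing": {"tcp/80"}, "ssl": {"tcp/443"}}

@dataclass
class Rule:
    name: str
    app: str         # "any" or one App-ID name
    service: object  # "any", "application-default", or a set like {"tcp/80"}
    action: str      # "allow" or "deny"

def service_matches(rule, port):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        apps = list(APP_DEFAULT_PORTS) if rule.app == "any" else [rule.app]
        return any(port in APP_DEFAULT_PORTS.get(a, set()) for a in apps)
    return port in rule.service

def lookup(rules, port, app=None):
    """First-match policy lookup. app=None models the packets seen before
    App-ID has classified the flow: an app-specific rule tentatively matches
    on its service alone, so those packets can reach the server."""
    for rule in rules:
        app_ok = rule.app == "any" or app is None or rule.app == app
        if app_ok and service_matches(rule, port):
            return rule.name, rule.action
    return "implicit-deny", "deny"

def trace_flow(rules, port, identified_app):
    """Decision for the first packets (app unknown) and after identification."""
    return lookup(rules, port)[1], lookup(rules, port, identified_app)[1]

# Classic whitelist: one allow rule followed by an explicit deny+log rule.
PORT_80_ONLY = [Rule("allow-web", "web-browsing", {"tcp/80"}, "allow"),
                Rule("deny-all", "any", "any", "deny")]
SERVICE_ANY = [Rule("allow-web", "web-browsing", "any", "allow"),
               Rule("deny-all", "any", "any", "deny")]

if __name__ == "__main__":
    # web-browsing on 8080 never matches the rule limited to tcp/80
    print(trace_flow(PORT_80_ONLY, "tcp/8080", "web-browsing"))  # ('deny', 'deny')
    # "a b c" on tcp/80: the request reaches the server, the reply is dropped
    print(trace_flow(PORT_80_ONLY, "tcp/80", "unknown-tcp"))     # ('allow', 'deny')
    # service "any": the first packets get through on every port
    print(trace_flow(SERVICE_ANY, "tcp/12345", "unknown-tcp"))   # ('allow', 'deny')
```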