I have attached a PDF that shows screenshots of the same rule, in four different variations. I am trying to understand the relationship between using applications and traditional ports. I have a server that has a static public IP NATed to the private internal IP. I need telnet, FTP and web browsing allowed on it.

I originally set up the rule to be like #3, using the default PA-provided service group of service-http (which covers 80 and 8080) and the applications FTP and Telnet. None of the three services worked under this configuration. I modified the rule to look like #1 and all three services worked. So I played with it more to see how the relationship between applications and services works and came up with two additional variations, #2 and #4. #2 works like #1: all three applications work. In #4, FTP and Telnet do not work, but the website does.

So my question to you all is: what is this relationship doing? Why does #3 not allow any of the three services to work, yet #4 allows the website to work but not FTP and Telnet? Can I mix and match applications and services in the same rule, or do I need to break them apart?

This simple example is not a big deal, but I have some servers that use known applications like FTP and MSSQL that I would like to switch over to pure applications in the rule; they also have some proprietary ports that are unique to them that I will need to keep listed as services. So before I start mucking with them I'd like to have a better understanding of how this is supposed to be working. Thanks for any advice and guidance.