Palo Alto Networks Knowledgebase: How Application-Default in the Rulebase Changes the Way Traffic is Matched

How Application-Default in the Rulebase Changes the Way Traffic is Matched

29336
Created On 02/07/19 23:57 PM - Last Updated 02/07/19 23:57 PM
Policy
Resolution

Overview

This document applies an example policy to describe how traffic is matched to a security policy, on the Palo Alto Networks firewall, depending on whether application-default is used or not.

Details

The following shows an example policy from the web UI (Policies > Security):

2014-01-16 11_39_41-PA-VM.png

The policies above are converted to following configuration on the firewall (part of the command output has been omitted):

> show running security-policy

r1 {

        from l3-trust;

        source any;

        to l3-untrust;

        destination any;

        application/service  ping/icmp/any/any;

        action allow;

}

r2 {

        from l3-trust;

        source any;

        to l3-untrust;

        destination any;

        application/service  ping/any/any/any;

        action allow;

}

r3 {

        from l3-trust;

        source any;

        to l3-untrust;

        destination any;

        application/service  web-browsing/tcp/any/80;

        action allow;

}

r4 {

        from l3-trust;

        source any;

        to l3-untrust;

        destination any;

        application/service  web-browsing/tcp/any/8888;

        action allow;

}

r5 {

        from l3-trust;

        source any;

        to l3-untrust;

        destination any;

        application/service  web-browsing/any/any/any;

        action allow;

}

r6 {

        from l3-trust;

        source any;

        to l3-untrust;

        destination any;

        application/service [ ssh/tcp/any/22 ping/icmp/any/any ];

        action allow;

}

"r7 deny" {

        from any;

        source any;

        to any;

        destination any;

        application/service  any/any/any/any;

        action deny;

}

The application/service fields in the output show: application/protocol/source port/destination port.

As seen above, the firewall converted the field "service" to specific values. The "application-default" service was converted to precisely defined protocols and ports. For example in rule "r6",  traffic which is either protcol icmp or tcp with dport 22 will be matched. Where service is left as any (as in the rule, "r2"), the firewall will accept any protocol and port.

Next, the following traffic is sent through the firewall:

echo request,

tcp syn to ports 80,1222,8888,9999

http request to ports 80,8888,9999,

ssh to ports 22,1222

As seen in the log entries below:

  • icmp-echo matched "r1"
  • tcp syn all matched "r2". Since the firewall only saw the TCP-SYN and this rule allows any port at that moment in time, it matched the rule. As there was no other traffic in the connection, it timed out and the firewall logged the application as "incomplete" with rule "r2" as the one which permitted the traffic.
  • http requests matched: port 80 - "r3": application-default for web-browsing is indeed tcp/80. Port 8888 does not match "r3" but it matches "r4". Port 9999 does not match "r2" and "r3" but it does match "r5", as it allows web-browsing on any port.
  • ssh to port 22 matches "r6". However, ssh to port 1222 did not match "r6" since it only allows the default port tcp/22. Instead, that traffic hit the deny rule, "r7".

2014-01-16 11_40_40-PA-VM.png

See Also

Incomplete, Insufficient data and Not-applicable in the application field

Security Policy Guidelines

owner: rweglarz



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV1CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language