What is the behavior of application-default with SSL Decryption?
Created On 01/18/19 22:52 PM - Last Modified 03/05/25 10:18 AM
Question
An example is given below for the application web-browsing, before and after the PAN-OS 9.0 release.
Before PAN-OS 9.0
After PAN-OS 9.0
Environment
- NGFW
- PAN-OS 9.0 and above
- SSL Decryption
Answer
Before 9.0, a custom service object had to be created to match the decrypted traffic.
Starting in 9.0, an additional field called secure ports has been added, as indicated above. The application-default logic has been enhanced so that security policies with application-default configured will match against the decrypted traffic.
The example below demonstrates the behavior when the Application is set to web-browsing and the Service is set to application-default. Web-browsing will be allowed over both its standard and its secure port, so the security policy will allow web-browsing over both port 80 and port 443.
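The two approaches described above, written as PAN-OS configure-mode `set` commands. This is an added example, not taken from the original article; the zone names (`trust`, `untrust`), the rule names and the service object name `tcp-443` are assumptions, and the lines starting with `#` are annotations rather than CLI input.

```text
# --- Before PAN-OS 9.0 ---------------------------------------------------
# application-default for web-browsing does not cover decrypted traffic
# on port 443, so a custom service object is needed.
# (object name "tcp-443" is an assumption)
set service tcp-443 protocol tcp port 443

# Rule that matches decrypted web-browsing on the custom service.
# (zone and rule names are assumptions)
set rulebase security rules allow-web-decrypted from trust
set rulebase security rules allow-web-decrypted to untrust
set rulebase security rules allow-web-decrypted source any
set rulebase security rules allow-web-decrypted destination any
set rulebase security rules allow-web-decrypted application web-browsing
set rulebase security rules allow-web-decrypted service tcp-443
set rulebase security rules allow-web-decrypted action allow

# --- PAN-OS 9.0 and above ------------------------------------------------
# application-default now also matches the application's secure port,
# so one rule covers web-browsing on port 80 and decrypted web-browsing
# on port 443 without a custom service object.
set rulebase security rules allow-web from trust
set rulebase security rules allow-web to untrust
set rulebase security rules allow-web source any
set rulebase security rules allow-web destination any
set rulebase security rules allow-web application web-browsing
set rulebase security rules allow-web service application-default
set rulebase security rules allow-web action allow
```

Using application-default in the 9.0 rule keeps the allow scoped to the application's standard and secure ports.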
Additional Information
This feature enhancement applies to the following applications:
- web-browsing
- ldap
- smtp
- pop3
- imap
- ftp
Refer to the 9.0 PAN-OS® New Features Guide for more information:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html