How to use APP-ID with service on non-standard ports
11220
Created On 11/08/22 10:27 AM - Last Modified 11/10/23 03:55 AM
Objective
To use APP-ID on a non-standard (custom) port.
Environment
- Palo Alto Firewalls
- PAN-OS 9.1 and above
- APP-IDs
Procedure
- Identify the application's standard ports by looking it up on Applipedia.
- Create a separate rule for each application that needs to run on a non-standard port.
- Fill in the General, Source and Destination fields as required.
- In the 'Application' tab, select the application you need.
- In the 'Service' tab, select or create the service object for the non-standard port.
Example with SSH on port 222:
- A policy is in place that should allow SSH traffic (GUI: Policies > Security).
- This traffic is denied (GUI: Monitor > Logs > Traffic) because the SSH traffic is being received on port 222, a non-standard port, which the rule's service does not cover.
- Create a new service object for TCP port 222 (for example, TCP_222).
- Modify the policy to add the new service 'TCP_222'.
- The SSH traffic on port 222 is now allowed (GUI: Monitor > Logs > Traffic).
Additional Information
Considerations:
- Modifying the existing rule will allow the traffic only on the added port, because the rule's service is replaced rather than extended (in this example, SSH is now blocked on port 22 and allowed only on port 222).
- To allow both the standard and the non-standard port, keep the existing rule and create new policies that allow the applications on their non-standard ports.
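To make the consideration above concrete, the following is an added example (not Palo Alto code or part of this article) that models PAN-OS first-match rule evaluation with the "application-default" service semantics; the rule names, zones and the Applipedia port table are constructed for the illustration. It shows that swapping the existing rule's service for TCP_222 drops SSH on port 22, while a separate rule keeps both ports allowed.

```python
"""Added example: a minimal first-match model of PAN-OS security policy
evaluation. Not Palo Alto's code; rule names and the port table are
constructed for this illustration."""

# Standard ports as listed on Applipedia for the apps used here (constructed subset).
APPLIPEDIA_STANDARD_PORTS = {"ssh": {22}, "web-browsing": {80}}

# The new service object created in the procedure: TCP port 222.
TCP_222 = {222}


def service_matches(service, app, port):
    """'application-default' means the app's Applipedia ports; otherwise the
    service is a set of explicitly configured ports (one or more service objects)."""
    if service == "application-default":
        return port in APPLIPEDIA_STANDARD_PORTS.get(app, set())
    return port in service


def evaluate(rules, app, port):
    """Walk the rulebase top to bottom and return (rule name, action) of the
    first rule whose application and service both match; if nothing matches,
    the implicit default rule denies the session."""
    for rule in rules:
        app_ok = "any" in rule["applications"] or app in rule["applications"]
        if app_ok and service_matches(rule["service"], app, port):
            return rule["name"], rule["action"]
    return "interzone-default", "deny"


# Option A from Considerations: the existing rule is modified. PAN-OS does not
# mix application-default with other service objects, so the service becomes
# TCP_222 only and port 22 is no longer covered.
MODIFIED_RULE = [
    {"name": "Allow-SSH", "applications": {"ssh"}, "service": TCP_222, "action": "allow"},
]

# Option B from Considerations: the original rule stays and a separate rule
# allows the same application on the non-standard port.
SEPARATE_RULES = [
    {"name": "Allow-SSH", "applications": {"ssh"}, "service": "application-default", "action": "allow"},
    {"name": "Allow-SSH-222", "applications": {"ssh"}, "service": TCP_222, "action": "allow"},
]

if __name__ == "__main__":
    for label, rules in (("modified rule", MODIFIED_RULE), ("separate rules", SEPARATE_RULES)):
        for port in (22, 222):
            print(label, "ssh on port", port, "->", evaluate(rules, "ssh", port))
```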