Network Security
Policy Object: Services
Specify the source and destination ports and protocol that a service can use.
When you define Security rules for specific applications, you can select one or more services to limit the port numbers those applications can use. The default service is any, which allows all TCP and UDP ports, so an application allowed with service any is also allowed on whatever non-standard port it can be made to use; where you know the ports an application uses, restrict the service to them (or choose application-default, which limits each application to its standard ports). The HTTP and HTTPS services are predefined, and you can add service definitions of your own.

A service object specifies the protocol (TCP or UDP), the destination ports, and optionally the source ports that a service can use. You can create a custom service on any TCP or UDP port of your choice to restrict application usage to specific ports on your network. A service object can also carry service-based session timeouts, which lets you apply different timeouts to rules that serve different user groups even when those groups use the same TCP or UDP service, and, if you are migrating from a port-based Security policy with custom applications to an application-based Security policy, lets you keep your custom application timeouts. Long timeouts keep idle sessions in the session table longer, so set them only as long as the application requires.

After you have created service objects, you can collect services that require the same policy enforcement into a Service Group, so that Security rules reference one object instead of a list of services.
Create a Custom Service
Create a Custom Service (Strata Cloud Manager)
Follow these steps to create a custom service.
- Go to Manage > Configuration > NGFW and Prisma Access > Objects > Service > Services.
- Add Service.
- Configure the settings:
  - Name: Enter the service name (up to 63 characters). This name appears in the services list when defining Security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  - Description: Enter a description for the service (up to 1,023 characters).
  - Protocol: Select the protocol used by the service (TCP or UDP).
  - Destination Port: Enter the destination port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Separate multiple ports or ranges with commas. The destination port is required.
  - Source Port: Enter the source port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Separate multiple ports or ranges with commas. The source port is optional.
  - Session Timeout: Define the session timeout for the service:
    - Inherit from application (default): No service-based timeouts are applied; the application timeout is applied.
    - Override: Define a custom session timeout for the service, then populate the TCP Timeout, TCP Half Closed, and TCP Wait Time fields.
  - The following settings display only if you choose Override:
    - TCP Timeout: Maximum length of time in seconds that a TCP session can remain open after data transmission has started. When this time expires, the session closes. Range is 1 to 604800 (7 days); the default is 3600 seconds.
    - TCP Half Closed: Maximum length of time in seconds that a session remains open when only one side of the connection has attempted to close it. The timer covers the period after the first FIN packet is received (one side is closing the session) but before the second FIN packet arrives (the other side is closing the session), and the period before an RST packet is received (an attempt to reset the connection). If the timer expires, the session closes. Range is 1 to 604800; the default is 120 seconds.
    - TCP Wait Time: Maximum length of time in seconds that a session remains open after receiving the second of the two FIN packets required to terminate a session, or after receiving an RST packet to reset a connection. When the timer expires, the session closes. Range is 1 to 600; the default is 15 seconds.
- Save your configuration.
- Select Push Config to save your configuration and deploy it to your network.
Create a Service Group (Strata Cloud Manager)
To simplify the creation of Security rules, you can combine services that require the same security settings into Service Groups.
- Go to Manage > Configuration > NGFW and Prisma Access > Objects > Service > Service Groups.
- Add Service Group.
- Configure the settings:
  - Name: Enter the Service Group name (up to 63 characters). This name appears in the services list when defining Security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  - Service: Click Add to add services to the group. Select from the drop-down, or click Service at the bottom of the drop-down to define a new service and specify its settings.
- Save your configuration.
- Select Push Config to save your configuration and deploy it to your network.
Create a Custom Service (PAN-OS & Panorama)
Follow these steps to create a custom service.
- Go to Objects > Services.
- Add a service.
- Configure the settings:
  - Name: Enter the service name (up to 63 characters). This name appears in the services list when defining Security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  - Description: Enter a description for the service (up to 1,023 characters).
  - Shared: Select this option if you want the service object to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the service object is available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the service object is available only to the Device Group selected in the Objects tab.
  - Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this service object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
  - Protocol: Select the protocol used by the service (TCP or UDP).
  - Destination Port: Enter the destination port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Separate multiple ports or ranges with commas. The destination port is required.
  - Source Port: Enter the source port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Separate multiple ports or ranges with commas. The source port is optional.
  - Session Timeout: Define the session timeout for the service:
    - Inherit from application (default): No service-based timeouts are applied; the application timeout is applied.
    - Override: Define a custom session timeout for the service, then populate the TCP Timeout, TCP Half Closed, and TCP Wait Time fields.
  - The following settings display only if you choose Override:
    - TCP Timeout: Maximum length of time in seconds that a TCP session can remain open after data transmission has started. When this time expires, the session closes. Range is 1 to 604800 (7 days); the default is 3600 seconds.
    - TCP Half Closed: Maximum length of time in seconds that a session remains open when only one side of the connection has attempted to close it. The timer covers the period after the first FIN packet is received (one side is closing the session) but before the second FIN packet arrives (the other side is closing the session), and the period before an RST packet is received (an attempt to reset the connection). If the timer expires, the session closes. Range is 1 to 604800; the default is 120 seconds.
    - TCP Wait Time: Maximum length of time in seconds that a session remains open after receiving the second of the two FIN packets required to terminate a session, or after receiving an RST packet to reset a connection. When the timer expires, the session closes. Range is 1 to 600; the default is 15 seconds.
- Select OK to save your configuration.
- Commit the configuration.
Create a Service Group (PAN-OS & Panorama)
To simplify the creation of Security rules, you can combine services that require the same security settings into Service Groups.
- Go to Objects > Service Groups.
- Add Service Group.
- Configure the settings:
  - Name: Enter the Service Group name (up to 63 characters). This name appears in the services list when defining Security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  - Shared: Select this option if you want the Service Group to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the Service Group is available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the Service Group is available only to the Device Group selected in the Objects tab.
  - Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Service Group in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
  - Service: Click Add to add services to the group. Select from the drop-down, or click Service at the bottom of the drop-down to define a new service and specify its settings.
- Select OK to save your configuration.
- Commit the configuration.
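The following model of a service object and a Service Group is an added example and is not Palo Alto Networks code; it serves both the Create a Custom Service and the Create a Service Group procedures above. It encodes the field rules those tables state (TCP or UDP; destination and source ports as numbers 0 to 65535 or port1-port2 ranges separated by commas; destination port required, source port optional; timeout ranges and defaults) and shows what it means for a session to fall under a service or group. The XML element names and the /config/shared XPaths used for the emitted configuration are assumptions to verify against the XML API browser of your PAN-OS version, and the object names and port values are constructed for the example.

```python
"""Service objects and Service Groups, modelled on the settings tables on this page.

Added example, not Palo Alto Networks code. Field rules come from the tables above; the
XML element names and /config/shared XPaths are assumptions to verify on your PAN-OS version.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRanges = List[Tuple[int, int]]
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,63}")  # letters, digits, space, hyphen, underscore

def parse_ports(spec: str) -> PortRanges:
    """Parse a port field such as '80', '8080-8090' or '443,8443,9000-9010'."""
    ranges: PortRanges = []
    for piece in spec.split(","):
        piece = piece.strip()
        lo_s, dash, hi_s = piece.partition("-")
        if not piece or (dash and not hi_s):
            raise ValueError(f"malformed port element {piece!r} in {spec!r}")
        lo = int(lo_s)                 # int() rejects non-numeric text
        hi = int(hi_s) if dash else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"{piece!r} is outside 0-65535 or reversed")
        ranges.append((lo, hi))
    return ranges

def check_port_spec(spec: str) -> bool:
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False

@dataclass
class Service:
    """One service object. Timeout fields left as None mean 'Inherit from application'."""
    name: str
    protocol: str                          # "tcp" or "udp"
    destination_port: str                  # required, e.g. "8080-8090,8443"
    source_port: Optional[str] = None      # optional
    tcp_timeout: Optional[int] = None      # 1-604800 s, default 3600 when overriding
    tcp_half_closed: Optional[int] = None  # 1-604800 s, default 120
    tcp_time_wait: Optional[int] = None    # 1-600 s, default 15

    def __post_init__(self) -> None:
        if not NAME_RE.fullmatch(self.name):
            raise ValueError(f"invalid service name {self.name!r}")
        if self.protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        self.dst_ranges = parse_ports(self.destination_port)
        self.src_ranges = parse_ports(self.source_port) if self.source_port else None
        for label, v, hi in (("TCP Timeout", self.tcp_timeout, 604800),
                             ("TCP Half Closed", self.tcp_half_closed, 604800),
                             ("TCP Wait Time", self.tcp_time_wait, 600)):
            if v is not None and not 1 <= v <= hi:
                raise ValueError(f"{label} must be 1-{hi}, got {v}")

    def matches(self, protocol: str, dport: int, sport: int) -> bool:
        """Would a session with this protocol and port pair fall under the service?"""
        if protocol != self.protocol or not any(a <= dport <= b for a, b in self.dst_ranges):
            return False
        return self.src_ranges is None or any(a <= sport <= b for a, b in self.src_ranges)

    def to_xml(self) -> str:
        """<entry> element for xpath /config/shared/service (assumed schema)."""
        parts = [f'<entry name="{self.name}"><protocol><{self.protocol}>',
                 f"<port>{self.destination_port}</port>"]
        if self.source_port:
            parts.append(f"<source-port>{self.source_port}</source-port>")
        timeouts = (self.tcp_timeout, self.tcp_half_closed, self.tcp_time_wait)
        if any(v is not None for v in timeouts):  # Override chosen: fill gaps with defaults
            t, h, w = (d if v is None else v for v, d in zip(timeouts, (3600, 120, 15)))
            parts.append(f"<override><yes><timeout>{t}</timeout>"
                         f"<halfclose-timeout>{h}</halfclose-timeout>"
                         f"<timewait-timeout>{w}</timewait-timeout></yes></override>")
        parts.append(f"</{self.protocol}></protocol></entry>")
        return "".join(parts)

@dataclass
class ServiceGroup:
    """A Service Group matches a session when any member service matches it."""
    name: str
    members: List[Service]

    def matches(self, protocol: str, dport: int, sport: int) -> bool:
        return any(s.matches(protocol, dport, sport) for s in self.members)

    def to_xml(self) -> str:
        """<entry> element for xpath /config/shared/service-group (assumed schema)."""
        inner = "".join(f"<member>{s.name}</member>" for s in self.members)
        return f'<entry name="{self.name}"><members>{inner}</members></entry>'

if __name__ == "__main__":
    # Constructed objects: web on non-standard ports with a short TCP timeout, plus UDP DNS.
    web_alt = Service("web-alt", "tcp", "8080-8090,8443", "1024-65535", tcp_timeout=600)
    group = ServiceGroup("grp-web-dns", [web_alt, Service("dns-udp", "udp", "53")])
    print(group.matches("tcp", 8443, 40000), group.matches("tcp", 8443, 80))  # True False
    print(web_alt.to_xml(), group.to_xml(), sep="\n")
```

The matching logic is the point to notice: a service narrows a rule to a protocol and port set, and an optional source-port range narrows it further (the constructed web-alt service rejects a client connecting from port 80), while a group is satisfied by any one member. The emitted <entry> strings are the form you would pass as the element parameter of a type=config&action=set call against the XML API, with the XPath shown in each to_xml docstring; a shared object is only the right choice when every vsys or device group should see it, as the Shared setting above describes.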