Applications running on unusual ports can
indicate an attacker that is attempting to circumvent traditional port-based
protections. Application-default is a feature
of Palo Alto Networks firewalls that gives you an easy way to prevent
this type of evasion and safely enable applications on their most
commonly used ports. Application-default is a best practice for
application-based security policies—it reduces administrative overhead
and closes security gaps that port-based policy introduces:
Less overhead—Write
simple application-based security policy rules based on your business
needs, instead of researching and maintaining application-to-port
mappings. We’ve defined the default ports for all applications with an App-ID.
Stronger security—Enabling applications
to run only on their default ports is a security best practice. Application-default
helps you to make sure that critical applications are available
without compromising security if an application is behaving in an
unexpected way.
Additionally, the default ports an application
uses can sometimes depend on whether the application is encrypted
or cleartext. Port-based policy requires you to open all the default
ports an application might use to account for encryption. Open ports
introduce security gaps that an attacker can leverage to bypass
your security policy. However, application-default differentiates
between encrypted and clear-text application traffic. This means
that it can enforce the default port for an application, regardless
of whether it is encrypted or not.
For example, without application-default,
you would need to open ports 80 and 443 to enable web-browsing traffic—you’d
be allowing both cleartext and encrypted web-browsing traffic on
both ports. With application-default turned on, the firewall strictly
enforces cleartext web-browsing traffic only on port 80 and SSL-tunneled
traffic only on port 443.
To see the ports that
an application uses by default, you can visit Applipedia or select Objects > Applications.
Application details include the application’s standard
port—the port it most commonly uses when in cleartext.
For web-browsing, SMTP, FTP, LDAP, POP3, and IMAP, the details also include
the application’s secure port—the port the application
uses when encrypted.
Select Policy > Security and
add or modify a rule to enforce applications only on their default
port(s):
Using application-default as part of an
application-based security policy and with SSL decryption is a best
practice. Additionally, if you have existing security policy rules
that control web-browsing traffic with the Service set
to service-http and service-https, you should update those rules to
use application-default instead.
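The following is an added example, not Palo Alto Networks code: a small audit script that scans an exported PAN-OS security rulebase and reports web-browsing rules that still use service-http and service-https so they can be switched to application-default. It assumes the rulebase XML layout of exported PAN-OS configurations (rulebase/security/rules/entry with application and service member lists); the configuration embedded below is constructed for the demonstration.

```python
"""Find web-browsing rules that rely on service-http/service-https instead of
application-default. Added example (not Palo Alto Networks code); the XML
layout is assumed to match an exported PAN-OS rulebase."""
import xml.etree.ElementTree as ET

# Constructed sample rulebase: one legacy port-based web rule, one web rule
# already on application-default, and one non-web rule that is fine as is.
SAMPLE_CONFIG = """<config>
 <rulebase><security><rules>
  <entry name="allow-web-legacy">
   <application><member>web-browsing</member><member>ssl</member></application>
   <service><member>service-http</member><member>service-https</member></service>
   <action>allow</action>
  </entry>
  <entry name="allow-web-appdefault">
   <application><member>web-browsing</member><member>ssl</member></application>
   <service><member>application-default</member></service>
   <action>allow</action>
  </entry>
  <entry name="allow-dns">
   <application><member>dns</member></application>
   <service><member>application-default</member></service>
   <action>allow</action>
  </entry>
 </rules></security></rulebase>
</config>"""

# Explicit service objects that open both 80 and 443 to any web traffic.
PORT_BASED_WEB_SERVICES = {"service-http", "service-https"}


def rules_needing_application_default(config_xml: str) -> list[str]:
    """Return names of rules that allow web-browsing on explicit HTTP/HTTPS
    service objects. Such rules admit cleartext traffic on 443 and
    SSL-tunneled traffic on 80; setting Service to application-default
    pins cleartext web-browsing to 80 and SSL to 443."""
    root = ET.fromstring(config_xml)
    findings = []
    for entry in root.iterfind("./rulebase/security/rules/entry"):
        apps = {m.text for m in entry.iterfind("./application/member")}
        services = {m.text for m in entry.iterfind("./service/member")}
        if "web-browsing" in apps and services & PORT_BASED_WEB_SERVICES:
            findings.append(entry.get("name"))
    return findings


if __name__ == "__main__":
    for name in rules_needing_application_default(SAMPLE_CONFIG):
        print(f"rule {name!r}: change Service to application-default")
```

To run it against a real device, replace SAMPLE_CONFIG with the contents of an exported running configuration.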