Applications running on unusual ports can indicate an attacker attempting to circumvent traditional port-based protections. Application-default is a feature of Palo Alto Networks firewalls that gives you an easy way to prevent this type of evasion and safely enable applications on their most commonly used ports. Application-default is a best practice for application-based security policies—it reduces administrative overhead and closes security gaps that port-based policy introduces:
- Less overhead—Write simple application-based security policy rules based on your business needs, instead of researching and maintaining application-to-port mappings. We’ve defined the default ports for all applications with an App-ID.
- Stronger security—Enabling applications to run only on their default ports is a security best practice. Application-default helps you to make sure that critical applications are available without compromising security if an application is behaving in an unexpected way.
Additionally, the default ports an application uses can sometimes depend on whether the application is encrypted or cleartext. Port-based policy requires you to open all the default ports an application might use in order to account for encryption. Open ports introduce security gaps that an attacker can leverage to bypass your security policy. Application-default, however, differentiates between encrypted and cleartext application traffic, so it can enforce the correct default port for an application regardless of whether that traffic is encrypted.
For example, without application-default, you would need to open ports 80 and 443 to enable web-browsing traffic—you’d be allowing both cleartext and encrypted web-browsing traffic on both ports. With application-default turned on, the firewall strictly enforces cleartext web-browsing traffic only on port 80 and SSL-tunneled traffic only on port 443.
To see the ports that an application uses by default, you can visit Applipedia or select Objects > Applications. Application details include the application’s standard port—the port it most commonly uses when in cleartext. For web-browsing, SMTP, FTP, LDAP, POP3, and IMAP, the details also include the application’s secure port—the port the application uses when encrypted.
Select Policy > Security and add or modify a rule to enforce applications only on their default port(s):
Using application-default as part of an application-based security policy together with SSL decryption is a best practice. Additionally, if you have existing security policy rules that control web-browsing traffic with the Service set to service-http and service-https, you should update those rules to use application-default instead.
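The following is an added example, not Palo Alto Networks code or a reproduction of the firewall's matching engine. It models the two rule shapes contrasted on this page: the web-browsing example above (a port-based rule with service-http and service-https versus application-default) and the migration advice in the last paragraph. The App-ID default-port table and the sample sessions are constructed for illustration; the real tables live in Applipedia and in Objects > Applications. It also handles the general case the page implies, an application with a standard port but no secure port, for which encrypted traffic matches no default port at all.

```python
"""Model of a port-based rule versus an application-default rule.

Added example (not Palo Alto Networks code). DEFAULT_PORTS and SAMPLE_FLOWS
are constructed; only the web-browsing ports (80 cleartext, 443 encrypted)
are taken from the page.
"""
from dataclasses import dataclass

# Default ports by App-ID in the shape the page describes: a standard
# (cleartext) port and, for some applications, a secure (encrypted) port.
# Constructed table; "cleartext-only-app" is a hypothetical App-ID used to
# show an application that has no secure port.
DEFAULT_PORTS: dict[str, dict[str, set[int]]] = {
    "web-browsing": {"standard": {80}, "secure": {443}},
    "cleartext-only-app": {"standard": {7000}},
}

# The two port-based service objects the page says to replace.
SERVICE_HTTP = {80}
SERVICE_HTTPS = {443}


@dataclass(frozen=True)
class Flow:
    """One identified session: its App-ID, destination port, and whether
    the application traffic is encrypted."""
    app: str
    port: int
    encrypted: bool


def port_based_allows(flow: Flow) -> bool:
    """Rule: application = web-browsing, Service = service-http + service-https.

    Any web-browsing session on port 80 or 443 matches, whether it is
    cleartext or encrypted. That is the gap the page describes.
    """
    return flow.app == "web-browsing" and flow.port in (SERVICE_HTTP | SERVICE_HTTPS)


def app_default_allows(flow: Flow) -> bool:
    """Rule: application = web-browsing, Service = application-default.

    Cleartext traffic must arrive on the standard port and encrypted traffic
    on the secure port. An application with no secure port therefore never
    matches when its traffic is encrypted.
    """
    if flow.app != "web-browsing":
        return False
    ports = DEFAULT_PORTS[flow.app]
    expected = ports.get("secure", set()) if flow.encrypted else ports["standard"]
    return flow.port in expected


def default_port_ok(flow: Flow) -> bool:
    """Application-default check for any App-ID in the table, independent of
    which application a particular rule names."""
    ports = DEFAULT_PORTS.get(flow.app)
    if ports is None:
        return False
    expected = ports.get("secure", set()) if flow.encrypted else ports["standard"]
    return flow.port in expected


# Constructed sample sessions.
SAMPLE_FLOWS = [
    Flow("web-browsing", 80, encrypted=False),    # normal cleartext HTTP
    Flow("web-browsing", 443, encrypted=True),    # normal HTTPS
    Flow("web-browsing", 443, encrypted=False),   # cleartext HTTP on the HTTPS port
    Flow("web-browsing", 80, encrypted=True),     # TLS on the HTTP port
    Flow("web-browsing", 8080, encrypted=False),  # non-default port
]


def evasions_closed(flows: list[Flow]) -> list[Flow]:
    """Sessions the port-based rule lets through but application-default stops."""
    return [f for f in flows if port_based_allows(f) and not app_default_allows(f)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.app:13} port {f.port:<5} encrypted={str(f.encrypted):5} "
              f"port-based={str(port_based_allows(f)):5} "
              f"application-default={app_default_allows(f)}")
    print("closed by application-default:", evasions_closed(SAMPLE_FLOWS))
```

Running the block lists the two sessions that only the port-based rule admits: cleartext web-browsing on 443 and SSL-tunneled traffic on 80. The 8080 session is refused by both rules, which is the point of the migration advice: switching Service to application-default loses nothing a port-based rule legitimately allowed and removes the cross-port cases.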