The 'application-default' function prevents security evasion by only allowing
applications to run on their standard ports.
Where Can I Use This?
  Prisma Access
  Next-Generation Firewall
What Do I Need?
  This is a core Network Security feature for NGFWs and Prisma Access; no prerequisites needed.
Applications running on unusual ports can indicate an attacker attempting to
circumvent traditional port-based protections. Application-default is a feature
of Palo Alto Networks firewalls that gives you an easy way to prevent
this type of evasion and safely enable applications on their most
commonly-used ports. Application-default is a best practice for
application-based security policies—it reduces administrative overhead,
and closes security gaps that port-based policy introduces:
Less overhead—Write
simple application-based security policy rules based on your business
needs, instead of researching and maintaining application-to-port
mappings. We’ve defined the default ports for all applications with an App-ID.
Stronger security—Enabling applications to run only on
their default ports is a security best practice. Application-default helps
you to make sure that critical applications are available without
compromising security if an application is behaving in an unexpected
way.
Additionally, the default ports an application uses can sometimes depend on
whether the application is encrypted or cleartext. Port-based policy
requires you to open all the default ports an application might use to
account for encryption. Open ports introduce security gaps that an attacker
can leverage to bypass your security policy. However, application-default
differentiates between encrypted and clear-text application traffic. This
means that it can enforce the default port for an application, regardless of
whether it is encrypted or not.
For example, without application-default, you would need to open ports 80 and
443 to enable web-browsing traffic—you’d be allowing both cleartext and
encrypted web-browsing traffic on both ports. With application-default
turned on, the firewall strictly enforces cleartext web-browsing traffic
only on port 80 and SSL-tunneled traffic only on port 443.
To see the ports that an application uses by default, you can visit Applipedia
or select Objects > Applications. Application details include the application’s
standard port—the port it most commonly uses when in cleartext. For
web-browsing, SMTP, FTP, LDAP, POP3, and IMAP, the details also include the
application’s secure port—the port the application uses when encrypted.
Select Policy > Security and add or modify a rule to enforce applications only
on their default port(s) by setting the rule’s Service to application-default.
Using application-default as part of an
application-based security policy and with SSL decryption is a best
practice. Additionally, if you have existing security policy rules
that control web-browsing traffic with the Service set
to service-http and service-https, you should update those rules to
use application-default instead.
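The following is an added, constructed model (not PAN-OS code or data) of the difference the text describes between a rule whose Service is service-http plus service-https and a rule whose Service is application-default. It assumes a small default-port table: the web-browsing 80/443 pair comes from the text, while the smtp entry and the service-object port values are assumed illustrations.

```python
from dataclasses import dataclass

# Constructed sample of default ports: "standard" is the cleartext port,
# "secure" the port used when encrypted. web-browsing's 80/443 pair is
# from the text; the smtp entry (25/465) is an assumed illustration,
# not Applipedia data.
DEFAULT_PORTS = {
    "web-browsing": {"standard": {80}, "secure": {443}},
    "smtp": {"standard": {25}, "secure": {465}},
}

# Port-based service objects as the text names them (assumed port values).
SERVICE_OBJECTS = {"service-http": {80}, "service-https": {443}}


@dataclass(frozen=True)
class Flow:
    app: str          # application identified by App-ID
    port: int         # destination port
    encrypted: bool   # whether the application traffic is encrypted


def allowed_by_rule(flow, rule_apps, service):
    """True if a rule allowing `rule_apps` with Service `service` matches.

    `service` is either the string "application-default" or a list of
    service-object names such as ["service-http", "service-https"].
    """
    if flow.app not in rule_apps:
        return False
    if service == "application-default":
        ports = DEFAULT_PORTS.get(flow.app)
        if ports is None:  # no default port known: nothing is allowed
            return False
        return flow.port in ports["secure" if flow.encrypted else "standard"]
    # Port-based service: any listed port is open, whatever the app does there.
    open_ports = set().union(*(SERVICE_OBJECTS[name] for name in service))
    return flow.port in open_ports


def compare_web_rules(flow):
    """(port-based verdict, application-default verdict) for a web-browsing rule."""
    port_based = allowed_by_rule(flow, {"web-browsing"}, ["service-http", "service-https"])
    app_default = allowed_by_rule(flow, {"web-browsing"}, "application-default")
    return port_based, app_default


if __name__ == "__main__":
    for f in (Flow("web-browsing", 80, False), Flow("web-browsing", 443, False),
              Flow("web-browsing", 80, True), Flow("web-browsing", 8080, False)):
        print(f, "port-based/app-default:", compare_web_rules(f))
```

Cleartext web-browsing on port 443 and encrypted web-browsing on port 80 pass the port-based rule but fail the application-default rule, which is the gap the text describes.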