Objects > Services
When you define security policies for specific applications, you can select one or more services to limit the port numbers the applications can use. The default service is any, which allows all TCP and UDP ports. The HTTP and HTTPS services are predefined, but you can add additional service definitions. Services that are often assigned together can be combined into service groups to simplify the creation of security policies (refer to Objects > Service Groups).
Additionally, you can use service objects to specify service-based session timeouts. This lets you apply different timeouts to different user groups even when those groups use the same TCP or UDP service, and, if you are migrating from a port-based security policy with custom applications to an application-based security policy, it lets you keep your custom application timeouts.
The following table describes the service settings:
Name: Enter the service name (up to 63 characters). This name appears in the services list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: Enter a description for the service (up to 255 characters).
Shared: Select this option if you want the service object to be available to every virtual system on a multi-vsys firewall or to every device group on Panorama.
Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this service object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Protocol: Select the protocol used by the service (TCP, UDP, or SCTP). You can specify SCTP only if you have enabled SCTP (Device > Setup > Management). SCTP runs on PA-5200 Series and VM-Series firewalls only.
Destination Port: Enter the destination port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Separate multiple ports or ranges with commas (for example, 80,443,8000-8080). The destination port is required.
Source Port: Enter the source port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Separate multiple ports or ranges with commas. The source port is optional; if you leave it empty, the service matches any source port.
Session Timeout: Define the session timeout for the service: inherit the timeouts of the matched application (the default) or override them with custom timeouts for this service. The following settings display only if you choose to override the application timeouts:
  TCP Timeout: Set the maximum length of time in seconds that a TCP session can remain open without traffic once data transmission has started (an idle timer). When this time expires, the session closes. Range is 1 - 604800. Default value is 3600 seconds.
  TCP Half Closed: Set the maximum length of time in seconds that a session remains open after only one side of the connection has attempted to close it, that is, after the firewall has seen the first FIN but before it sees the second FIN or an RST. If the timer expires, the session closes. Range is 1 - 604800. Default value is 120 seconds.
  TCP Wait Time: Set the maximum length of time in seconds that a session remains open after receiving the second of the two FIN packets required to terminate a session, or after receiving an RST packet to reset a connection. When the timer expires, the session closes. Range is 1 - 600. Default value is 15 seconds.
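Added example (not PAN-OS code, and not its configuration schema): a small Python model of a service object as the table above defines it. It validates the name, protocol, port syntax and timer ranges, fills in the table's default timers when the application timeouts are overridden, and evaluates whether a flow would match the object, including the predefined any service that admits all TCP and UDP ports. The sample objects and flows are constructed for illustration, and field names such as tcp_override are this example's own, not PAN-OS identifiers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]

# Timer limits from the service settings table: (minimum, maximum, default).
# Only the TCP timers the table lists are modelled here.
TCP_TIMER_LIMITS: Dict[str, Tuple[int, int, int]] = {
    "tcp_timeout":     (1, 604800, 3600),   # TCP Timeout
    "tcp_half_closed": (1, 604800, 120),    # TCP Half Closed
    "tcp_wait_time":   (1, 600, 15),        # TCP Wait Time
}
PROTOCOLS = ("tcp", "udp", "sctp")


def parse_ports(spec: str) -> List[PortRange]:
    """Parse a port field as the table defines it: comma-separated entries,
    each a single port 0-65535 or a range port1-port2 (low port first)."""
    ranges: List[PortRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not re.fullmatch(r"\d+(-\d+)?", item):
            raise ValueError(f"bad port entry {item!r} in {spec!r}")
        lo, _, hi = item.partition("-")
        lo_p = int(lo)
        hi_p = int(hi) if hi else lo_p
        if not 0 <= lo_p <= hi_p <= 65535:
            raise ValueError(f"port entry {item!r} is reversed or out of range")
        ranges.append((lo_p, hi_p))
    return ranges


def in_ranges(port: int, ranges: List[PortRange]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass
class Service:
    name: str
    protocol: str
    destination_port: str                           # required
    source_port: Optional[str] = None               # optional: None matches any source port
    tcp_override: Optional[Dict[str, int]] = None   # None = inherit from application

    def __post_init__(self) -> None:
        # Name rules from the table: 1-63 chars, letters/numbers/spaces/hyphens/underscores.
        if not 1 <= len(self.name) <= 63 or not re.fullmatch(r"[A-Za-z0-9 _-]+", self.name):
            raise ValueError("invalid service name")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        self.dst_ranges = parse_ports(self.destination_port)
        self.src_ranges = parse_ports(self.source_port) if self.source_port else None
        if self.tcp_override is not None:
            if self.protocol != "tcp":
                raise ValueError("the TCP timers in the table apply to TCP services only")
            unknown = set(self.tcp_override) - set(TCP_TIMER_LIMITS)
            if unknown:
                raise ValueError(f"unknown timer(s): {sorted(unknown)}")
            for timer, value in self.tcp_override.items():
                lo, hi, _ = TCP_TIMER_LIMITS[timer]
                if not lo <= value <= hi:
                    raise ValueError(f"{timer}={value} is outside {lo}-{hi}")

    def effective_timeouts(self) -> Optional[Dict[str, int]]:
        """Timers the firewall would apply: None when inherited from the
        application, otherwise the override with the table's defaults filled in."""
        if self.tcp_override is None:
            return None
        return {t: self.tcp_override.get(t, d) for t, (_, _, d) in TCP_TIMER_LIMITS.items()}

    def matches(self, protocol: str, dst_port: int, src_port: int) -> bool:
        """Does a flow (protocol, destination port, source port) hit this object?"""
        if protocol != self.protocol or not in_ranges(dst_port, self.dst_ranges):
            return False
        return self.src_ranges is None or in_ranges(src_port, self.src_ranges)


def policy_allows(services: list, protocol: str, dst_port: int, src_port: int) -> bool:
    """Service match for a policy rule: the predefined 'any' admits every TCP and
    UDP port; otherwise at least one listed object must match the flow."""
    for svc in services:
        if svc == "any":
            if protocol in ("tcp", "udp"):
                return True
        elif svc.matches(protocol, dst_port, src_port):
            return True
    return False


def is_rejected(make) -> bool:
    """Validation probe: True when constructing the object raises ValueError."""
    try:
        make()
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: a legacy app kept on a custom idle timeout during a
    # port-based to application-based policy migration.
    legacy = Service("legacy-app-8443", "tcp", "8443", tcp_override={"tcp_timeout": 1800})
    print(legacy.effective_timeouts())
    print(policy_allows([legacy], "tcp", 8443, 51000), policy_allows(["any"], "sctp", 3868, 51000))
```

The two checks a practitioner usually wants from such a model are visible in matches() and policy_allows(): a service with no source port admits any source port, and the default any service never admits SCTP, so SCTP traffic needs an explicit SCTP service object.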