Safely Enable Applications on Default Ports

Applications running on unusual ports can indicate an attacker that is attempting to circumvent traditional port-based protections. Application-default is a feature of Palo Alto Networks firewalls that gives you an easy way to prevent this type of evasion and safely enable applications on their most commonly-used ports. Application-default is a best practice for application-based security policies—it reduces administrative overhead, and closes security gaps that port-based policy introduces:
  • Less overhead—Write simple application-based security policy rules based on your business needs, instead of researching and maintaining application-to-port mappings. We’ve defined the default ports for all applications with an App-ID.
  • Stronger security—Enabling applications to run only on their default ports is a security best practice. Application-default helps you to make sure that critical applications are available without compromising security if an application is behaving in an unexpected way.
    Additionally, the default ports an application uses can sometimes depend on whether the application is encrypted or cleartext. Port-based policy requires you to open all the default ports an application might use to account for encryption. Open ports introduce security gaps that an attacker can leverage to bypass your security policy. However, application-default differentiates between encrypted and clear-text application traffic. This means that it can enforce the default port for an application, regardless of whether it is encrypted or not.
    For example, without application-default, you would need to open ports 80 and 443 to enable web-browsing traffic—you’d be allowing both cleartext and encrypted web-browsing traffic on both ports. With application-default turned on, the firewall strictly enforces cleartext web-browsing traffic only on port 80 and SSL-tunneled traffic only on port 443.
To see the ports that an application uses by default, you can visit Applipedia or select ObjectsApplications. Application details include the application’s standard port—the port it most commonly uses when in cleartext. For web-browsing, SMTP, FTP, LDAP, POP3, and IMAP details also include the application’s secure port—the port the application uses when encrypted.
app-id-secure-port.png
Select PolicySecurity and add or a modify a rule to enforce applications only on their default port(s):
app-default.png
Using application-default as part of an application-based security policy and with SSL decryption is a best practice. Additionally, if you have existing security policy rules that control web-browsing traffic with the Service set to service-http and service-https, you should update those rules to use application-default instead.

Related Documentation