Strict Default Ports for Decrypted Applications

Use application-default to safely enable applications on their most commonly-used ports. Application-default strictly enforces standard port usage even for those applications that use a different default port when they are encrypted.
Application-default lets you write simple, application-based policy rules based on your business needs, while preventing attacks that attempt to bypass traditional port-based policies.
Now, because certain applications use a different default port when they are encrypted, application-default differentiates between cleartext and encrypted application traffic when SSL decryption is turned on. For the applications that require it, like web-browsing, application-default enforces the application on both the standard port—the port the cleartext application uses—and the secure port—the port the encrypted application uses.
In the case of web-browsing, for example, this means that application-default now strictly enforces cleartext web-browsing traffic only on port 80 and SSL-tunneled web-browsing traffic only on port 443. Application-default for encrypted applications works by default and is supported for web-browsing, SMTP, FTP, LDAP, POP3 and IMAP traffic. For these applications, you can visit Applipedia or select Objects > Applications to view application details, which include the secure port each application uses when encrypted.
Application-default is a best practice for application-based security policies and SSL decryption:
  • If you’re decrypting SSL traffic, use application-default in your security policy rules. As the firewall decrypts SSL traffic and identifies the tunneled applications as web-browsing, SMTP, FTP, POP3, LDAP, or IMAP, application-default directs it to enforce those applications on the secure port.
  • We recommend that you update security policy rules that control web-browsing. Security policy rules that are currently configured to enforce web-browsing traffic on service-http and service-https should be updated to instead allow web-browsing only on the application-default ports (Policies > Security > Service/URL Category).
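One way to find the rules this recommendation applies to, as an added example that is not part of the original documentation: it parses a security rulebase exported as XML and flags allow rules that permit one of the listed applications on any service other than application-default. It goes beyond web-browsing to cover all six applications; the sample rulebase is constructed, and the lowercase App-ID names and the entry/member layout are assumptions about the export format.

```python
import xml.etree.ElementTree as ET

# App-ID names for the six applications the page lists (assumed spellings).
DECRYPTED_APPS = {"web-browsing", "smtp", "ftp", "ldap", "pop3", "imap"}

# Constructed sample rulebase; the entry/member layout is an assumption.
SAMPLE_CONFIG = """
<rules>
  <entry name="allow-web-legacy">
    <application><member>web-browsing</member></application>
    <service><member>service-http</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-web-strict">
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-mail-any">
    <application><member>smtp</member><member>imap</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="block-ftp">
    <application><member>ftp</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>
"""

def members(entry, tag):
    """Return the <member> values under entry/<tag>, or [] if the tag is absent."""
    node = entry.find(tag)
    return [] if node is None else [m.text.strip() for m in node.findall("member") if m.text]

def audit_rules(xml_text):
    """Return (rule, apps, services) for allow rules not pinned to application-default."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        if entry.findtext("action", "").strip() != "allow":
            continue  # only allow rules open ports to the application
        apps = sorted(DECRYPTED_APPS.intersection(members(entry, "application")))
        services = members(entry, "service")
        if apps and services != ["application-default"]:
            findings.append((entry.get("name"), apps, services))
    return findings

if __name__ == "__main__":
    for name, apps, services in audit_rules(SAMPLE_CONFIG):
        print(f"{name}: {', '.join(apps)} on {', '.join(services)} -> use application-default")
```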
