There are a few application groups that I use at almost every customer site. These are groups for Microsoft Active Directory, file transfer, and print. Furthermore, I use a group for the Palo Alto Networks management applications themselves, a general management group, and two different groups for VPNs (GlobalProtect and site-to-site). Finally, I tested a group for the AVAYA VoIP systems.
Following are the set commands for these groups so that anyone can configure them through the CLI.
Some Notes
- These groups were built on PAN-OS 6.0.5 with Apps & Threats version 464-2415. They should work in later versions as well, but check that every application name still exists in your content version before committing.
- I know that they are big. They could be smaller for certain applications, such as print or file transfer, if only one kind of these apps is needed. However, since I use them merely for traffic inside internal networks, I am not that worried about a rule that allows one or two applications too many. Pair such rules with the service set to application-default so each allowed application is limited to its standard ports, and check the traffic log for which group members actually matched before tightening a group.
- I use the PA-Management group for traffic generated by the management interface of the PA towards internal networks and the Internet.
- The General-Management group covers the common administrative access protocols (web, SSH, RDP, Citrix, VMware, FTP/TFTP, SNMP) and can be used for many admin accesses.
- The VPN-S2S group is used for site-to-site VPNs. Some of these IPsec tunnels to Cisco devices are recognized as “ciscovpn”, and since “ciscovpn” requires “ssl” and “dtls” to commit without any application-dependency warnings, those two are included in the group as well, though not needed.
Application Groups
To load these application groups into a Palo Alto firewall, enter configure mode and paste the following lines into it:
set application-group g_ActiveDirectory [ active-directory dns kerberos ldap ms-ds-smb ms-netlogon ms-wmi msrpc netbios-dg netbios-ns netbios-ss ntp ]
set application-group g_FileTransfer [ ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_Print [ snmp zpl hp-jetdirect lpd ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_AVAYA [ avaya-phone-ping dns h.225 h.323 icmp ldap ping rsvp rtcp rtp snmp snmp-trap ssl t.120 traceroute wccp ]
set application-group g_PA-Management [ paloalto-updates paloalto-userid-agent paloalto-wildfire-cloud pan-db-cloud panorama ssl dns ntp brightcloud smtp ]
set application-group g_General-Management [ web-browsing ssl ssh citrix vmware ms-rdp ftp tftp snmp ]
set application-group g_VPN-GlobalProtect [ ike ipsec ssl panos-global-protect panos-web-interface ]
set application-group g_VPN-S2S [ ike ipsec ciscovpn ssl dtls ]
If a multi-vsys environment is used, the set commands must include the “shared” keyword at the beginning so the groups land in the shared object space instead of a single vsys. Later PAN-OS releases changed this syntax to take a “members” keyword in front of the list; when in doubt, type “set application-group ?” in configure mode to check the form your version expects.
set shared application-group g_ActiveDirectory [ active-directory dns kerberos ldap ms-ds-smb ms-netlogon ms-wmi msrpc netbios-dg netbios-ns netbios-ss ntp ]
set shared application-group g_FileTransfer [ ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set shared application-group g_Print [ snmp zpl hp-jetdirect lpd ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set shared application-group g_AVAYA [ avaya-phone-ping dns h.225 h.323 icmp ldap ping rsvp rtcp rtp snmp snmp-trap ssl t.120 traceroute wccp ]
set shared application-group g_PA-Management [ paloalto-updates paloalto-userid-agent paloalto-wildfire-cloud pan-db-cloud panorama ssl dns ntp brightcloud smtp ]
set shared application-group g_General-Management [ web-browsing ssl ssh citrix vmware ms-rdp ftp tftp snmp ]
set shared application-group g_VPN-GlobalProtect [ ike ipsec ssl panos-global-protect panos-web-interface ]
set shared application-group g_VPN-S2S [ ike ipsec ciscovpn ssl dtls ]
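Before pasting groups like these into a production rulebase it is worth knowing where they overlap: an application that sits in five groups is allowed by every rule that uses any of them, and a group that is a strict superset of another makes a rule using the larger group permit everything the smaller one does. The script below is an added example (my own, not part of the original post or a Palo Alto Networks tool) that parses the set commands above, in both the plain and the “shared” form, and reports subset relations and applications that appear in several groups. The command text is embedded as a constructed sample; the parser does no validation of application names against a content version.

```python
import re

# Constructed sample input: the set commands from this post, one command per line.
# The parser also accepts the "set shared ..." form used in multi-vsys setups.
SET_COMMANDS = """\
set application-group g_ActiveDirectory [ active-directory dns kerberos ldap ms-ds-smb ms-netlogon ms-wmi msrpc netbios-dg netbios-ns netbios-ss ntp ]
set application-group g_FileTransfer [ ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_Print [ snmp zpl hp-jetdirect lpd ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_AVAYA [ avaya-phone-ping dns h.225 h.323 icmp ldap ping rsvp rtcp rtp snmp snmp-trap ssl t.120 traceroute wccp ]
set application-group g_PA-Management [ paloalto-updates paloalto-userid-agent paloalto-wildfire-cloud pan-db-cloud panorama ssl dns ntp brightcloud smtp ]
set application-group g_General-Management [ web-browsing ssl ssh citrix vmware ms-rdp ftp tftp snmp ]
set application-group g_VPN-GlobalProtect [ ike ipsec ssl panos-global-protect panos-web-interface ]
set application-group g_VPN-S2S [ ike ipsec ciscovpn ssl dtls ]
"""

# One "set [shared] application-group NAME [ app app ... ]" command per line.
_GROUP_LINE = re.compile(
    r"^set\s+(?:shared\s+)?application-group\s+(\S+)\s+\[\s*(.*?)\s*\]\s*$"
)


def parse_groups(text):
    """Parse set commands into {group_name: set_of_apps}.

    Rejects lines that are not application-group commands and groups that
    list the same application twice, so typos surface before a commit.
    """
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _GROUP_LINE.match(line)
        if not match:
            raise ValueError(f"not an application-group set command: {line}")
        name, members = match.group(1), match.group(2).split()
        if len(set(members)) != len(members):
            raise ValueError(f"duplicate application in {name}")
        groups[name] = set(members)
    return groups


def subset_relations(groups):
    """Return sorted (smaller, larger) pairs where every app of `smaller` is also in `larger`.

    A rule allowing `larger` already permits everything a rule allowing `smaller` would.
    """
    return sorted(
        (small, big)
        for small in groups
        for big in groups
        if small != big and groups[small] <= groups[big]
    )


def shared_apps(groups, min_groups=2):
    """Map each application to the sorted list of groups containing it,
    keeping only applications that occur in at least `min_groups` groups."""
    where = {}
    for name, members in groups.items():
        for app in members:
            where.setdefault(app, set()).add(name)
    return {app: sorted(names) for app, names in where.items() if len(names) >= min_groups}


if __name__ == "__main__":
    groups = parse_groups(SET_COMMANDS)
    for small, big in subset_relations(groups):
        print(f"{big} is a superset of {small}: a rule using {big} also allows all of {small}")
    ranked = sorted(shared_apps(groups).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    for app, names in ranked:
        print(f"{app:<22} in {len(names)} groups: {', '.join(names)}")
```

Run against the groups from this post, the script shows that g_Print is a superset of g_FileTransfer, and that “ssl” is a member of five of the eight groups, which is the kind of overlap to keep in mind when one of these groups ends up in a rule that is broader than internal-to-internal traffic.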
That’s it. Did I miss something? If so, send me a comment. Thanks.