There are a few application groups that I am almost always using at the customer’s site. These are groups for Microsoft Active Directory, file transfer, and print. Furthermore, I am using a group for all of the Palo Alto Networks management applications itself, a general management group, and two different groups for VPNs (GlobalProtect and site-to-site). Finally, I tested a group for the AVAYA VoIP systems.
Following are the set commands for these groups so that anyone can easily configure them through the CLI.
Some Notes
- These groups are used with PAN-OS 6.0.5 and Apps & Threats version 464-2415. Of course, there should be no problem using them in later versions.
- I know that they are big in size. They could be smaller for certain applications, such as print or file transfer, if only one kind of these apps is needed. However, since I use them merely for traffic through internal networks, I am not that much afraid of a rule that allows one or two applications too much.
- I am using the PA-Management group for traffic generated by the management interface of the PA with a direction to internal networks and the Internet.
- The General-Management can be used for many admin accesses.
- The VPN-S2S group is used for site-to-site VPNs. Some of these IPsec tunnels to Cisco devices are recognized as “ciscovpn”. And since “ciscovpn” requires “ssl” and “dtls” to commit without any application-dependency warnings, they are included in that group, too, though not needed.
Application Groups
To load these application groups into a Palo Alto firewall, enter the configure mode and paste the following lines into it:
set application-group g_ActiveDirectory [ active-directory dns kerberos ldap ms-ds-smb ms-netlogon ms-wmi msrpc netbios-dg netbios-ns netbios-ss ntp ]
set application-group g_FileTransfer [ ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_Print [ snmp zpl hp-jetdirect lpd ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_AVAYA [ avaya-phone-ping dns h.225 h.323 icmp ldap ping rsvp rtcp rtp snmp snmp-trap ssl t.120 traceroute wccp ]
set application-group g_PA-Management [ paloalto-updates paloalto-userid-agent paloalto-wildfire-cloud pan-db-cloud panorama ssl dns ntp brightcloud smtp ]
set application-group g_General-Management [ web-browsing ssl ssh citrix vmware ms-rdp ftp tftp snmp ]
set application-group g_VPN-GlobalProtect [ ike ipsec ssl panos-global-protect panos-web-interface ]
set application-group g_VPN-S2S [ ike ipsec ciscovpn ssl dtls ]
If a multi-vsys environment is used, the set commands must include the “shared” keyword at the beginning:
set shared application-group g_ActiveDirectory [ active-directory dns kerberos ldap ms-ds-smb ms-netlogon ms-wmi msrpc netbios-dg netbios-ns netbios-ss ntp ]
set shared application-group g_FileTransfer [ ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set shared application-group g_Print [ snmp zpl hp-jetdirect lpd ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set shared application-group g_AVAYA [ avaya-phone-ping dns h.225 h.323 icmp ldap ping rsvp rtcp rtp snmp snmp-trap ssl t.120 traceroute wccp ]
set shared application-group g_PA-Management [ paloalto-updates paloalto-userid-agent paloalto-wildfire-cloud pan-db-cloud panorama ssl dns ntp brightcloud smtp ]
set shared application-group g_General-Management [ web-browsing ssl ssh citrix vmware ms-rdp ftp tftp snmp ]
set shared application-group g_VPN-GlobalProtect [ ike ipsec ssl panos-global-protect panos-web-interface ]
set shared application-group g_VPN-S2S [ ike ipsec ciscovpn ssl dtls ]
That’s it. Did I miss something? If so, send me a comment. Thanks. ;)
[UPDATE] With PAN-OS 7.0 the syntax changed a bit. The keyword “members” is included in all lines. (Thanks to your comment, Chris.) Here is the updated list:
set application-group g_ActiveDirectory members [ active-directory dns kerberos ldap ms-ds-smb ms-netlogon ms-wmi msrpc netbios-dg netbios-ns netbios-ss ntp ]
set application-group g_FileTransfer members [ ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_Print members [ snmp zpl hp-jetdirect lpd ms-ds-smb msrpc netbios-dg netbios-ss nfs portmapper rpc ]
set application-group g_AVAYA members [ avaya-phone-ping dns h.225 h.323 icmp ldap ping rsvp rtcp rtp snmp snmp-trap ssl t.120 traceroute wccp ]
set application-group g_PA-Management members [ paloalto-updates paloalto-userid-agent paloalto-wildfire-cloud pan-db-cloud panorama ssl dns ntp brightcloud smtp ]
set application-group g_General-Management members [ web-browsing ssl ssh citrix vmware ms-rdp ftp tftp snmp ]
set application-group g_VPN-GlobalProtect members [ ike ipsec ssl panos-global-protect panos-web-interface ]
set application-group g_VPN-S2S members [ ike ipsec ciscovpn ssl dtls ]
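Because the same groups exist in three syntax variants (PAN-OS 6.0, the “shared” form for multi-vsys, and the PAN-OS 7.0 “members” form) and some members are only there to satisfy App-ID dependencies (ciscovpn needing ssl and dtls, as noted above), it is easy to drift between copies. The following is an added example, not code from the post, that keeps one source of truth for the group membership, refuses to render a group with an unmet dependency, and emits whichever syntax the target firewall needs. Only the ciscovpn dependency stated in the post is filled in; the rest of the dependency table is left for you to complete from your own firewall.

```python
"""Render Palo Alto 'set application-group' lines from one membership table."""

# Group definitions, taken from the post above (three of the eight, for brevity).
APP_GROUPS = {
    "g_ActiveDirectory": ["active-directory", "dns", "kerberos", "ldap", "ms-ds-smb",
                          "ms-netlogon", "ms-wmi", "msrpc", "netbios-dg",
                          "netbios-ns", "netbios-ss", "ntp"],
    "g_FileTransfer": ["ms-ds-smb", "msrpc", "netbios-dg", "netbios-ss", "nfs",
                       "portmapper", "rpc"],
    "g_VPN-S2S": ["ike", "ipsec", "ciscovpn", "ssl", "dtls"],
}

# App-ID dependencies that must sit in the same group to commit without an
# application-dependency warning. Only the one the post states is listed;
# extend this table from the application details on your own firewall.
DEPENDENCIES = {
    "ciscovpn": ["ssl", "dtls"],
}


def missing_dependencies(members):
    """Return {app: [missing required apps]} for members whose deps are absent."""
    present = set(members)
    missing = {}
    for app in members:
        gaps = [dep for dep in DEPENDENCIES.get(app, []) if dep not in present]
        if gaps:
            missing[app] = gaps
    return missing


def set_command(name, members, panos7=True, shared=False):
    """Render one line in the syntax shown in the post.
    panos7=True adds the 'members' keyword introduced with PAN-OS 7.0;
    shared=True prefixes 'shared' for multi-vsys deployments."""
    parts = ["set"]
    if shared:
        parts.append("shared")
    parts += ["application-group", name]
    if panos7:
        parts.append("members")
    parts.append("[ " + " ".join(members) + " ]")
    return " ".join(parts)


def render_all(groups, **kwargs):
    """Render every group; raise instead of emitting a group that would warn on commit."""
    lines = []
    for name, members in groups.items():
        gaps = missing_dependencies(members)
        if gaps:
            raise ValueError(f"{name}: missing dependencies {gaps}")
        lines.append(set_command(name, members, **kwargs))
    return lines


if __name__ == "__main__":
    print("\n".join(render_all(APP_GROUPS, panos7=True, shared=True)))
```

Paste the printed lines into configure mode exactly as the post describes; drop a member such as dtls from g_VPN-S2S and the script refuses to render rather than letting the warning surface at commit time.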
My compliments for the site. I had the same idea to share application-groups I use.
About AD group, ms-wmi application is not needed.
For file sharing you miss ms-netlogon and netbios-ns. Not needed: nfs portmapper rpc
Some of applications are so called enabler apps. If not added you get warning when committed.
Regards,
Goran Katava
Hi,
thank you for the impression to make new groups via CLI :-)
But in my PAN-OS 7.0.1 the command to add a new application group didn’t work anymore.
I think the new command is:
set application-group g_VPN-S2S members [ ike ipsec ciscovpn ssl dtls ]
Can you also test it?
Regards,
Chris
Oh, this is correct. Thanks for your hint! I updated the post.