Common Palo Alto Application Groups

There are a few application groups that I am almost always using at the customer’s site. These are groups for Microsoft Active Directory, file transfer, and print. Furthermore, I am using a group for all of the Palo Alto Networks management applications itself, a general management group, and two different groups for VPNs (GlobalProtect and site-to-site). Finally, I tested a group for the AVAYA VoIP systems.

Following are the set commands for these groups so that anyone can easily configure them through the CLI.

Some Notes

  • These groups are used with PAN-OS 6.0.5 and Apps & Threats version 464-2415. Of course, there should be no problem using them in later versions.
  • I know that they are big in size. They could be smaller for certain applications, such as print or file transfer if only one kind ot these apps is needed. However, since I use them merely for traffic through internal networks, I am not that much afraid of a rule that allows one or two applications too much.
  • I am using the PA-Management group for traffic generated by the management interface of the PA with a direction to internal networks and the Internet.
  • The General-Management can be used for many admin accesses.
  • The VPN-S2S group is used for site-to-site VPNs. Some of these IPsec tunnels to Cisco devices are recognized as “ciscovpn”. And since “ciscovpn” requires “ssl” and “dtls” to commit without any application-dependency-warnings, they are included in that group, too, though not needed.

Application Groups

To load these application groups into a Palo Alto firewall, enter the configure mode and paste the following lines into it:

 

If a mutli vsys environment is used, the set commands must include the “shared” keyword at the beginning:

That’s it. Did I miss something? If so, send me a comment. Thanks. ;)

[UPDATE] With PAN-OS 7.0 the syntax changed a bit. The keyword “members” is included in all lines. (Thanks to your comment, Chris.) Here is the updated list:
[/UPDATE]

3 thoughts on “Common Palo Alto Application Groups

  1. My compliments for the site. I had the same idea to share application-groups I use.

    About AD group, ms-wmi application is not needed.

    For file sharing you miss ms-netlogon and netbios-ns. Not needed: nfs portmapper rpc
    Some of applications are so called enabler apps. If not added you get warning when committed.

    Regards,

    Goran Katava

  2. Hi,
    thank you for the impression to make new groups via CLI :-)
    But in my Pan OS 7.0.1 the command to add a new application group did’t work anymore.
    I think the new command is:

    set application-group g_VPN-S2S members [ ike ipsec ciscovpn ssl dtls ]

    Can you also test it?

    Regards,
    Chris

Leave a Reply

Your email address will not be published. Required fields are marked *