7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist

Information

Create security policies specifying application-default for the Service setting, or the specific ports desired. The Service setting of any should not be used for any policies that allow traffic.
Rationale:
App-ID requires a number of packets to traverse the firewall before an application can be identified and either allowed or dropped. Due to this behavior, even when an application is defined in a security policy, a service setting of any may allow a device in one zone to perform ports scans on IP addresses in a different zone. In addition, this recommendation helps to avoid an App-ID cache pollution attack.
Because of how App-ID works, configuring the service Setting to "Any" allows some initial traffic to reach the target host before App-ID can recognize and appropriately restrict the traffic. Setting the Service Setting to application specific at least restricts the traffic to the target applications or protocols for that initial volume of traffic.

Solution

Navigate to Policies > Security.
Set a Security Policy that has:
Source:
Zone set to OUTSIDE
Address set to any
Destination:
Zone set to DMZ
Address set to <DMZ IP Address>
Application set to web-browsing
Service set to application-default and NOT to any
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11)

Plugin: Palo_Alto

Control ID: 0ebc443dc4068d78a1f94f4d593eae798da1cfd38beab424711f390054664a10