https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-app-id-windows-remote-management-showing-up/ta-p/514477 <DIV class="lia-message-template-content-zone"> <P><STRONG><EM><I data-stringify-type="italic">This article is based on a discussion,&nbsp;<SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/app-id-windows-remote-managment-showing-as-web-browsing/td-p/488232" target="_blank" rel="noopener">App-ID Windows Remote Management Showing Up As Web-Browsing</A>,</SPAN></I><I data-stringify-type="italic">&nbsp;posted by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5588">@Gun-Slinger</a>&nbsp;</I><I data-stringify-type="italic">and answered by the Support Team.</I><I data-stringify-type="italic">&nbsp;Read on to see the discussion and solution!</I></EM></STRONG></P> <P>&nbsp;</P> <BLOCKQUOTE> <P>We recently upgraded to 10.1.5-h1 and it appears after the upgrade the Windows-Remote-Management traffic over tcp5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?</P> </BLOCKQUOTE> <P>Solution:</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.</P> </BLOCKQUOTE> <P>&nbsp;</P> </DIV> Fri, 09 Sep 2022 21:35:10 GMT JayGolf 2022-09-09T21:35:10Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-app-id-windows-remote-management-showing-up/ta-p/514477 <DIV class="lia-message-template-content-zone"> <P><STRONG><EM><I data-stringify-type="italic">This article is based on a discussion,&nbsp;<SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/app-id-windows-remote-managment-showing-as-web-browsing/td-p/488232" target="_blank" rel="noopener">App-ID Windows Remote Management Showing Up As Web-Browsing</A>,</SPAN></I><I data-stringify-type="italic">&nbsp;posted by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5588">@Gun-Slinger</a>&nbsp;</I><I data-stringify-type="italic">and answered by the Support Team.</I><I data-stringify-type="italic">&nbsp;Read on to see the discussion and solution!</I></EM></STRONG></P> <P>&nbsp;</P> <BLOCKQUOTE> <P>We recently upgraded to 10.1.5-h1 and it appears after the upgrade the Windows-Remote-Management traffic over tcp5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?</P> </BLOCKQUOTE> <P>Solution:</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.</P> </BLOCKQUOTE> <P>&nbsp;</P> </DIV> Fri, 09 Sep 2022 21:35:10 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-app-id-windows-remote-management-showing-up/ta-p/514477 JayGolf 2022-09-09T21:35:10Z