Outbound blocking of incomplete applications

CastawayKid — Thu, 24 Oct 2024 21:26:33 GMT

I have security rules in place to block applications such as 'msrpc-base' and 'ms-rdp' from exiting the network. However, I still see logs showing traffic egressing to ports 135 and 3389 with the application being listed as 'incomplete' and session end reason as 'aged-out'. Is this a concern? Should I be creating rules to block the protocol/port combo instead?

Re: Outbound blocking of incomplete applications

Adrian_Jensen — Thu, 24 Oct 2024 21:37:32 GMT

If you want a complete block from the start on well-known services, yes block by the Service (aka protocol/port). The application filters can not categorize packets until a sufficient amount of traffic has passed in the session, so packets will continue until the application can be ID'd and rules re-evaluated. The application filters can be handy for ID'ing traffic on non-standard ports (assuming you do not have "application-default" turned on in the service), or traffic which changes after establishing, but they don't automatically assume new port based traffic matches.

topic Outbound blocking of incomplete applications in Next-Generation Firewall Discussions

Outbound blocking of incomplete applications

Re: Outbound blocking of incomplete applications