topic Re: Microsoft WNS App ID in Next-Generation Firewall Discussions

Microsoft WNS App ID

I.Stevkovski — Thu, 17 Jul 2025 06:26:11 GMT

I work with a network scenario where we have two firewall towards the internet and the desktop PCs are behind PaloAlto as perimeter and Cisco as internal firewall, so we can compare the same traffic whether it is identified properly or not.

It seems that PaloAlto has some problem identifying traffic from Windows Push Notification Service. Not all the sessions are properly identified, many of them are simply noted as unknown-tcp. Cisco doesn't seem to have a problem, i t is logged as Microsoft WNS, but Palo Alto does. Briefly I turned off SSL Decryption and maybe more sessions have been identified this way, but is it that much difficult to have App Signature for such a widespread application? Is it OK to allow unknown-tcp traffic to pass through? Why is it risk level 1?

Does anyone else has encountered such problem? And please share your experiance.

Re: Microsoft WNS App ID

treeef — Tue, 09 Sep 2025 20:21:50 GMT

Same exact issue here. No resolution on this end, unfortunately. I'm grabbing IPs from https://learn.microsoft.com/en-us/windows/apps/develop/notifications/push-notifications/firewall-allowlist-config and adding to a an unknown-tcp allow rule. It's only a temporary hack, though. The IPs can change, Microsoft says.

Re: Microsoft WNS App ID

I.Stevkovski — Wed, 10 Sep 2025 06:06:20 GMT

Permanently added hostname *.wns.windows.com in the SSL Decryption Exclusion and now all the sessions are properly identified. The firewall has problem with identifying it if decrypted, not with encrypted.

Re: Microsoft WNS App ID

treeef — Wed, 10 Sep 2025 16:19:43 GMT

That fixed it for us @I.Stevkovski! Thank you!