topic active-directory-base application isn't match traffic when services/URL Category is set to &quot;application-default&quot; in security rule in General Topics https://live.paloaltonetworks.com/t5/general-topics/active-directory-base-application-isn-t-match-traffic-when/m-p/467013#M102742 <P>Hello,</P><P>I use a Firewall at version 10.0.8-h8. I wrote a rule to allow the application "active-directory-base" (which contains several ports) in the application section then "application-default" in the services/URL category section as recommended by PA.</P><P>&nbsp;</P><P>The observation I made is that the flow never matches this rule. It is even dropped by the inter-zone rule.</P><P>&nbsp;</P><P>When I change "application-default" by "any" in the services/URL category table, it works fine.</P><P>&nbsp;</P><P>Do you have an explanation for this behavior?</P><P>#strata&nbsp;</P> Sun, 20 Feb 2022 11:46:57 GMT Ouattara 2022-02-20T11:46:57Z active-directory-base application isn't match traffic when services/URL Category is set to "application-default" in security rule https://live.paloaltonetworks.com/t5/general-topics/active-directory-base-application-isn-t-match-traffic-when/m-p/467013#M102742 <P>Hello,</P><P>I use a Firewall at version 10.0.8-h8. I wrote a rule to allow the application "active-directory-base" (which contains several ports) in the application section then "application-default" in the services/URL category section as recommended by PA.</P><P>&nbsp;</P><P>The observation I made is that the flow never matches this rule. It is even dropped by the inter-zone rule.</P><P>&nbsp;</P><P>When I change "application-default" by "any" in the services/URL category table, it works fine.</P><P>&nbsp;</P><P>Do you have an explanation for this behavior?</P><P>#strata&nbsp;</P> Sun, 20 Feb 2022 11:46:57 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-base-application-isn-t-match-traffic-when/m-p/467013#M102742 Ouattara 2022-02-20T11:46:57Z Re: active-directory-base application isn't match traffic when services/URL Category is set to "application-default" in security rule https://live.paloaltonetworks.com/t5/general-topics/active-directory-base-application-isn-t-match-traffic-when/m-p/467190#M102764 <P>do the ports used by the sessions match the default ports listed in active-directory-base&nbsp;</P> <P><LABEL id="ext-gen2292" class="x-form-item-label" for="ext-comp-2345"><STRONG>Standard Ports:&nbsp;&nbsp;</STRONG></LABEL></P> <DIV id="x-form-el-ext-comp-2345" class="x-form-element"> <DIV id="ext-comp-2345" class=" x-form-display-field">tcp/1025-5000, tcp/135,138,139,389,445,464,636, tcp/49152-65535, tcp/5722,9389, udp/88,123,137,138,389,445,464,2535</DIV> </DIV> <P>&nbsp;</P> <P>&nbsp;</P> <P>and did you allow the dependencies in another rule?</P> <P><LABEL id="ext-gen2296" class="x-form-item-label" for="ext-comp-2349"><STRONG>Depends on:&nbsp;&nbsp;</STRONG></LABEL></P> <DIV id="x-form-el-ext-comp-2349" class="x-form-element"> <DIV id="ext-comp-2349" class=" x-form-display-field">kerberos, ms-ds-smb-base, ms-netlogon, netbios-dg, netbios-ns, netbios-ss</DIV> </DIV> Mon, 21 Feb 2022 11:57:08 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-base-application-isn-t-match-traffic-when/m-p/467190#M102764 reaper 2022-02-21T11:57:08Z