topic Has anybody encountered a situation where a rule was configured for one application but matched other applications? in General Topics

Has anybody encountered a situation where a rule was configured for one application but matched other applications?

palo_al — Wed, 13 Aug 2014 11:17:14 GMT

I have the following rule

I used 'any' as the service because we have web servers running on multiple ports and not just on the default.

While it does match ssl and web-browsing traffic as expected, it also matches unexpected application traffic like the following

I don't understand why it would match oracle traffic. Any ideas?

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

_slv_ — Wed, 13 Aug 2014 11:20:36 GMT

It's because You put ANY as a service. Please put there app-default and oracle shouldnt hitted this rule.

Explanation is that oracle using probably SSL. Corect me if I'm wrong.

Regards

Slawek

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

palo_al — Wed, 13 Aug 2014 11:26:31 GMT

The reason we have any is we have a few dozen virtual web servers running on different ports so I was hoping not to enumerate every single port.... I guess I'll have to start typing then :smileygrin:

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

_slv_ — Wed, 13 Aug 2014 11:31:21 GMT

Yes ... or create more security rules, ie. one per server with this server in Destination address field.

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

ericgearhart — Wed, 13 Aug 2014 11:41:02 GMT

Excuse me but this is a totally bogus explanation... so what if he put service any? The whole point of App-ID is to be port agnostic, that's how the product was sold to us. The replies above make no sense to me.

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

_slv_ — Wed, 13 Aug 2014 11:44:07 GMT

Hi Ericgearhart

If I'm wrong - please put here Your explanations.

So in your opinion its improperly identyfied aplication or so?

Regards

Slawek

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

reaper — Wed, 13 Aug 2014 11:49:21 GMT

out of curiousity, would you mind checking if you have log "at start" enabled and if the logs you see hitting the wrong rule are start or end logs

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

FJU-ITCS — Wed, 13 Aug 2014 11:50:33 GMT

I must correct Slawek, if you put ANY to service, it's mean this application WITH any Port and not ANY application on any port. So you did it right.

The Problem what Slawek think, is the dependence in the Applications, if you put for example the application icq to the rule it will be automaticly allow the application ssl & web-browsing. But only if you don't have a deny any Rule at the end.

Back to your Problem with Oracle, with version do you have installed? PAN-OS and Application&Threats?

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

ericgearhart — Wed, 13 Aug 2014 12:03:11 GMT

slv - see FJU's response below. I totally agree with what FJU says below

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

palo_al — Wed, 13 Aug 2014 12:18:33 GMT

I only have 'log at session end' enabled

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

palo_al — Wed, 13 Aug 2014 12:21:32 GMT

PAN OS version 6.0.3 , Apps version 449-2321

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

DaveCorwin — Wed, 13 Aug 2014 12:26:49 GMT

Incorrect sir...setting service to "ANY" will only allow for the traffic to traverse any port that still matches the specified application. Based off your logic, there would be no need to specify the application.

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

palo_al — Thu, 14 Aug 2014 16:05:41 GMT

I just put in another rule to match the oracle traffic on port 1522. The traffic doesn't get matched by my ssl/web-browsing rule anymore.

It still doesn't explain how a rule configured with an ssl or web-browser application could match oracle traffic.

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

tshiv — Fri, 15 Aug 2014 04:51:34 GMT

The behavior is quite odd. Usually, if there is application shift i.e application is first identified as web-browsing and later after the firewall has seen more packets, the same traffic gets identified as oracle, it should trigger a second policy look-up. Clearly this is not happening. If the issue is still persisting, i would suggest opening up a ticket with support.

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

_slv_ — Fri, 15 Aug 2014 08:41:09 GMT

Hi FJU

You read from my mind

I thought that Palo_al has more security rules (below is more narrow rules especially for oracle application) but was curious why this traffic hitting this rule.

So Your explanation is correct.

I'm fighting with support with ammy-admin and backup-exec application aren't correctly identified by PAN OS. So maybe it's happened to You too.

Regards

Slawek

Re: Has anybody encountered a situation where a rule was configured for one application but matched other applications?

Fri, 15 Aug 2014 17:20:52 GMT

Yup that doesn't make any sense. I suggest you open a case if you haven't. As a test, you can put a deny all rule at the bottom and see if oracle is still being allowed but make sure you've allowed EVERYTHING that you need because you'll see a lot of blocked traffic which will cause issues with your users. Probably do that after hours. Hope that helps.