https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19981#M14559 <HTML><HEAD></HEAD><BODY><P>David,</P><P></P><P>It could also be that the handshake is completed. However, there may not be enough data in the bytes written to the firewall for the Palo Alto to correspond to an application. RSYNC uses SSL encrypt and is typically initiated via SSH. </P></BODY></HTML> Mon, 12 May 2014 16:59:42 GMT ZackCamp 2014-05-12T16:59:42Z https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19980#M14558 <HTML><HEAD></HEAD><BODY><P>I have a customer who is unable to access a site over port_873. When searching the traffic I see that the Source IP to Destination IP are being allowed over port 873 but the application is showing as incomplete. Now, I understand that this indicates that the handshake is not being completed most likely due to the distant end, but there are still some anomalies that have me scratching my head.</P><P></P><P>The rule that I see this traffic hitting:</P><P>Source Zone:: Inside&nbsp;&nbsp;&nbsp; Source: Any&nbsp;&nbsp; Destination Zone: Outside&nbsp;&nbsp; Destination: Any&nbsp;&nbsp; Application: SSL, Web-browsing&nbsp;&nbsp; Service: Any</P><P></P><P>My question:</P><P></P><P>Why would this traffic be hitting this rule when it is over port_873? Could it be that the traffic initially starts as 80/443 and then converts to 873?</P><P></P><P>Port_873: rsync file synchronisation protocol (official)</P></BODY></HTML> Mon, 12 May 2014 13:43:33 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19980#M14558 DaveCorwin 2014-05-12T13:43:33Z https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19981#M14559 <HTML><HEAD></HEAD><BODY><P>David,</P><P></P><P>It could also be that the handshake is completed. However, there may not be enough data in the bytes written to the firewall for the Palo Alto to correspond to an application. RSYNC uses SSL encrypt and is typically initiated via SSH. </P></BODY></HTML> Mon, 12 May 2014 16:59:42 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19981#M14559 ZackCamp 2014-05-12T16:59:42Z https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19982#M14560 <HTML><HEAD></HEAD><BODY><P>Hello Dave,</P><P></P><P>While you will initiate a connection for RSYNS application, the first few packets will choose the first available policy in the same direction, regardless of the application defined in the security-policy.&nbsp; As soon as PAN firewall identifies the application signature of the packet <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>App-ID), then it will switch into the appropriate security policy. </P><P></P><P>If you enable logging&nbsp; session for&nbsp; "Log at session start" in the security policy, it will be able to see the same behavior in traffic logs.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 12 May 2014 18:04:15 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19982#M14560 HULK 2014-05-12T18:04:15Z https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19983#M14561 <HTML><HEAD></HEAD><BODY><P>As Hulk mentions, the session starts with the first possible rule match.&nbsp; In your case that is the application ssl rule.</P><P></P><P>You should reorder you security policy list so that the specific rules like this one for the vpn appear first on the list.&nbsp; This prevents the application based rules from accidentally kicking in on the traffic as is apparently happening here.</P></BODY></HTML> Sun, 18 May 2014 11:42:56 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-question/m-p/19983#M14561 pulukas 2014-05-18T11:42:56Z