https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/245#M200 <HTML><HEAD></HEAD><BODY><P>Hi Laurent,</P><P></P><P>You should not see web-browsing as an application that uses the same security rule as the one set for allowing pings.</P><P></P><P>If you want to block everything except ping , you may keep an explicit deny rule at the bottom.</P><P></P><P>Thanks</P><P>Parth</P></BODY></HTML> Fri, 11 Nov 2011 09:14:08 GMT ppatel 2011-11-11T09:14:08Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/244#M199 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have defined a rule that allow pings (using the "ping" application). However there are a lots of other applications that flows through this rule, even "web-browsing" !!!</P><P></P><P>How is this possible ?</P><P></P><P>Regards,</P><P></P><P>Laurent</P></BODY></HTML> Fri, 11 Nov 2011 08:39:08 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/244#M199 ldormond 2011-11-11T08:39:08Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/245#M200 <HTML><HEAD></HEAD><BODY><P>Hi Laurent,</P><P></P><P>You should not see web-browsing as an application that uses the same security rule as the one set for allowing pings.</P><P></P><P>If you want to block everything except ping , you may keep an explicit deny rule at the bottom.</P><P></P><P>Thanks</P><P>Parth</P></BODY></HTML> Fri, 11 Nov 2011 09:14:08 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/245#M200 ppatel 2011-11-11T09:14:08Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/246#M201 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Thanks for your help.</P><P></P><P>I want to know why I have other applications that are matched by my ping rule. See printscreen attached.</P><P></P><P>Regards,</P><P></P><P>Laurent</P></BODY></HTML> Fri, 11 Nov 2011 09:45:41 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/246#M201 ldormond 2011-11-11T09:45:41Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/247#M202 <HTML><HEAD></HEAD><BODY><P>Looking at your traffic log and the rule I would advise you to open a case with support. This merits closer examination.</P><P></P><P>Thank you,</P><P></P><P>Benjamin</P></BODY></HTML> Fri, 11 Nov 2011 21:17:34 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/247#M202 bpappas 2011-11-11T21:17:34Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/248#M203 <HTML><HEAD></HEAD><BODY><P>Hi Laurent,</P><P></P><P>Can you change the service to use application default and appliction to ping and try to see what results you get.</P><P></P><P>You can set an application and then "any" service, our App-ID engine will filter based on application regardless of ports. Also, most applications have an "application default" option for service. For instance, if you set application "ssl" and selected "application default" for service, it would only allow the ssl application on port 443. If it detected ssl traffic on an irregular port it would not be processed under that rule. Likewise, if you set application to "any", you could then specify services and it would only apply the policy to those services (ports) regardless of application.</P><P></P><P>Also I see that following ip addresses come from the same zone XDMZ. Is this the intended setup?</P><P></P><P>Logs show</P><P></P><P>(1) 10.120.134.28 that uses application SiteScope Jmx collection</P><P>(2)&nbsp; 10.120.120.56 that uses application ping</P><P>(3) 145.232.250.140/141&nbsp; that uses web-browsing</P><P></P><P>Thanks</P><P>Parth</P></BODY></HTML> Fri, 11 Nov 2011 21:35:23 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/248#M203 ppatel 2011-11-11T21:35:23Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/249#M204 <HTML><HEAD></HEAD><BODY><P>Hi Parth,</P><P></P><P>Indeed, when setting service to "application-default" it's much better. No more heterogenous traffic. The only other traffic I get is "incomplete".</P><P></P><P>Thanks for your help.</P><P></P><P>However I don't really understand why application signature was not sufficient in this case...</P><P></P><P>Regards,,</P><P></P><P>Laurent</P></BODY></HTML> Tue, 15 Nov 2011 08:13:02 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/249#M204 ldormond 2011-11-15T08:13:02Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/250#M205 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Do you have any news on that topic.</P><P>We experienced the same issue here in 4.1.6 version.</P><P>regards,</P><P></P><P>Joseph</P></BODY></HTML> Wed, 07 Nov 2012 11:06:19 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/250#M205 joseph.morel 2012-11-07T11:06:19Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/251#M206 <HTML><HEAD></HEAD><BODY><P>Are my eyes playing with me or isnt the second to last rule basically an "any any allow" (which would explain why traffic is let through) looking at the picture provided by&nbsp; <SPAN class="j-post-author "><STRONG><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="-1" data-externalid="" data-presence="null" data-userid="4718" data-username="ldormond" href="https://live.paloaltonetworks.com/people/ldormond" id="jive-471823630074060957943">ldormond</A>&nbsp; </STRONG>&nbsp; Nov 11, 2011 10:45 AM </SPAN>?</P></BODY></HTML> Wed, 07 Nov 2012 11:47:36 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/251#M206 mikand 2012-11-07T11:47:36Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/252#M207 <HTML><HEAD></HEAD><BODY><P>Yes but the rule which is matched in the log is the ping one</P></BODY></HTML> Wed, 07 Nov 2012 12:34:09 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/252#M207 joseph.morel 2012-11-07T12:34:09Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/253#M208 <HTML><HEAD></HEAD><BODY><P>Ahh <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>What if you 1) ping 2) do some web-browsing (or whatever) from a srcip which belongs to grp-cisco-css towards a dstip which belongs to grp-addi-web?</P><P></P><P>Will the traffic log then (for the 2nd case above) display "Keep_Alive_CSS" as rulehit or "ALLOW ANY FROM XDMZ" (or whatever the rules are named in your case)?</P><P></P><P>Im thinking that the compiler incorrectly merged (by optimization) the "any any allow" rule with the first occurance where this srcip/dstip combo exists (like some inverse shadow rule) so the wrong rulehit is displayed (I mean security wise its correct beause you do have a "any any accept" (which in most cases is bad) but the incorrect rule is being blamed for why traffic was let through)?</P></BODY></HTML> Thu, 08 Nov 2012 04:24:54 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/253#M208 mikand 2012-11-08T04:24:54Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/254#M209 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for your help guys, but I currently have no more access to the device.</P><P></P><P>But I had set the service to "application-default" instead of "any" as suggested by Parth and the issue was resolved.</P><P></P><P>Regards</P></BODY></HTML> Wed, 21 Nov 2012 14:18:51 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-application-goes-to-specific-rule/m-p/254#M209 ldormond 2012-11-21T14:18:51Z