topic Re: unknown-tcp / udp - please explain in General Topics

unknown-tcp / udp - please explain

cryptochrome — Fri, 17 May 2013 20:58:22 GMT

Hi,

I know that these two applications stand for unrecognized traffic. It worries me though that for some of the other applications to work, I have to add unknown-tcp/udp to the firewall rule. Example for this would be Bittorrent traffic. To allow Bittorrent, I also have to allow web-browsing and unknown-tcp and unknown-udp.

Can someone please elaborate on this? If I only want to allow Bittorrent, but also add web-browsing and unknown-tcp, I will open up the firewall for unwanted traffic. I really have a hard time understand this concept.

Thanks

Re: unknown-tcp / udp - please explain

kfindlen — Fri, 17 May 2013 21:21:35 GMT

Allowing unknown-tcp/udp to allow BitTorrent traffic should not be required. On my device I have utilized BitTorrent with and without encryption over the last few weeks and the traffic logs show that none of the sessions are being identified as unknown-tcp/udp. It's possible this issue is specific to the torrent you are accessing.

The web-browsing component could be required for the tracker communication which can utilize HTTP.

If you see this issue on the latest content then I would recommend opening a support case for investigation.

Re: unknown-tcp / udp - please explain

NGS_SOC — Sat, 18 May 2013 09:00:19 GMT

Bittorent doesn't depend on unknown tcp/udp, only web-browsing on tcp/udp dynamic ports. If you have 5.0.x this dependence is already done, otherwise a rule has to be inserted for allowing web-browsing before bittorent.

Verify the app dynamic update (latest 373-1793) and in case of other error/warning during commit also I suggest opening a support case.

Re: unknown-tcp / udp - please explain

cryptochrome — Sat, 18 May 2013 10:07:40 GMT

Ok, you are right, there are no warnings anymore about uknown-tcp on commit. However, you are saying that 5.0 automatically resolves those dependencies, does that mean it will actually include the needed services without me specifying them in the rule? That would mean it will still open unknown-tcp/udp.

Bittorrent was just an example. I've seen this dependency with other apps as well. If other apps rely on unknown-tcp/udp, doesn't that make the whole thing completely insecure? I am opening up the firewall for unknown traffic.

Re: unknown-tcp / udp - please explain

NGS_SOC — Sat, 18 May 2013 11:39:18 GMT

In PANOS 4.x all application dependencies have to be explicit allowed in security rules, otherwise warning during may appear and related application could not work properly. Sometimes in large scale this requirement could be annoying or worse.

Version 5.0.x changes this behavior allowing application dependencies if they are granular web-browsing, ssl, ftp and few more. Never unknown traffic, if needed, this have to be allowed with an explicit rule.

Re: unknown-tcp / udp - please explain

cryptochrome — Sat, 18 May 2013 12:33:02 GMT

So that means, if there are dependencies:

1.) It will resolve them automatically and add the needed services, invisible to the user.

2.) Because of that, I don't what what I actually allow through my firewall.

Excuse my ignorance, but are you guys serious?

Re: unknown-tcp / udp - please explain

NGS_SOC — Sat, 18 May 2013 13:48:52 GMT

I quote what is reported in PANOS v.5 release note:

Application Dependency Enhancement – For some protocols, you can allow an application in security policy without explicitly allowing its underlying protocol. This support is available if the application can be identified within a pre-determined point in the session, and has a dependency on any of the following applications: HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS. Custom applications based on HTTP, SSL, MS-RPC, or RTSP can also be allowed in security policy without explicitly allowing the underlying protocol. For example, if you want to allow Java software updates, which use HTTP (web-browsing), you no longer have to allow web-browsing. This feature will reduce the overall number of rules needed to manage policies.

This means that few applications can use this enchantment and you never allow unwanted applications. Be aware of how PA recognize application: for example application facebook relies on web-browsing because before facebook the frewall recognize in fact web-browsing app. So the programmer ask themself why not having an implicit application allowing?

Please do not mix together app and service (ports) these are different variables in security rules, as an advice try to use always application defaults as policy enforcement.

If you keep log option for security rule you are always able what traversed the firewall. Also always in session browser (cli/gui) you can see which kind of app traffic is flowing even with a permit all policy, this is the strength of these devices.

Re: unknown-tcp / udp - please explain

K_Celenza — Sat, 18 May 2013 14:30:32 GMT

Is this the same cryptochrome from the infamous why "NSM is a piece of crap" forum? I happened to be the first one to reply to that post.

Re: unknown-tcp / udp - please explain

cryptochrome — Sat, 18 May 2013 16:40:02 GMT

yep. that's the same Cryptochrome :smileygrin:

Re: unknown-tcp / udp - please explain

mikand — Sun, 19 May 2013 20:49:48 GMT

Slightly off-topic but I guess this is the thread you both are refering to ? 🙂

Want some examples why NSM is a piece of junk? - J-Net Community

Re: unknown-tcp / udp - please explain

ericgearhart — Mon, 20 May 2013 01:26:27 GMT

Wow nice thread there I love that kind of candid, to the point feedback

Re: unknown-tcp / udp - please explain

cryptochrome — Mon, 20 May 2013 10:03:06 GMT

I was really upset when I wrote that thread and I might have become too rude throughout the discussion, but I've had it with Juniper back then. Their NSM caused so much trouble it was unbelievable. Unfortunately, the same still holds true today. I just had a major crash on NSM two weeks ago from a failed DMI schema update. I love the SRX for it's concept and the beauty of Junos, but NSM is destroying that platform for me and a lot of my customers.

Anyways. This probably doesn't belong here.

Re: unknown-tcp / udp - please explain

ericgearhart — Mon, 20 May 2013 13:12:07 GMT

Hey man, no need to apologize, sometimes my passion bubbles a little too close to the surface too

Re: unknown-tcp / udp - please explain

ericgearhart — Mon, 20 May 2013 13:39:55 GMT

Back on topic... this is what my PA-500 just threw at me for the 'share-p2p' App-ID on PANOS 4.1.12:

VSYS1

vsys1: Rule 'Allow all with threat' application dependency warning:

Application 'share-p2p' requires 'unknown-tcp' be allowed

(Module: device)

Configuration committed successfully

So yes, the original poster (cryptochrome) was correct in saying that for certain App-IDs, 'unknown-tcp' needs to be turned on. And I completely agree with him that "that's messed up" - I have to turn on 'unknown-tcp' for certain App-IDs to work? Say what?

Re: unknown-tcp / udp - please explain

cryptochrome — Mon, 20 May 2013 14:10:41 GMT

Yep. That's what worries me too. In PanOS 5.0 these dependencies are automatically resolved (so you actually never see what the firewall is really opening up). says that it will never be unknown-tcp that would be resolved, but why did 4.x need unknown-tcp and 5.0 does not? Where is this documented? I find this really scary.

Re: unknown-tcp / udp - please explain

NGS_SOC — Mon, 20 May 2013 14:31:23 GMT

From PAN-EDU-201 v.5 rev A MOD 4 APP-Id slide 26

PAN-OS implicitly allows parent applications for a set of commonly used applications

Requiring that dependencies be allowed in order to enable an application can often allow more traffic than intended. For example, enabling access to web-browsing just to allow facebook-base allows users to browse other sites, requiring the administrator to configure other policies to regulate this access.

PAN-OS addresses this concern by implicitly allowing dependencies for a set of commonly used applications to streamline the security policy process. Implicit permissions of a parent application are only handled if there is no match with an explicit rule.

The complete list of implicitly allowed applications can be found in Appendix B of this manual.

Appendix B

Allowed Application

• software-update apps
• business-systems apps (e.g., erp-crm, storage-backup, sharepoint)
• web-mail apps, IMs, social-networking
Implicit >> web-browsing

Apps identified in rpc decoder with a specific program ID (e.g., mount, nfs, portmapper, ibm-clearcase)
Implicit >> rpc

Apps identified in msrpc decoder with specific UUID (e.g., ms-exchange, active-directory, arcserve)
Implicit >> msrpc

msrpc
Implicit >> ms-ds-smb

ms-ds-smb
Implicit >> netbios-ss

Apps identified in rtsp decoder based on uri path in first request message (including custom apps)
Implicit >> rtsp

Apps identified in rtmp decoder based on uri path in the first request packet (e.g., bbc-iplayer)
Implicit >> rtmp, rtmpt

Media streaming apps (e.g., napster, megavideo)
Implicit >> flash

ms-rdp, msn-remote-desktop
Implicit >> t.120

Apps identified based on SSL hello or certificate in the response.
Ssh can remain in both uses-apps and implicit-uses-apps
Implicit >> ssl

yahoo-voice, gtalk-voice, msn-voice, msn-video, facetime
Implicit >> stun

several IM apps
Implicit >> jabber

gotomeeting, gotomypc, gotoassist
Customer is not expected to understand internals about Citrix ICA/Jedi
Implicit >> citrix/citrix-jedi

Never allowed unknown udp/tcp, I hope this could hlep

Re: unknown-tcp / udp - please explain

jvalentine — Mon, 20 May 2013 14:53:14 GMT

So yes, the original poster (cryptochrome) was correct in saying that for certain App-IDs, 'unknown-tcp' needs to be turned on. And I completely agree with him that "that's messed up" - I have to turn on 'unknown-tcp' for certain App-IDs to work? Say what?

This is an uncommon case. Reading-up on Share-P2P, it looks like it's all encrypted traffic - which probably makes it impossible to create a signature-based App-ID. I'm guessing the heuristics engine is what eventually detects this app, but until then it's identified as unknown-tcp. I'm not aware of any "business"-class apps that require unknown-tcp to also be allowed.

If you really must use this in your environment, then it would probably be a good idea to limit its use to specific users/computers/zones.

Re: unknown-tcp / udp - please explain

ericgearhart — Mon, 20 May 2013 14:56:25 GMT

jvalentine wrote:

If you really must use this in your environment, then it would probably be a good idea to limit its use to specific users/computers/zones.

Honestly you're right, I don't have a business use case for this one. It was just an observation (I happened to be building an App-ID filter for Breaking Point testing I'm doing and I noticed that warning when I pushed the commit job)

Re: unknown-tcp / udp - please explain

cryptochrome — Mon, 20 May 2013 15:03:35 GMT

Thanks . What I still don't understand after reading this:

Say I have a rule base that does not allow web-browsing at all. Now I add a rule that allows facebook-base. Since facebook-base also needs web-browsing, it resolves this dependency and invisibly adds we-browsing to the facebook-base rule. So I now have a rule that allows web-browsing plus facebook-base. Does that mean that any web-browsing to any destination is now allowed? Or ist it smart enough to actually only allow web-browsing to facebook?

Re: unknown-tcp / udp - please explain

jvalentine — Mon, 20 May 2013 15:19:03 GMT

With 5.0, PAN-OS only allows just enough web-browsing in order to enable facebook-base. It won't permit other non-facebook web-browsing activities.

This type of rule was also possible with 4.1, but was a major pain. You had to create a custom URL category that contained things like facebook.com, *.facebook.com, fbcdn.com, etc. etc. Then you needed two firewall rules:

- from trust to untrust application=web-browsing SERVICE/URL CATEGORY="new custom FB category" action=allow

- from trust to untrust application=facebook-base action=allow

The first rule allowed web-browsing only to domains listed in that custom category, which would be enough to let the App-ID shift into facebook-base. The 5.0 code does the same thing, but without the complexity.

(Coincidently, this is one of those few times where it is extremely useful to use URL CATEGORY as match criteria in the firewall rule.)