https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51127#M37621 <HTML><HEAD></HEAD><BODY><P>You could write a specific rule just for the Sophos site ip address as a port based rule before the application rule. </P></BODY></HTML> Thu, 02 Apr 2015 09:56:26 GMT pulukas 2015-04-02T09:56:26Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51126#M37620 <HTML><HEAD></HEAD><BODY><P>IKE coming from a Sophos device is incorrectly identified as application ciscovpn instead of application ike.</P><P></P><P>Is this because Sophos uses cisco-ish protocol ? All I see in the logs is udp 500...</P><P></P><P>I'm happy allowing application ike, our other site-to-site vpn's work fine with it.</P><P>I'm not happy however with allowing ciscovpn, since that would open a bunch of other ports as well (source applipedia: tcp/500,2512,4500,10000, udp/500,4500,10000,62514-62524)</P><P></P><P>Has anyone noticed similar behaviour ? Can I do something about it ?</P></BODY></HTML> Wed, 01 Apr 2015 15:03:28 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51126#M37620 dieter_b 2015-04-01T15:03:28Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51127#M37621 <HTML><HEAD></HEAD><BODY><P>You could write a specific rule just for the Sophos site ip address as a port based rule before the application rule. </P></BODY></HTML> Thu, 02 Apr 2015 09:56:26 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51127#M37621 pulukas 2015-04-02T09:56:26Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51128#M37622 <HTML><HEAD></HEAD><BODY><P>That's what we did. But still, I would have expected it to work using only application ike...</P></BODY></HTML> Tue, 14 Apr 2015 08:56:53 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51128#M37622 dieter_b 2015-04-14T08:56:53Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51129#M37623 <HTML><HEAD></HEAD><BODY><P>This happens sometimes.&nbsp; Applications are classified based on the actual behavior and content of the packets.&nbsp; So the connection here was similar enough to the Cisco to make a match.</P><P></P><P>You could open a support case and provide the pcaps on the misclassification.&nbsp; Then the application signature might be able to be updated in a future release.</P></BODY></HTML> Tue, 14 Apr 2015 09:54:22 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-from-sophos/m-p/51129#M37623 pulukas 2015-04-14T09:54:22Z