https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113921#M45260 <P>I think when I configure the destination by IP only the rules not match as now I put /32 on the destination IP that made the rule match</P> Fri, 16 Sep 2016 20:39:44 GMT mikealanni 2016-09-16T20:39:44Z https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113890#M45253 <P>We have in-house software that uses secure-telnet port 992 and that has been blocked after the 7.1.4-h2 upgrade. I've created a rule to pass the traffic to the destenation address with any application any service but never help, the logs said reset both by internzone rule, only changing interzone rule to allow will let the application communicate. &nbsp;Even I did appliaction override on the SSL with destinationa port and address not helped me at all.</P><P>&nbsp;</P><P>Please any clue how to fix this?</P><P>&nbsp;</P><P>Mike</P> Fri, 16 Sep 2016 17:31:03 GMT https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113890#M45253 mikealanni 2016-09-16T17:31:03Z https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113899#M45254 <P>Hi,</P><P>&nbsp;</P><P>What version of PAN-OS you had before?&nbsp;</P><P>Can you post screenshot of the policy and deny logs please.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 16 Sep 2016 17:39:19 GMT https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113899#M45254 TranceforLife 2016-09-16T17:39:19Z https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113904#M45255 <P>7.0.5h2</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline"><img /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/5601iA60DD1AD073A2B10/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Untitled.png" alt="Untitled.png" /></span></P> Fri, 16 Sep 2016 17:46:38 GMT https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113904#M45255 mikealanni 2016-09-16T17:46:38Z https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113905#M45256 <P>Hi,</P><P>&nbsp;</P><P>Thanks. So your traffic is denied by default policy cause it does not match any other policy. Can you show me a policy config pls for this particular session?&nbsp;What was your policy before an upgrade? Did you try to create a rule with SSL app and destination port 992. I understand you have tried&nbsp;any any but l had strange behaviour, similar to yours. So when l created rule to be more specific&nbsp;it worked for me.</P> Fri, 16 Sep 2016 18:29:44 GMT https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113905#M45256 TranceforLife 2016-09-16T18:29:44Z https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113915#M45257 <P>I tried specific rule to destenation IP and a service with the port on both UDP and TCP, then tried application SSL then tried unknow-tcp and unknown-udp all togehter nothing works. my default inside to outside rule is any application with default application with profiles.</P> Fri, 16 Sep 2016 19:09:23 GMT https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113915#M45257 mikealanni 2016-09-16T19:09:23Z https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113917#M45258 <P>Ok.&nbsp;So from what l understood you have a policy inside &gt;outside with application "any" and the service "<SPAN>application-default".</SPAN></P><P>&nbsp;</P><P><SPAN>So PAN-OS 7.1 changes the behaviour for the policy with&nbsp;application-default specified. See below:</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Policy-behavior-change-application-default/ta-p/75664" target="_blank">https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Policy-behavior-change-application-default/ta-p/75664</A></SPAN></P><P>&nbsp;</P><P><SPAN>Your policy will allow any APPs but only on the default ports. From the logs, we can see that you have SSL as an application but 992 as a port. Default&nbsp;inter-zone has any any that is why it is permitting your traffic.</SPAN></P><P>&nbsp;</P><P><SPAN>Thx,</SPAN></P><P><SPAN>Myky</SPAN></P> Fri, 16 Sep 2016 19:34:56 GMT https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113917#M45258 TranceforLife 2016-09-16T19:34:56Z https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113921#M45260 <P>I think when I configure the destination by IP only the rules not match as now I put /32 on the destination IP that made the rule match</P> Fri, 16 Sep 2016 20:39:44 GMT https://live.paloaltonetworks.com/t5/general-topics/os-7-1-blocking-telnet-over-ssl/m-p/113921#M45260 mikealanni 2016-09-16T20:39:44Z