https://live.paloaltonetworks.com/t5/general-topics/upgrade-to-7-1-6-application-default-issue/m-p/137423#M47803 <P>Apple's services use SSL on NON-STANDARD ports (aka NOT 443); Services such as apple mail and different things like that.&nbsp;</P><P>&nbsp;</P><P>- monitor the sessions from a SSH session (putty) and try to find traffic that has a State of DISCARD</P><P>&gt; show session all filter state DISCARD</P><P><BR />- modified the policy that is dropping the traffic and change the policy's service to ANY or the specified service rather than APPLICATION-DEFAULT</P><P><BR />- we can also use the report in the ACC tab to get more information about traffic using non-standard ports: (ACC &gt; Threat Activity &gt; Applications Using Non Standard Ports | Rules Allowing Apps On Non Standard Ports)</P><P>&nbsp;</P><P>Hope this post helps.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>-JD</P> Fri, 13 Jan 2017 18:40:51 GMT JDominguez 2017-01-13T18:40:51Z https://live.paloaltonetworks.com/t5/general-topics/upgrade-to-7-1-6-application-default-issue/m-p/136845#M47713 <P>So the release notes for 7.1 say that&nbsp;"<SPAN>When you configure a Security policy rule with the Application setting </SPAN>Any<SPAN> and the Service setting </SPAN>application-default<SPAN>, all applications are now permitted only on their standard ports as defined in Palo Alto Networks </SPAN><A href="https://applipedia.paloaltonetworks.com/" target="_blank">Applipedia</A><SPAN>."&nbsp;</SPAN><SPAN>I thought that was the case previously but that is not the point of this post. &nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>What I found is that when using a policy with the Application set to any and the Service set application-default, traffic matches the policy and is allowed and shows in the traffic log as allowed and matching that policy. &nbsp;However, the traffic doesn't work. &nbsp;This has been the case on apple devices with gmail in the mail app. &nbsp;Created a new policy matching gmail-base with service set to any allows the traffic to match and now works. &nbsp;This is also the case with other apple devices with other apps.</SPAN></P><P>&nbsp;</P><P><SPAN>Perhaps it&nbsp;seems that the application is not being identified while using application-default? I don't know. &nbsp;If traffic is matching the any Application setting but the application is not sending over on default application ports, why does this create a policy match rather than letting the traffic be further check for a more specific policy? &nbsp;If this traffic matches a policy set to allow, then why is the traffic essentially blocked or denied without an accompanied log showing that the traffic is being blocked?&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Anyone else having this experience on 7.1.x?&nbsp;</SPAN></P><P>&nbsp;</P> Tue, 10 Jan 2017 21:38:48 GMT https://live.paloaltonetworks.com/t5/general-topics/upgrade-to-7-1-6-application-default-issue/m-p/136845#M47713 jtuten 2017-01-10T21:38:48Z https://live.paloaltonetworks.com/t5/general-topics/upgrade-to-7-1-6-application-default-issue/m-p/137423#M47803 <P>Apple's services use SSL on NON-STANDARD ports (aka NOT 443); Services such as apple mail and different things like that.&nbsp;</P><P>&nbsp;</P><P>- monitor the sessions from a SSH session (putty) and try to find traffic that has a State of DISCARD</P><P>&gt; show session all filter state DISCARD</P><P><BR />- modified the policy that is dropping the traffic and change the policy's service to ANY or the specified service rather than APPLICATION-DEFAULT</P><P><BR />- we can also use the report in the ACC tab to get more information about traffic using non-standard ports: (ACC &gt; Threat Activity &gt; Applications Using Non Standard Ports | Rules Allowing Apps On Non Standard Ports)</P><P>&nbsp;</P><P>Hope this post helps.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>-JD</P> Fri, 13 Jan 2017 18:40:51 GMT https://live.paloaltonetworks.com/t5/general-topics/upgrade-to-7-1-6-application-default-issue/m-p/137423#M47803 JDominguez 2017-01-13T18:40:51Z