topic Erroneous application port in General Topics

Erroneous application port

tglear — Fri, 28 Apr 2017 19:56:46 GMT

I am getting a deny statement for port 8531 for application ssl. 8531 is for ms-update and my policy allows that but the default policy is denying it because it is tying it to ssl for some strange reason. I don't know how to get around that.

Re: Erroneous application port

BPry — Fri, 28 Apr 2017 20:08:51 GMT

What app-version are you running? I haven't seen this issue come across at all.

Temp workarounds:

1) Create an application override policy that specifies Microsoft's IP range and override port 8531 to ms-update instead of ssl.

2) Create a custom security policy for the traffic and you don't need to create an override policy.

Really do verify that this is actually ms-update traffic though and pass along your app-version so that we know what version you are on.

Re: Erroneous application port

TranceforLife — Fri, 28 Apr 2017 20:18:56 GMT

What PAN-OS are you on? Try to change the "services" tab to any

Re: Erroneous application port

reaper — Tue, 02 May 2017 06:48:02 GMT

if you're seeing ssl blocked on that port, this means there's an ssl session being initiated on that port, possibly something trying to bypass a traditional port based firewall (ssl will be detected if the packets have the appropriate behavior for ssl, client hello etc. )

if you want to figure out what exactly is hitting your firewall, you can set up a packetcapture for that port and see what comes out. most likely something is sending a client hello

you may not want to 'get around that' until you can determine what exactly is going on, this may be C&C from an infected host