https://live.paloaltonetworks.com/t5/general-topics/rule-scenario-80-443-vs-using-ssl-web-browsing/m-p/173987#M54722 <P>"web-browsing" and "ssl" only match generic HTTP/HTTPS traffic. &nbsp;If the firewall determines a more precise App-ID for the traffic, then it will switch to using that for determining whether to allow/deny the traffic, which may fail in mysterious ways. &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>For example, if you have a general "allow web traffic" Security Policy and use "web-browsing" in the rule, then very basic web traffic will be allowed. &nbsp;But, if someone accesses GMail, or Facebook, or Youtube, or click on a video link in a generic web page, than the firewall will notice and match that traffic to the google-base, or google-mail, or facebook-base, or youtube, or streaming-video App-ID, none of which are listed in the rule, and block the traffic. &nbsp;Which leads you down a rabit hole of "access website, check logs for what app is shown, update rule, keep browsing, rinse and repeat". &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>We ran into this issue trying to get regular ol'Moodle courses working correctly using application matching. &nbsp;Once the list got beyond 6 or 7 difference applications, we switched to just allowing straight port 80/443 traffic through.</P><P>&nbsp;</P><P>There are situations where the application matching really helps (video conferencing, for example), and situations where it really doesn't (a general "allow web traffic" rule). &nbsp;It depends on how specific you need the rule to be.</P> Wed, 30 Aug 2017 20:58:37 GMT fjwcash 2017-08-30T20:58:37Z https://live.paloaltonetworks.com/t5/general-topics/rule-scenario-80-443-vs-using-ssl-web-browsing/m-p/173939#M54704 <P>HI in what Rule Scenario&nbsp; woulld 80/443 vs using ssl/web-browsing be used. And why wouldnt app for ssl and web-browsing not work but prot 80/443 work</P> Wed, 30 Aug 2017 18:14:55 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-scenario-80-443-vs-using-ssl-web-browsing/m-p/173939#M54704 clyde.franklin 2017-08-30T18:14:55Z https://live.paloaltonetworks.com/t5/general-topics/rule-scenario-80-443-vs-using-ssl-web-browsing/m-p/173987#M54722 <P>"web-browsing" and "ssl" only match generic HTTP/HTTPS traffic. &nbsp;If the firewall determines a more precise App-ID for the traffic, then it will switch to using that for determining whether to allow/deny the traffic, which may fail in mysterious ways. &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>For example, if you have a general "allow web traffic" Security Policy and use "web-browsing" in the rule, then very basic web traffic will be allowed. &nbsp;But, if someone accesses GMail, or Facebook, or Youtube, or click on a video link in a generic web page, than the firewall will notice and match that traffic to the google-base, or google-mail, or facebook-base, or youtube, or streaming-video App-ID, none of which are listed in the rule, and block the traffic. &nbsp;Which leads you down a rabit hole of "access website, check logs for what app is shown, update rule, keep browsing, rinse and repeat". &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>We ran into this issue trying to get regular ol'Moodle courses working correctly using application matching. &nbsp;Once the list got beyond 6 or 7 difference applications, we switched to just allowing straight port 80/443 traffic through.</P><P>&nbsp;</P><P>There are situations where the application matching really helps (video conferencing, for example), and situations where it really doesn't (a general "allow web traffic" rule). &nbsp;It depends on how specific you need the rule to be.</P> Wed, 30 Aug 2017 20:58:37 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-scenario-80-443-vs-using-ssl-web-browsing/m-p/173987#M54722 fjwcash 2017-08-30T20:58:37Z https://live.paloaltonetworks.com/t5/general-topics/rule-scenario-80-443-vs-using-ssl-web-browsing/m-p/174342#M54785 <P>Instead of opening port 80/443 create application filter to dynamically group applications together and add filter into the &nbsp;rule.</P><P>Objects &gt; Application Filters</P><P>&nbsp;</P><P><A title="https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/create-an-application-filter" href="https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/create-an-application-filter" target="_blank">https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/create-an-application-filter</A></P> Fri, 01 Sep 2017 13:15:12 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-scenario-80-443-vs-using-ssl-web-browsing/m-p/174342#M54785 Raido_Rattameister 2017-09-01T13:15:12Z