https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185230#M56694 <P>If there is an application default configured as a service on the Security Policy that allows symantec-endpoint-manager traffic, the Palo Alto firewall will deny web browsing traffic on destination port 8014.</P><P>&nbsp;</P><P>There are two possible resolutions:</P><P>1- Allow any service in the Security Policy.</P><P>2- Allow web browsing traffic on destination port 8014.</P><P>&nbsp;</P><P>for more details kindly find below URL:</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Symantec-Endpoint-Protection-Manager-SEPM-Uses-Web-Browsing/ta-p/53224" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Symantec-Endpoint-Protection-Manager-SEPM-Uses-Web-Browsing/ta-p/53224</A></P> Thu, 02 Nov 2017 19:29:34 GMT Feldiasti 2017-11-02T19:29:34Z https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/184984#M56660 <P>Is there any experience with 'symantec-endpoint-manager' over tcp/8014 being mis-identified as web-browsing?</P><P>&nbsp;</P><P>We have a 5260 firewall in a datacenter environment, with hosts that need to access a Symantec-Endpoint-Server for AV updates.&nbsp; Clients access the server on port tcp/8014.&nbsp; Tha pport is associated with app-id 'symantec-endpoint-manager'&nbsp;per the&nbsp;app-id with SSL and web-browsing dependencies.&nbsp; A policy rule was created for the client to server communication with the three app-id's using the 'application default' ports.</P><P>&nbsp;</P><P>When the clients attempt to access the server, they are blocked by the inter-zone rule, with tcp/8014 identified as 'web browsing'.&nbsp; At this point an application override has been created allowing tcp/8014, ideally we'd like to use the built-in rule to permit the traffic through.</P><P>&nbsp;</P><P>Any input that can be provided by the community would be appreciated.</P> Wed, 01 Nov 2017 19:31:32 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/184984#M56660 chrislss 2017-11-01T19:31:32Z https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185086#M56670 <P>Hi <SPAN class="UserName lia-user-name lia-user-rank-L0-Member"><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71080" target="_self"><SPAN class="">chrislss,</SPAN></A></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L0-Member"><SPAN class="">which version of PAN-OS you'r using in PA 5260 firewall&nbsp; ?</SPAN></SPAN></P> Thu, 02 Nov 2017 08:29:49 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185086#M56670 Feldiasti 2017-11-02T08:29:49Z https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185226#M56692 <P>The latest release, 8.0.5, is being used.&nbsp; App/Threat update release is 745-4296 (10/24/17).</P> Thu, 02 Nov 2017 18:57:14 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185226#M56692 chrislss 2017-11-02T18:57:14Z https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185230#M56694 <P>If there is an application default configured as a service on the Security Policy that allows symantec-endpoint-manager traffic, the Palo Alto firewall will deny web browsing traffic on destination port 8014.</P><P>&nbsp;</P><P>There are two possible resolutions:</P><P>1- Allow any service in the Security Policy.</P><P>2- Allow web browsing traffic on destination port 8014.</P><P>&nbsp;</P><P>for more details kindly find below URL:</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Symantec-Endpoint-Protection-Manager-SEPM-Uses-Web-Browsing/ta-p/53224" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Symantec-Endpoint-Protection-Manager-SEPM-Uses-Web-Browsing/ta-p/53224</A></P> Thu, 02 Nov 2017 19:29:34 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185230#M56694 Feldiasti 2017-11-02T19:29:34Z https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185234#M56697 <P>Thank you!&nbsp; I have to say i don't like the solution, but that definitely explains the issue.&nbsp; Appreciate the reference.</P><P>&nbsp;</P><P>Chris</P> Thu, 02 Nov 2017 19:49:32 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-mismatch-for-symantec-endpoint-manager/m-p/185234#M56697 chrislss 2017-11-02T19:49:32Z