https://live.paloaltonetworks.com/t5/general-topics/ntp-and-proxy-bypass/m-p/187137#M56990 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46571">@PaulBrock</a></P> <P>&nbsp;</P> <P>Are you seeing the vpn/proxybypass be identified as NTP in the traffic logs, or are you seeing the vpn/pbp hit your NTP policy and be allowed by it?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>in case of the latter, <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>'s solution will solve your issue. In case of the former you'll want to collect as much information as possible (pcaps, paket-diag log feature flow basic + appid basic) and open a support case</P> Wed, 15 Nov 2017 08:57:30 GMT reaper 2017-11-15T08:57:30Z https://live.paloaltonetworks.com/t5/general-topics/ntp-and-proxy-bypass/m-p/187022#M56976 <P>Hi i have a problem at the moment where it appears there is a proxy/Vpn application that is using port 123 .</P><P>as i have lots of byod devices&nbsp;that require access to NTP i leave the port open.</P><P>&nbsp;</P><P>When I look at the monitor logs it source port can be anything from 123 to any other port and the dest port is 123 and P.A is letting me know the application is NTP , hence allowed</P><P>&nbsp;</P><P>I have ssl decryption turned on .</P><P>&nbsp;</P><P>i am slightly stuck on how i ca allow legitimate NTP traffic as opposed to vpn/proxy using port 123&nbsp; ?</P> Tue, 14 Nov 2017 22:50:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ntp-and-proxy-bypass/m-p/187022#M56976 PaulBrock 2017-11-14T22:50:55Z https://live.paloaltonetworks.com/t5/general-topics/ntp-and-proxy-bypass/m-p/187044#M56978 <P>Hello,</P><P>At this point it would be the application inspection. In your logs, filter by port 123 and see which applications are using that port. Then rewrite the rule to allow only NTP 'application' and remove the port 'Service'.</P><P>So the policy would look similar to:</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 322px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12423iA17356B13CE937FF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>If there is an app using ssl over port 123, you might need an additional policy to allow ssl over port 123.</P><P>&nbsp;</P><P>I hope I understood your question correctly. Please let me know if I havent and i'll do my best to answer it correctly.</P><P>&nbsp;</P><P>Regards,</P> Tue, 14 Nov 2017 23:58:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ntp-and-proxy-bypass/m-p/187044#M56978 OtakarKlier 2017-11-14T23:58:21Z https://live.paloaltonetworks.com/t5/general-topics/ntp-and-proxy-bypass/m-p/187137#M56990 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46571">@PaulBrock</a></P> <P>&nbsp;</P> <P>Are you seeing the vpn/proxybypass be identified as NTP in the traffic logs, or are you seeing the vpn/pbp hit your NTP policy and be allowed by it?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>in case of the latter, <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>'s solution will solve your issue. In case of the former you'll want to collect as much information as possible (pcaps, paket-diag log feature flow basic + appid basic) and open a support case</P> Wed, 15 Nov 2017 08:57:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ntp-and-proxy-bypass/m-p/187137#M56990 reaper 2017-11-15T08:57:30Z