topic Mixing App-ID and Service in General Topics

Mixing App-ID and Service

RobinClayton — Fri, 16 Feb 2018 14:55:16 GMT

Am I correct in assuming that if you use App-ID you can't also use TCP sercice ports to allow aditiona other services on the same rule.

Thanks

Rob

Re: Mixing App-ID and Service

BPry — Fri, 16 Feb 2018 15:04:29 GMT

@RobinClayton,

Actually that works perfectly fine as long as the app-id is actually coming across on that service port; I have to do it quite often for SQL enviroments actually. You would simply set the app-id to whatever is desired, say ( mssql-db mssql-mon ) and then set the service to whatever you are using in your enviroment; just keep in mind that this will only work if the firewall is identifying that traffic as that application.

You could also create a custom app-id to match this traffic, or an application-override policy. This would allow you to maintain 'application-default' as the service depending on how much that matters to you.

Re: Mixing App-ID and Service

RobinClayton — Fri, 16 Feb 2018 15:08:29 GMT

I am aware you can override the port the app usualy uses.

But what if I have say two items one with an application and one without.

"SMTP (Application 25) - "

"Other (No Application) - Service TCP46"

My findings are that it breaks.

Re: Mixing App-ID and Service

BPry — Fri, 16 Feb 2018 15:18:24 GMT

@RobinClayton,

If you use app-id within the security policy and add a service that does not display that app-id it will break, as the traffic does not match the criteria of the rule. It doesn't really 'break', it's that the traffic doesn't actually match what is supplied by the security policy. If you are trying to pass traffic that doesn't map to an app-id (unknown-tcp or incomplete) you'll need to make a policy specifically for that traffic. Alternatively you could make a strict security policy that specifies an app-id of 'any' and then specify the service that needs to be allowed.

Re: Mixing App-ID and Service

RobinClayton — Fri, 16 Feb 2018 15:40:27 GMT

Thanks, Confirms my findings.

Re: Mixing App-ID and Service

OtakarKlier — Fri, 16 Feb 2018 16:14:51 GMT

Hello @RobinClayton,

I too have run across these issues, what I end up doing is creating two rules. One that matches the app-id and one with no app-id and just a service port.

Cheers!