https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8412#M6206 <HTML><HEAD></HEAD><BODY><P>I submitted this to applpedia just after your post. I never even received a confirmation that it had been received. Should I have?</P></BODY></HTML> Tue, 17 May 2011 20:26:09 GMT david_scott 2011-05-17T20:26:09Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8410#M6204 <HTML><HEAD></HEAD><BODY><P><SPAN>I work in a University, and recently our library began to use - or try to use - an app called "Able" from </SPAN><A class="jive-link-external-small" href="http://able.nationalbindery.com">http://able.nationalbindery.com</A></P><P></P><P>We're behind a PA 2050 running 3.1.5 firmware.</P><P></P><P>The site uses an embedded Java app to communicate with a remote server. From what I can tell, the client initiates a session to dst port 80, then the server responds and all future communication happens across remote tcp port 9000 (and whatever random port the client chooses).</P><P></P><P>I can't seem to create a policy that will allow this traffic. I've created a policy from "Trust" to "Untrust" allowing "Service" tcp 80 and tcp 9000.</P><P></P><P>I've also added a policy from "Untrust" to "Trust", allowing port 9000. Nothing.</P><P></P><P>Does anyone have any experiece with this app? I can provide a pcap if necessary.</P><P></P><P>Thank you,</P><P><BR />David Scott</P><P>Freed-Hardeman University</P></BODY></HTML> Wed, 11 May 2011 19:15:34 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8410#M6204 david_scott 2011-05-11T19:15:34Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8411#M6205 <HTML><HEAD></HEAD><BODY><P>@david.scott:</P><P></P><P>You can submit an application request via the Applipedia section of our support website:</P><P></P><P><A href="http://ww2.paloaltonetworks.com/applipedia/">http://ww2.paloaltonetworks.com/applipedia/</A><SPAN> </SPAN></P><P></P><P><SPAN>click the "tools" link and then the "submit an app" link</SPAN></P><P></P><P><SPAN>A packet capture from the client PC is always helpful when creating new application signatures.</SPAN></P><P></P><P>-Benjamin</P></BODY></HTML> Wed, 11 May 2011 19:19:24 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8411#M6205 bpappas 2011-05-11T19:19:24Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8412#M6206 <HTML><HEAD></HEAD><BODY><P>I submitted this to applpedia just after your post. I never even received a confirmation that it had been received. Should I have?</P></BODY></HTML> Tue, 17 May 2011 20:26:09 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8412#M6206 david_scott 2011-05-17T20:26:09Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8413#M6207 <HTML><HEAD></HEAD><BODY><P>Maybe the tcp 9000 traffic is actually client-server, but with your PC acting as server and their webserver acting as client.</P><P>If that's the case, you need some sort of "secondary connections" mechanism.</P><P>Or, if there would be only one PC the application is used from, a NAT port forwarding...</P></BODY></HTML> Wed, 18 May 2011 10:13:53 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-rule-for-national-bindery-library-app/m-p/8413#M6207 dieter_b 2011-05-18T10:13:53Z