topic Firewall rules - strange suggesttion in General Topics

Firewall rules - strange suggesttion

Alex_Samad — Thu, 12 Jul 2018 23:45:43 GMT

I gave a rule that allows snmp-trap messages to my SNMPD server. for some reason PA complains that SNMP-TRAP needs SNMP-BASE.

Now if I add in SNMP-BASE this is going to open up port 161 where as trap uses 162.

So why do i need SNMP-BASE

Re: Firewall rules - strange suggesttion

Remo — Sun, 15 Jul 2018 07:55:45 GMT

@Alex_Samad wrote:
So why do i need SNMP-BASE

... because of rare cases where paloalto isn't able to identify the snmp-trap right away. (Even if I don't really know in what situation this could be possible as snmp-traps mostly are one-packet connections. There aren't a lot of possibilities other than identify the application in just this one packet)

Anyway, if it works just with snmp-trap, then one possibility is to ignore the commit-warning or what I also did in this case, allow also snmp-base and manually add service 162/udp instead of application default.

There is also a feature request out there for a feature to suppress these commit warnings ...

Re: Firewall rules - strange suggesttion

Alex_Samad — Sun, 15 Jul 2018 21:48:28 GMT

thanks, think I will live with the warning seems counter intuitive to add snmp and then limit to 161.

Do you have the feature request number ?

Re: Firewall rules - strange suggesttion

pulukas — Mon, 16 Jul 2018 10:08:07 GMT

think I will live with the warning seems counter intuitive to add snmp 
and then limit to 161.

Yes, it does take some getting used to. Remember that with PAN the point of basic policy is to FORGET about port and protocol just select the application you want. And PAN will detect that application EVEN IF it runs on different ports.

Thus if you know the app you are writting the rule for will always be on the standard port then you use this option to prevent that default behavior.

Re: Firewall rules - strange suggesttion

Alex_Samad — Mon, 16 Jul 2018 10:08:45 GMT

Seems counter intuitive to allow something I didn't want to allow just to stop a warning.

Currently the traps are getting through so .

Re: Firewall rules - strange suggesttion

OtakarKlier — Mon, 16 Jul 2018 15:27:31 GMT

Hello,

While you are opening another application, remmeber that it is just that, the application and not a port. Meaning that the firewall needs to identify the application and it wont just open that port for all traffic.

Hope that makes sense.

Regards,

Re: Firewall rules - strange suggesttion

BPry — Mon, 16 Jul 2018 18:03:26 GMT

@Alex_Samad,

The warning is more to do with how other applications function more so than this particular app-id. The only reason the warning is generated is because the app-id has 'snmp-base' as a dependent (ie: if you look at snmp-trap it states 'Depends on: snmp-base'.

While it can be argued that snmp-trap really doesn't require that snmp-base actually be allowed, and therefore snmp-trap really shouldn't have a dependency to snmp-base, it's more so that applications such as 'dropbox-downloading' depends on 'dropbox-base' and 'ssl' aren't effected and causes admins to leave out required applications.

This is one of the weird things where PA could likely add an option to 'Ignore Commit Warnings' or something similar to the app-id, or further properly identify that snmp-trap doesn't actually require snmp-base, but this simply hasn't been created yet.

I would do what @Remo mentioned and simply add the app-id and specify that the service can only be 162/udp. This clears up the commit warning and won't actually allow snmp-base traffic unless it happens to be identified on 162. Or just ignore it, you just run the risk of missing an important warning when that list starts to grow over time.