topic Re: Default Application ID change in 8.0? in General Topics

Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 13:51:37 GMT

We are migrating from some 200's running 7.1.x code to 220's running 8.0.x code. We had a rule that was working fine, allowing any traffic from a server to another server. We didn't define any apps or tcp ports. We have that rule in the new firewall, but it is now being blocked as "unknown-tcp".

We added a rule allowing any traffic between the servers over the port they use. It still is blocking it as unknown-tcp.

Why did this work in 7.1 but not in 8.0? I've gone through the release notes and there is nothing about application ID changes that would effect this. Is an application override the only way to get this to work?

Re: Default Application ID change in 8.0?

Raido_Rattameister — Fri, 22 Feb 2019 16:01:25 GMT

Do you have "application-default" as Service?

Change it to "any" and test.

Re: Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 16:23:05 GMT

Application and Service are both set to any. And it is the first rule, as this is a very important connection.

Re: Default Application ID change in 8.0?

Raido_Rattameister — Fri, 22 Feb 2019 16:28:08 GMT

Can you show screenshot of the rule and screenshot of Monitor > Logs > Traffic where this traffic is blocked?

Re: Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 16:40:40 GMT

The rule that is the deny rule is the last rule, catch all.

Re: Default Application ID change in 8.0?

Raido_Rattameister — Fri, 22 Feb 2019 18:05:51 GMT

Can you also share top rule that should permit this traffic.

Re: Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 19:25:09 GMT

It's a pretty simple rule, and worked on 7.1:

Re: Default Application ID change in 8.0?

Raido_Rattameister — Fri, 22 Feb 2019 19:30:14 GMT

So it stopped working after upgrade?

Can you create new rule and instead of using address groups just add single ip to source and destination.

Those that you hid in your first screenshot.

To be sure that this source and destination are included in those groups.

Re: Default Application ID change in 8.0?

BPry — Fri, 22 Feb 2019 20:00:41 GMT

@DPoppleton

There is a setting where you can disallow any unknown-tcp or unknown-udp traffic; let me see if I can find it.

edit: I can't seem to find it with a quick glance but I'm fairly certain that was/is a thing. In the meantime you could utilize an application-override policy to classify the traffic as another application, or a custom application, and it should match your existing rule.

Re: Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 20:02:37 GMT

We tried that already. A rule with just the server as the source, and the object it was trying to go to as the destination, any application with a service of tcp/50000. Still fell through to the deny rule at the end as unknown-tcp.

Re: Default Application ID change in 8.0?

BPry — Fri, 22 Feb 2019 20:06:50 GMT

@DPoppleton ,

That would lead me to possibly start looking at the address objects that were passed in and seeing if they somehow are the problem. Try testing with a policy that actually specifies the IP of one of the servers and see if you see the same behavior.

Re: Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 20:15:18 GMT

@BPry the destination is a FQDN. I verified that the name resolved in the firewall by using "request system fqdn show" but I was wondering as well if there is failure with that somewhere.

Re: Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 21:12:36 GMT

We have another test window on Monday... I'll let you know how it goes.

Re: Default Application ID change in 8.0?

BPry — Fri, 22 Feb 2019 21:24:00 GMT

@DPoppleton,

Actually FQDN might explain things. What version did you actually upgrade this to? Throughout 8.0 there are a number of times where FQDN objects didn't work as expected.

Re: Default Application ID change in 8.0?

DPoppleton — Fri, 22 Feb 2019 21:37:37 GMT

It's 8.0.15. I was kind of hoping all the bugs would have been found by now.

Re: Default Application ID change in 8.0?

DPoppleton — Mon, 25 Feb 2019 17:03:20 GMT

We changed the target from an FQDN to an IP address and it is working. So it looks like another bug with FQDN. We're not going to celebrate yet as we will give it a few days to ensure it stays working, but it is looking good.