topic application any and service application default in policy in General Topics

application any and service application default in policy

ChrisBrun — Fri, 26 Apr 2019 17:02:20 GMT

I have a Internet policy that permits application "any" with service "application-default". I just discovered that we can no longer use Ookla Speedtest since turning on the "application-default" service.

Has anyone else experienced this and could you share how you resolved it?

Thanks.

Re: application any and service application default in policy

Remo — Fri, 26 Apr 2019 20:47:35 GMT

As far as I know this speedtest uses TLS connections on port 8080. As the default port for the App ssl is 443 the firewall no longer allows these ssl connections from speedtest on port 8080.

To solve this issue you would have to create a new security policy that allows ssl on port 8080 and depending on your needs restrict it to specific IPs of servers that are used for the speedtest.

Re: application any and service application default in policy

BPry — Sat, 27 Apr 2019 04:30:55 GMT

@ChrisBrun,

Aside from what @Remo already mentioned; I'm assuming that you aren't doing outbound SSL-Decryption? If you were utilizing decryption a lot of additional app-ids will be identified properly and you can utilize your above policy for the majority of things. For example, what you mention would have fallen under the 'speedtest' app-id and been allowed, as long as decryption was enabled.

If you aren't utilizing SSL-Decryption on your outbound traffic app-id is only able to trigger off of what it can actually see in the traffic flow, making it essentially "best effort" identification.