https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300449#M78502 <P>here is test from cli</P><P>&nbsp;</P><P>i am running pan os 8.1.9</P><P>&nbsp;</P><P>(active)&gt; test security-policy-match from CorpData_INT to Pay_Prod_DMZ application ms-rdp source 10.63.44.68 destination 10.29.33.34 protocol 6 destination-port 3389</P><P><BR />(active)&gt; test security-policy-match from CorpData_INT to Pay_Prod_DMZ application cotp source 10.63.44.68 destination 10.29.33.34 protocol 6 destination-port 3389</P><P><BR />(active)&gt;</P><P>&nbsp;</P><P>i see no output</P> Sun, 24 Nov 2019 19:37:42 GMT MP18 2019-11-24T19:37:42Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300252#M78465 <P>&nbsp;</P><P>We have security policy to allow any application on port 3389.</P><P>I see users are able to connect to server on port 3389.</P><P>&nbsp;</P><P>traffic log shows denied on application cotp.</P><P>my understanding is that if you have application as any it should cover all the applications.</P><P>why it is getting denied on app cotp for port 3389?</P><P>&nbsp;</P><P>&nbsp;</P><P>Running PAN os 8.1.9</P> Fri, 22 Nov 2019 14:08:39 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300252#M78465 MP18 2019-11-22T14:08:39Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300311#M78485 <P>In the Traffic log, add the Rule column, and see which Security Policy is matching the allowed traffic, and which Security Policy is matching the denied traffic.&nbsp; From the sounds of it, there's two separate policies in play here.</P> Fri, 22 Nov 2019 21:02:37 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300311#M78485 fjwcash 2019-11-22T21:02:37Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300442#M78496 <P>Check the traffic logs when ms-rdp is allowed on port 3389 it hits the right rule</P><P>when i see application cotp on port 3389&nbsp; i see hitting default default deny rule.</P><P>&nbsp;</P><P>strange behaviour as application in rule is any on port 3389</P> Sun, 24 Nov 2019 16:54:57 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300442#M78496 MP18 2019-11-24T16:54:57Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300445#M78498 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;</P><P>Add the protocol column to your logview. I am pretty sure that the denied connections are udp connections and you have added only 3389/tcp to your security rule, right?</P><P>RDP primary tries to establish a connection on udp because of performance reasons and if this is not possible there is a fallback to tcp which is the reason that your connections work (port 3389/tcp) but you still have deny logs on (port 3389/udp).</P> Sun, 24 Nov 2019 18:31:51 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300445#M78498 Remo 2019-11-24T18:31:51Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300447#M78500 <P>Yes i only have added port&nbsp; 3389-tcp on the security rule.</P><P>I can see deny on udp connection on port 3389.</P><P>&nbsp;</P><P>I also deny on application cotp on tcp port 3389 and it does not hit the rdp rule.</P><P>application cotp denied on port 3389 tcp does not make sense to me.</P><P>&nbsp;</P><P>Seem application ms-rdp uses&nbsp;Implicitly Uses:&nbsp;&nbsp;cotp, t.120??</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 24 Nov 2019 19:18:13 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300447#M78500 MP18 2019-11-24T19:18:13Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300448#M78501 <P>I agree that this does not make sense, as long as the source really hits your RDP rule. Another idea I do not have right now.</P><P>Did you do a security policy match test on the cli (or in WebUI if you already are on PAN-OS 9) with exactly the same connection details as the dropped connections? And does it then match your RDP rule?</P> Sun, 24 Nov 2019 19:21:53 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300448#M78501 Remo 2019-11-24T19:21:53Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300449#M78502 <P>here is test from cli</P><P>&nbsp;</P><P>i am running pan os 8.1.9</P><P>&nbsp;</P><P>(active)&gt; test security-policy-match from CorpData_INT to Pay_Prod_DMZ application ms-rdp source 10.63.44.68 destination 10.29.33.34 protocol 6 destination-port 3389</P><P><BR />(active)&gt; test security-policy-match from CorpData_INT to Pay_Prod_DMZ application cotp source 10.63.44.68 destination 10.29.33.34 protocol 6 destination-port 3389</P><P><BR />(active)&gt;</P><P>&nbsp;</P><P>i see no output</P> Sun, 24 Nov 2019 19:37:42 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/300449#M78502 MP18 2019-11-24T19:37:42Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/326561#M83195 <P>Did you end up resolving this ?</P><P>&nbsp;</P><P>PANOS 8.1.12 App content 8264-6059 installed.</P><P>&nbsp;</P><P>Was working last week.</P><P>Now I log into a client site and instead of ms-rdp , my traffic is blocked cotp as the app-id. Confirmed its TCP traffic.</P><P>&nbsp;</P><P>I prefer not to just add cotp to my security policy, since that doesn't really fix the problem just works around it and adds something I'm not condoning at this point.</P> Wed, 06 May 2020 23:34:25 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/326561#M83195 ChrisVee 2020-05-06T23:34:25Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/326569#M83196 <P>Resolved !</P><P>So it wasn't any content change, in the end or anything, it was due to someone removing my access to the destination via RDP in the past week with user-id restrictions on the destination.</P><P>&nbsp;</P><P>This resulted in the policy-deny to take place, but still, the odd thing is the App-id recognised ONLY in the deny messages is cotp.</P><P>&nbsp;</P><P>Once I corrected the group membership and my user-id was allowed in, the app-id was recognised as ms-rdp correctly.</P><P>&nbsp;</P><P>Hope this helps someone else. Maybe something to correct from a firewall traffic log standpoint, this would have streamlined troubleshooting if the traffic was blocked and the app-id read ms-rdp as expected.</P> Thu, 07 May 2020 00:18:58 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/326569#M83196 ChrisVee 2020-05-07T00:18:58Z https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/616370#M121949 <P>you rock!</P> Thu, 07 Nov 2024 19:44:31 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-has-application-any-and-port-3389-we-see-discard-for/m-p/616370#M121949 ms9221 2024-11-07T19:44:31Z