https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/361781#M88223 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138646">@BSwientoniowski</a>,</P> <P>Whenever you have a rule allowing application-default the firewall is going to allow enough traffic to identify the application. So the rule that this traffic is hitting is, if I would have to make an educated guess, the first entry in your security rulebase from trust to untrust that is based off of app-id.&nbsp;</P> Tue, 10 Nov 2020 02:34:53 GMT BPry 2020-11-10T02:34:53Z https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/361684#M88215 <P>I've got a rule that allows the following applications from&nbsp;any source in our trusted zone out to any destination in the untrust zone.</P><UL><LI>appdynamics</LI><LI>dns-over-https</LI><LI>dns-over-tls</LI><LI>github</LI><LI>ms-delve</LI><LI>net.tcp</LI><LI>ntp</LI><LI>ocsp</LI><LI>okta</LI><LI>paloalto-updates</LI><LI>paloalto-wildfire-cloud</LI><LI>pan-db-cloud</LI><LI>rtcp</LI><LI>service-now</LI><LI>skype</LI><LI>ssh</LI><LI>windows-azure</LI><LI>windows-push-notifications</LI></UL><P>The rule is set for application-default.</P><P>&nbsp;</P><P>We have some legitimate traffic on our network that goes from trust to untrust with the destination port of tcp/37.</P><P>&nbsp;</P><P>For some reason, this traffic is matching up to this rule.&nbsp; None of the applications in the rule list tcp/37 as a default port.&nbsp; Only two of those applications (skype and net.tcp) have dynamic default ports.</P><P>When the tcp/37 traffic hits this rule, the application always shows up as "insufficient-data"</P><P>&nbsp;</P><P>I know what the traffic is - it is supposed to be the old "TIME" protocol.&nbsp; I've actually created a rule specific for this further down the list.</P><P>&nbsp;</P><P>Any idea why the traffic would match up to this rule?</P> Mon, 09 Nov 2020 19:39:31 GMT https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/361684#M88215 BSwientoniowski 2020-11-09T19:39:31Z https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/361781#M88223 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138646">@BSwientoniowski</a>,</P> <P>Whenever you have a rule allowing application-default the firewall is going to allow enough traffic to identify the application. So the rule that this traffic is hitting is, if I would have to make an educated guess, the first entry in your security rulebase from trust to untrust that is based off of app-id.&nbsp;</P> Tue, 10 Nov 2020 02:34:53 GMT https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/361781#M88223 BPry 2020-11-10T02:34:53Z https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/361909#M88237 <P>Thanks for the response.&nbsp; The rule that the traffic is hitting is actually the 4th rule in the list going from trust to untrust that is based off of app-id.</P> Tue, 10 Nov 2020 12:29:26 GMT https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/361909#M88237 BSwientoniowski 2020-11-10T12:29:26Z https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/362899#M88309 <P>Hello,</P> <P>Also as a suggestion, please use URL filtering as well as DNS sinkholes. Will make your security posture that much better.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 12 Nov 2020 23:14:37 GMT https://live.paloaltonetworks.com/t5/general-topics/odd-traffic-going-out-through-an-application-specific-security/m-p/362899#M88309 OtakarKlier 2020-11-12T23:14:37Z