App-IDs for SSL-Secured Versions of Well-Known Services


Details

Many well-known services such as LDAP, IMAP, POP3, SMTP, and FTP have an SSL-secured version that runs on an alternate SSL-variant port (often called implicit TLS) rather than on the service's standard port. In all of these cases the TLS handshake begins as soon as the TCP connection opens, so the traffic is identified as the 'ssl' application by App-ID on the Palo Alto Networks firewall; the destination port alone does not tell App-ID which protocol is carried inside the session.

There are a few different approaches to writing a security policy that allows these services. Some of them are discussed below:

  1. Use STARTTLS, which all of these protocols support (see http://en.wikipedia.org/wiki/STARTTLS). The session starts in plaintext on the protocol's standard port and upgrades to TLS after the STARTTLS command, so it is identified as the App-ID corresponding to the protocol (ldap, imap, pop3, etc.) rather than as 'ssl'. Note that STARTTLS is negotiated: the client must be configured to require it, because a client that silently falls back to plaintext when the upgrade fails still matches the same App-ID and the same rule.
  2. Create service objects for the SSL-variant ports and allow the 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:TCP/995; FTPS:TCP/990 (LDAPS uses TCP/636). Keep in mind that this allows any TLS session to those ports, not only mail or directory traffic, because without decryption the firewall cannot confirm what is inside.
  3. Create a custom application based on your server certificate. See the example on DevCenter: Custom Application for SSL-based traffic
  4. Enable SSL decryption (SSL Forward Proxy for outbound sessions), after which the inner protocol is identified as the corresponding App-ID: smtp, imap, pop3, etc.

See Also

How to Implement SSL Decryption

owner: savasarala

Comments

Hi,


I created a firewall rule by following method 2.


2. Create service objects for the SSL-variant ports, and allow 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:995; FTPS:TCP/990.


However, users are still unable to connect to servers like Yahoo, Gmail, iCloud, etc.

Below is the firewall rule showing the allowed application 'ssl' and the port objects:

[screenshot: fwRule.JPG]

The following logs were displayed when a user tried to connect to the Gmail and Yahoo secure IMAP servers:

[screenshot: fwLogs.JPG]

Can anyone please suggest a solution for this?

You also need to add the App-IDs yahoo-mail and gmail-base to the firewall rule.

Thanks for your response. You are right about adding App-IDs, but what about when someone tries to connect to a mail server that does not have an App-ID, e.g. a POP3S connection to an ISP mail server? The requirement is to allow secure IMAP (993) and POP3S (995) connections to any external mail server.

Thanks.

Any other connection without a specific App-ID should fall back to the pop3 and imap App-IDs.

pop3s/imaps is basically an SSL connection with pop3/imap inside, so you would need to allow ssl on port 995/993 with SSL decryption, at which point pop3/imap can be identified.


Without SSL decryption, the session will look identical to any other SSL session, with the exception of the destination port, which is not enough to assign it the pop3/imap App-ID.
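The reason behind both the option list in the Details section above and the last comment (without decryption, a session on an SSL-variant port looks like any other SSL session apart from its destination port) is visible in the first bytes each side sends. The following Python is an added example written for this page; it is not Palo Alto Networks code and not a model of how App-ID is actually implemented. It builds a sample TLS ClientHello, parses the SNI out of it (the kind of value a custom application or a decryption policy can key on, and the kind of thing that lets App-IDs such as gmail-base exist at all), and then classifies a few constructed sessions the way a firewall could from the wire bytes alone: a STARTTLS session on the standard port is identified by its plaintext greeting, an implicit-TLS session on 993/995 is only 'ssl', and the same session becomes pop3 once the inner stream is available after decryption. The banner table, the sample sessions, the host names imap.gmail.com and pop.isp.example, and the stub server reply are all assumptions made for the example.

```python
import struct
from typing import Optional, Tuple

# Constructing a TLS ClientHello: sample input for this example, not a capture.
def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with an SNI extension (real clients send much more)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + bytes(32)                           # random (zeros are fine for a parser test)
        + b"\x00"                             # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def is_tls_record(data: bytes) -> bool:
    """True if the bytes start with a TLS handshake record header (type 0x16, major version 3)."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03

def extract_sni(record: bytes) -> Optional[str]:
    """host_name from a ClientHello's SNI extension, or None if absent or not a ClientHello."""
    if not is_tls_record(record):
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    name_type = hs[q]
                    name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:
                        return hs[q:q + name_len].decode("ascii", "replace")
                    q += name_len
            p += elen
    except (IndexError, struct.error):
        pass                                             # truncated or malformed hello
    return None

# Greeting prefixes for the mail protocols the article names. Illustrative only: PAN-OS App-ID
# uses far richer signatures than a banner prefix, and FTP (which also greets with 220) is omitted.
BANNERS = [(b"220", "smtp"), (b"* OK", "imap"), (b"+OK", "pop3")]

def app_from_banner(server_bytes: bytes) -> str:
    for prefix, app in BANNERS:
        if server_bytes.startswith(prefix):
            return app
    return "unknown"

def identify(client_first: bytes, server_first: bytes,
             decrypted_server_first: Optional[bytes] = None) -> Tuple[str, Optional[str]]:
    """(app, sni) for one session from the first bytes each side sent.
    A plaintext greeting (also the start of a session that will upgrade via STARTTLS) identifies
    the protocol. Implicit TLS shows only the handshake, so the answer is 'ssl' unless the
    firewall decrypts and can classify the inner stream (passed in as decrypted_server_first)."""
    if is_tls_record(client_first):
        sni = extract_sni(client_first)
        if decrypted_server_first is not None:
            return app_from_banner(decrypted_server_first), sni
        return "ssl", sni
    return app_from_banner(server_first), None

# Constructed sample sessions (not captures from the article or the comments above).
SERVER_HELLO_STUB = b"\x16\x03\x03\x00\x00"   # stand-in for the server's TLS reply
SESSIONS = {
    "imap-starttls-143": dict(client_first=b"a001 CAPABILITY\r\n", server_first=b"* OK IMAP4rev1 ready\r\n"),
    "imaps-993": dict(client_first=build_client_hello("imap.gmail.com"), server_first=SERVER_HELLO_STUB),
    "pop3s-995": dict(client_first=build_client_hello("pop.isp.example"), server_first=SERVER_HELLO_STUB),
    "pop3s-995-decrypted": dict(client_first=build_client_hello("pop.isp.example"), server_first=SERVER_HELLO_STUB,
                                decrypted_server_first=b"+OK POP3 ready\r\n"),
}

def classify_all():
    return {name: identify(**session) for name, session in SESSIONS.items()}

if __name__ == "__main__":
    for name, (app, sni) in classify_all().items():
        print(f"{name:22} app={app:8} sni={sni}")
```

Running the script prints one line per sample session. The two sessions to port 995 are byte-for-byte the same on the wire, and only the decrypted one comes back as pop3; the 993 session yields 'ssl' plus the SNI, which is exactly the extra signal a custom application (option 3) or a per-host App-ID such as gmail-base has to work with when decryption (option 4) is not in place.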