App-ID - ms-rdp not allowed, traffic being blocked as cotp

L1 Bithead

App-ID - ms-rdp not allowed, traffic being blocked as cotp

Hi All,

 

Were running 7.1.14. 

Ive created a rule to allowed ms-rdp to the rule. Ive checked first if ms-rdp has any dependencies, there is none. It implicitly uses cotp and t.120.

 

So from what i understand from the meaning of Implicitly uses, i only need to allow the main application which is ms-rdp and in turn it will allow implicitly cotp and t1.20. When we did our RDP testing the traffic got blocked with a policy-deny with an application of cotp. Ive added cotp to the rule and the connection worked on upon logging at session end its seeing it as ms-rdp.

 

So im not sure whether my understanding of the "Implicitly uses" is wrong or is there something else im missing out here.

L7 Applicator

Re: App-ID - ms-rdp not allowed, traffic being blocked as cotp

@Jonathan_Panes,

So first off you should really consider upgrading your firewall; your current build is old and has a number of security vulnerabilities that you'd want patched. Second, your initial thought on Implicit is correct, you don't need to include cotp or t.120 to get this to work correctly.

 

As to why it's not getting identified correctly, my immediately jump to the following:

1) What's your content version? I recall ms-rdp being updated recently, so it may be that your signature has gotten too old and the firewall can  no longer identify the traffic properly.

2) Are you utilizing default ports? If you utilize non-standard ports cotp is going to fall under application-default due to it utilizing dynamic ports, md-rdp is only going to get identified properly when operating on 3389. 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!