Application Groups "service" in security policy


Application Groups "service" in security policy

I have the following scenario I came across and am just curious if this is expected behavior. It is recommended when "whitelisting" an application to use the application-default service (so it only works on its default port), or if you are "blacklisting" to use the service "any" (to block the app on any port used). I'm not so sure this works using groups though? Here is an example:

Rule 1 - Allowed Exception During Lunch - YouTube - application-default - ALLOW

Rule 2 - Whitelist - Application Group which includes SSL etc... - application-default - ALLOW

Rule 3 - Blacklist - Application Group to Deny which includes SSL as part of a filter - any - DENY <-- use ANY service for deny rules

When I try to commit it gives me a warning that YouTube has a dependency on SSL, which is denied by the Blacklist rule. This doesn't make sense as SSL is allowed in rule 2, so therefore in my mind it "should" work. What am I missing? And when using application groups, do you have to leave the service as "any", or can you use application-default just fine, so that if you have a list of 5 applications, each one of those will only work on its respective default port?


Re: Application Groups "service" in security policy

I recall that this issue is caused by the commit validation not expanding the search beyond the original rule. However, this is an error with the validation message; it will not affect the actual traffic. When a session is initiated it will first match the SSL application in Rule 2, and when App-ID shifts to YouTube the traffic will then match Rule 1.

Regards,

Narong

kbe

Re: Application Groups "service" in security policy

That's right.

The warning is normal and can be ignored. There are many applications that also bring up this warning if you use a cleanup-rule as last rule.

In your scenario it should work as expected, like Narong explained.

You can use application default when working with application groups. Each application will then only work on its default port(s) that are defined in the application-default.

But why are you using a blacklist? If you define apps that are allowed, all other apps should be denied by default. You do not need a special deny rule. Only allowed traffic should flow.
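A toy model of the rulebase behaviour described in the two replies (application-default with groups, and the App-ID shift from SSL to YouTube landing on Rule 1). This is an added example, not code from the thread or from Palo Alto Networks; the port map, the group contents, the dependency table and the default-deny fallback are constructed assumptions.

```python
# Constructed sample data: default ports and group membership are assumptions,
# not taken from the thread or from the vendor's App-ID database.
DEFAULT_PORTS = {"ssl": {443}, "youtube": {443}, "web-browsing": {80}, "bittorrent": {6881}}
APP_GROUPS = {
    "whitelist-apps": {"ssl", "web-browsing"},   # Rule 2's group "which includes SSL etc."
    "blacklist-apps": {"ssl", "bittorrent"},     # Rule 3's group "which includes SSL"
}
DEPENDS_ON = {"youtube": {"ssl"}}                # the dependency the commit warning names

# Rulebase in evaluation order, mirroring the three rules in the question:
# (name, application list, service, action)
RULES = [
    ("Rule 1 - Allowed Exception", {"youtube"}, "application-default", "allow"),
    ("Rule 2 - Whitelist", {"group:whitelist-apps"}, "application-default", "allow"),
    ("Rule 3 - Blacklist", {"group:blacklist-apps"}, "any", "deny"),
]

def expand(apps):
    """Flatten application-group references into the individual applications."""
    out = set()
    for a in apps:
        out |= APP_GROUPS[a[len("group:"):]] if a.startswith("group:") else {a}
    return out

def first_match(app, port):
    """Return (rule name, action) of the first rule that matches this app on this port.
    application-default restricts each *individual* app to its own default port(s),
    so it works with groups exactly as kbe describes. Fallback is the assumed default deny."""
    for name, apps, service, action in RULES:
        if app not in expand(apps):
            continue
        if service == "application-default" and port not in DEFAULT_PORTS.get(app, set()):
            continue
        return name, action
    return "default", "deny"

def session_verdicts(app_sequence, port):
    """App-ID can shift mid-session (ssl -> youtube); policy is re-evaluated at each shift,
    which is why the session in the thread matches Rule 2 first and then Rule 1."""
    return [first_match(app, port) for app in app_sequence]

def dependencies_allowed(app, port):
    """Rulebase-wide check: is every dependency of `app` allowed by some rule on this port?
    The thread's commit warning looks narrower than this, which is why it can fire anyway."""
    return all(first_match(dep, port)[1] == "allow" for dep in DEPENDS_ON.get(app, set()))
```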
