I am trying to test App-ID & put a rule in (all the way on top) denying my workstation from accessing RDP on machines in other zones. I have successfully blocked users from accessing RDP on the standard port 3389 but can still access RDP on a machine that listens for RDP on a non-standard port (tcp 51000). I did not specify the non-standard port in the security policy like I did port 3389, but I did use App-ID in the rule for "ms-rdp" and "t.120" and expected the App-ID feature to catch the connection and deny it. What am I missing & why won't the PA deny the RDP connection using App-ID on the non-standard tcp port?
Your rule is set explicitly for port 3389. It doesn't matter what you have in any of the other boxes, as it has to match 3389.
Can you monitor the allowed traffic on port 51000? Is it recognised as ms-rdp?
If not, then you will have to rethink your policy, but as it stands it can be either ms-rdp or t.120 but must be on 3389 to be denied.
You have to change the Service field to "Any" to block ms-rdp on any port.
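As an added illustration (not code from the thread or from Palo Alto Networks), here is a small Python model of top-down security-policy matching that shows why the deny rule with Service = tcp/3389 is skipped for an ms-rdp session on tcp/51000 and the flow falls through to a later allow rule, while Service = any catches it; it also goes one step beyond the thread to show that application-default would not catch the non-standard port either. The zone names, the workstation address and the App-ID default-port table are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Flow:
    src: str
    from_zone: str
    to_zone: str
    app: str     # application identified by App-ID, e.g. "ms-rdp"
    dport: int   # destination TCP port actually used by the session

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    source: str = "any"
    apps: tuple = ("any",)
    service: str = "any"     # "any", "application-default" or "tcp/<port>"

# Assumed App-ID standard port for ms-rdp; only consulted by "application-default".
APP_DEFAULT_PORTS = {"ms-rdp": {3389}}
def service_matches(rule, flow):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return flow.dport in APP_DEFAULT_PORTS.get(flow.app, set())
    proto, _, port = rule.service.partition("/")
    return proto == "tcp" and int(port) == flow.dport

def rule_matches(rule, flow):
    # Every field is ANDed: a mismatch in Service alone is enough to skip the rule.
    return (rule.from_zone in ("any", flow.from_zone)
            and rule.to_zone in ("any", flow.to_zone)
            and rule.source in ("any", flow.src)
            and ("any" in rule.apps or flow.app in rule.apps)
            and service_matches(rule, flow))

def evaluate(rulebase, flow):
    # Top-down, first match wins; no match falls to the implicit interzone deny.
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "interzone-default", "deny"
WORKSTATION = "10.0.1.50"  # constructed address standing in for the asker's workstation
def build_rulebase(service):
    # Deny rule on top as described in the question, followed by a broad allow rule.
    return [Rule("deny-rdp-from-workstation", "deny", from_zone="trust",
                 source=WORKSTATION, apps=("ms-rdp", "t.120"), service=service),
            Rule("allow-outbound", "allow", from_zone="trust")]
```

Run `evaluate(build_rulebase("tcp/3389"), Flow(WORKSTATION, "trust", "servers", "ms-rdp", 51000))` to see the session land on the allow rule, then repeat with `"any"` to see the deny rule match.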