Implicit Applications with cotp/ms-rdp in security policies

Reply
L0 Member

Implicit Applications with cotp/ms-rdp in security policies

Hello everyone,

 

Been testing some PA firewall functionality and noticed that ms-rdp has the implicit use of "cotp" defined, but the cotp application matches to a rule further down the policy list. When I review the logs, it looks like this

 

PAFWRDPCOTP.PNG

Am I misunderstanding having cotp as implicitly allowed by the ms-rdp application? Not sure why ms-rdp is allowed as part of the Test-RDP rule but then cotp drops down to a policy further in the list.

 

I could add the cotp application to the Test-RDP rule, but shouldn't Test-RDP be where cotp is getting caught already?

 

Thanks!

Highlighted
L6 Presenter

Re: Implicit Applications with cotp/ms-rdp in security policies

Hi @MathewRD .

 

when the tcp handshake is initiated for any application the firewall will view all policies for an explicit allow. If none are available then it will check again for any implicit allows.

 

i found these links helpful.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLLICA4

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!