Rule has application any and port 3389 we see discard for application cotp

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Rule has application any and port 3389 we see discard for application cotp

Cyber Elite
Cyber Elite

 

We have security policy to allow any application on port 3389.

I see users are able to connect to server on port 3389.

 

traffic log shows denied on application cotp.

my understanding is that if you have application as any it should cover all the applications.

why it is getting denied on app cotp for port 3389?

 

 

Running PAN os 8.1.9

MP

Help the community: Like helpful comments and mark solutions.
8 REPLIES 8

L4 Transporter

In the Traffic log, add the Rule column, and see which Security Policy is matching the allowed traffic, and which Security Policy is matching the denied traffic.  From the sounds of it, there's two separate policies in play here.

Check the traffic logs when ms-rdp is allowed on port 3389 it hits the right rule

when i see application cotp on port 3389  i see hitting default default deny rule.

 

strange behaviour as application in rule is any on port 3389

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

Hi @MP18 

Add the protocol column to your logview. I am pretty sure that the denied connections are udp connections and you have added only 3389/tcp to your security rule, right?

RDP primary tries to establish a connection on udp because of performance reasons and if this is not possible there is a fallback to tcp which is the reason that your connections work (port 3389/tcp) but you still have deny logs on (port 3389/udp).

Yes i only have added port  3389-tcp on the security rule.

I can see deny on udp connection on port 3389.

 

I also deny on application cotp on tcp port 3389 and it does not hit the rdp rule.

application cotp denied on port 3389 tcp does not make sense to me.

 

Seem application ms-rdp uses Implicitly Uses:  cotp, t.120??

 

 

 

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

I agree that this does not make sense, as long as the source really hits your RDP rule. Another idea I do not have right now.

Did you do a security policy match test on the cli (or in WebUI if you already are on PAN-OS 9) with exactly the same connection details as the dropped connections? And does it then match your RDP rule?

here is test from cli

 

i am running pan os 8.1.9

 

(active)> test security-policy-match from CorpData_INT to Pay_Prod_DMZ application ms-rdp source 10.63.44.68 destination 10.29.33.34 protocol 6 destination-port 3389


(active)> test security-policy-match from CorpData_INT to Pay_Prod_DMZ application cotp source 10.63.44.68 destination 10.29.33.34 protocol 6 destination-port 3389


(active)>

 

i see no output

MP

Help the community: Like helpful comments and mark solutions.

Did you end up resolving this ?

 

PANOS 8.1.12 App content 8264-6059 installed.

 

Was working last week.

Now I log into a client site and instead of ms-rdp , my traffic is blocked cotp as the app-id. Confirmed its TCP traffic.

 

I prefer not to just add cotp to my security policy, since that doesn't really fix the problem just works around it and adds something I'm not condoning at this point.

Resolved !

So it wasn't any content change, in the end or anything, it was due to someone removing my access to the destination via RDP in the past week with user-id restrictions on the destination.

 

This resulted in the policy-deny to take place, but still, the odd thing is the App-id recognised ONLY in the deny messages is cotp.

 

Once I corrected the group membership and my user-id was allowed in, the app-id was recognised as ms-rdp correctly.

 

Hope this helps someone else. Maybe something to correct from a firewall traffic log standpoint, this would have streamlined troubleshooting if the traffic was blocked and the app-id read ms-rdp as expected.

  • 9668 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!