I have an Internet policy that permits application "any" with service "application-default". I just discovered that we can no longer use Ookla Speedtest since turning on the "application-default" service.
Has anyone else experienced this and could you share how you resolved it?
As far as I know, this speedtest uses TLS connections on port 8080. As the default port for the App ssl is 443, the firewall no longer allows these ssl connections from speedtest on port 8080.
To solve this issue, you would have to create a new security policy that allows ssl on port 8080 and, depending on your needs, restrict it to specific IPs of servers that are used for the speedtest.
Aside from what @vsys_remo already mentioned, I'm assuming that you aren't doing outbound SSL-Decryption? If you were utilizing decryption, a lot of additional app-ids will be identified properly and you can utilize your above policy for the majority of things. For example, what you mention would have fallen under the 'speedtest' app-id and been allowed, as long as decryption was enabled.
If you aren't utilizing SSL-Decryption on your outbound traffic, app-id is only able to trigger off of what it can actually see in the traffic flow, making it essentially "best effort" identification.
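
An added example, not part of the thread and not PAN-OS code: a simplified Python model of the rule matching that both replies describe, showing the block, the explicit ssl/8080 rule, and the effect of decryption. The rule names, the dictionary layout and the assumption that the 'speedtest' App-ID's default ports include tcp/8080 are illustrative; only ssl defaulting to 443 is stated in the thread.

```python
# Simplified model of first-match policy evaluation with "application-default".
# ssl -> tcp/443 comes from the thread; speedtest on tcp/8080 is an assumption
# inferred from the reply that says decryption would have allowed the traffic.
APP_DEFAULT_PORTS = {
    "ssl": {443},
    "speedtest": {443, 8080},  # assumed default ports
}

def identify_app(true_app, decrypted):
    """Without decryption the firewall only sees the TLS wrapper."""
    return true_app if decrypted else "ssl"

def rule_matches(rule, app, port):
    """A rule matches when both its application and its service match."""
    if rule["application"] != "any" and app not in rule["application"]:
        return False
    if rule["service"] == "application-default":
        # Port must be one of the identified application's default ports.
        return port in APP_DEFAULT_PORTS.get(app, set())
    return rule["service"] == "any" or port in rule["service"]

def evaluate(rules, true_app, port, decrypted=False):
    """Return (action, rule name, identified app) for one TCP session."""
    app = identify_app(true_app, decrypted)
    for rule in rules:
        if rule_matches(rule, app, port):
            return rule["action"], rule["name"], app
    return "deny", "implicit-deny", app

# Hypothetical rules: the poster's Internet policy and the suggested fix.
INTERNET = {"name": "internet", "application": "any",
            "service": "application-default", "action": "allow"}
SSL_8080 = {"name": "speedtest-ssl-8080", "application": {"ssl"},
            "service": {8080}, "action": "allow"}

if __name__ == "__main__":
    cases = [
        ("original policy", [INTERNET], False),
        ("with ssl/8080 rule", [SSL_8080, INTERNET], False),
        ("original + decryption", [INTERNET], True),
    ]
    for label, rules, decrypted in cases:
        print(label, evaluate(rules, "speedtest", 8080, decrypted))
```

In a real rule the ssl/8080 exception would also carry the destination restriction to the speedtest server IPs that the first reply recommends, since port 8080 with application ssl is otherwise open to any TLS service.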