After enabling decryption recently we started to have a few issues with applications being identified incorrectly.
A few common examples of this are sap, http-video and http-audio.
These end up being blocked with "application-default" for the service. This appears to be because in some instances sites use HTTPS anyway, and once these apps are decrypted they show as going over port 443 rather than 80, which makes sense but is contrary to the App-ID signatures' default ports.
I know we can create rules for applications like this to allow them specifically, but this is starting to become very time consuming to create a rule for every application that has this issue.
Is there a way to allow this traffic while still inspecting it with some sort of override? It feels a little like there should be an http-video (Decrypted) or https-video application.
I think it would be great to be able to create an application signature that overrides default settings; this would allow you to pick a pre-existing application signature and override the default ports, for example. We can then add this overridden application to a pre-existing rule.
Is there another workaround for this I have missed?
Perhaps you are running PAN-OS 7.1 and recently now performing SSL Interception as well?
From the PAN-OS 7.1 "Changes to Default Behavior":
When you configure a Security policy rule with the Application setting Any and the Service setting application-default, all applications are now permitted only on their standard ports as defined in Palo Alto Networks Applipedia. For example, if a Security policy rule allows any application traffic on the default application ports, the firewall will allow web-browsing traffic only on port 80 and SSH traffic only on port 22. In earlier PAN-OS release versions, the Service setting application-default was interpreted as Any when configured with the Application setting Any. You can replicate the behavior of earlier PAN-OS releases by changing rules with the Application setting Any and the Service setting application-default to include the Application setting Any and the Service setting Any.
This is not my experience.
We are currently running 7.0.10 in any case.
I will give an example.
Source: Trust Zone, Specified Addresses, and Trusted User --> Destination: Untrust Zone, Any Address, Application http-video (plus other apps), Application default | Allow, with security profile enabled as well.
1. User browses to a news website www.stuff.co.nz and tries to view an article with a video embedded.
2. The video uses the application http-video (Applipedia says port 80 only), but the provider of the video uses HTTPS for the link to the video, which puts it on port 443.
3. The Palo Alto firewall decrypts the traffic and recognises the application as http-video, but the port that it is using is 443.
4. The firewall then blocks the application because the port is not the application default, as it's expecting port 80.
Given I would prefer to decrypt this sort of traffic, as otherwise it just shows as SSL rather than http-video, how would I fix this without creating new rules for each application I have this issue with?
Unless you have a specific reason to only allow http-video on port 80, just remove the "application-default" service. This is the transition from a traditional port-based firewall to the next-generation firewall you have. Ports really don't matter much; it's the application that you're really trying to control.
Your rule seems to indicate that you do want http-video (plus other apps) to be allowed, and if you don't really care about the port, just set the service to any.
While setting the Service to 'any' is a solution, you also open the rule up to allow that application to use any port. While yes, port-based is becoming more legacy, a tighter security rule would be to use application-default or a specific port to restrict the passage of potentially unwanted traffic of a specific application.
In our case we had to write special rules to allow the decrypted applications over port 443. This way we still restricted the application to specific ports and were able to scan the traffic since it was SSL decrypted.
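As an added illustration of the trade-off discussed above (not code from this thread or from Palo Alto Networks), here is a small Python model of how a rule's Service setting treats a decrypted http-video flow on tcp/443. The default-port table is constructed for the example, with http-video on port 80 only, as the thread states.

```python
# Toy model of first-match security policy evaluation with three Service
# settings: "application-default", "any", or an explicit set of ports.
# Added example; it is not PAN-OS code and only mirrors the behaviour the thread describes.
from dataclasses import dataclass

# Constructed stand-in for Applipedia's per-App-ID standard ports.
APP_DEFAULT_PORTS = {
    "http-video": {80},
    "http-audio": {80},
    "web-browsing": {80},
    "ssl": {443},
}

@dataclass
class Rule:
    applications: set   # App-IDs the rule allows
    service: object     # "application-default", "any", or a set of TCP ports
    action: str = "allow"

@dataclass
class Flow:
    app: str            # App-ID as identified after decryption (e.g. http-video, not ssl)
    dst_port: int

def matches(rule, flow):
    """True if the flow matches the rule's Application and Service settings."""
    if flow.app not in rule.applications:
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the App-ID's standard ports are permitted.
        return flow.dst_port in APP_DEFAULT_PORTS.get(flow.app, set())
    return flow.dst_port in rule.service

def evaluate(rulebase, flow):
    """First matching rule wins; no match means implicit deny."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.action
    return "deny"

def compare_service_settings(flow):
    """Verdict for one flow under the three Service choices discussed in the thread."""
    variants = {
        "application-default": Rule({"http-video"}, "application-default"),
        "any": Rule({"http-video"}, "any"),
        "tcp/80 + tcp/443": Rule({"http-video"}, {80, 443}),
    }
    return {name: evaluate([rule], flow) for name, rule in variants.items()}

if __name__ == "__main__":
    for port in (80, 443, 8080):
        print(port, compare_service_settings(Flow("http-video", port)))
```

Running it shows the middle ground: an explicit tcp/80 + tcp/443 service allows the decrypted flow on 443 while still denying the same App-ID on an arbitrary port such as 8080, which Service=any would let through.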
@gwesson you are correct, we could just change the service to any, but this is a security compromise as we do have multiple applications in this rule.
The reason we are using application-default is we need to specify the ports to adhere to our security requirements.
@Otakar.Klier you are also correct, as we currently have rules to allow these applications over port 443, but these rules are becoming cumbersome to manage.
Update: also I am told these 2 feature requests might be the fix.
FR ID: 2636, this is to dynamically update the port information and allow the traffic.
FR ID: 3914, Ability to Clone an existing App-ID (not custom) and change name and ports.
Anyone else want to get their SE to put in a vote for these?