unauthorized application goes to specific rule

L3 Networker

unauthorized application goes to specific rule

Hello,

I have defined a rule that allows pings (using the "ping" application). However, there are lots of other applications that flow through this rule, even "web-browsing"!

How is this possible?

Regards,

Laurent

L4 Transporter

Re: unauthorized application goes to specific rule

Hi Laurent,

You should not see web-browsing as an application that uses the same security rule as the one set for allowing pings.

If you want to block everything except ping, you may keep an explicit deny rule at the bottom.

Thanks

Parth

L3 Networker

Re: unauthorized application goes to specific rule

Hello,

Thanks for your help.

I want to know why I have other applications that are matched by my ping rule. See printscreen attached.

Regards,

Laurent

L6 Presenter

Re: unauthorized application goes to specific rule

Looking at your traffic log and the rule I would advise you to open a case with support. This merits closer examination.

Thank you,

Benjamin

L4 Transporter

Re: unauthorized application goes to specific rule

Hi Laurent,

Can you change the service to use application-default and the application to ping, and see what results you get?

You can set an application and then "any" service, our App-ID engine will filter based on application regardless of ports. Also, most applications have an "application default" option for service. For instance, if you set application "ssl" and selected "application default" for service, it would only allow the ssl application on port 443. If it detected ssl traffic on an irregular port it would not be processed under that rule. Likewise, if you set application to "any", you could then specify services and it would only apply the policy to those services (ports) regardless of application.

Also, I see that the following IP addresses come from the same zone, XDMZ. Is this the intended setup?

Logs show

(1) 10.120.134.28 that uses application SiteScope Jmx collection

(2) 10.120.120.56 that uses application ping

(3) 145.232.250.140/141 that uses web-browsing

Thanks

Parth
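As an added illustration of the three rule forms Parth describes above (this is example code written for this thread, not the vendor's policy engine or anything posted by the participants), the following Python model evaluates a flow against rules whose service is "any", "application-default", or an explicit port set. The default ports (ssl on tcp/443, web-browsing on tcp/80, ping as ICMP with no port), the zone names other than XDMZ, and the flows are constructed for the example; the policy at the bottom borrows the rule names quoted later in the thread. The model only evaluates a flow on its final App-ID result, so it shows the intended semantics of each setting rather than what happens before the application is identified.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

# Simplified model of how a PAN-OS security rule's "application" and
# "service" fields combine. Written as an illustration for this thread,
# not the vendor's engine: it evaluates a flow on its final App-ID result
# only and ignores the pre-identification phase and rule attributes not
# shown here (users, addresses, URL categories, ...).

# Assumed "application-default" ports for the example. Ping is ICMP, so
# it has no port at all.
APP_DEFAULT_SERVICE = {
    "ssl": {("tcp", 443)},
    "web-browsing": {("tcp", 80)},
    "ping": {("icmp", None)},
}

# "any" | "application-default" | explicit set of (proto, port)
Service = Union[str, FrozenSet[Tuple[str, Optional[int]]]]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]
    app: str  # application as identified by App-ID


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str          # "any" or a zone name
    dst_zone: str
    apps: FrozenSet[str]   # frozenset({"any"}) or explicit application names
    service: Service
    action: str            # "allow" or "deny"


def zone_matches(rule_zone: str, flow_zone: str) -> bool:
    return rule_zone == "any" or rule_zone == flow_zone


def app_matches(rule: Rule, flow: Flow) -> bool:
    return "any" in rule.apps or flow.app in rule.apps


def service_matches(rule: Rule, flow: Flow) -> bool:
    if rule.service == "any":
        # Port is ignored; only the identified application decides.
        return True
    if rule.service == "application-default":
        # Only the identified application on its own standard port(s).
        return (flow.proto, flow.dport) in APP_DEFAULT_SERVICE.get(flow.app, set())
    # Explicit service objects: the port decides, whatever the application is.
    return (flow.proto, flow.dport) in rule.service


def first_match(rules, flow):
    """Return (rule name, action) of the first matching rule, or None."""
    for rule in rules:
        if (zone_matches(rule.src_zone, flow.src_zone)
                and zone_matches(rule.dst_zone, flow.dst_zone)
                and app_matches(rule, flow)
                and service_matches(rule, flow)):
            return rule.name, rule.action
    return None


ANY = frozenset({"any"})

# The three rule forms from the explanation above, each as a one-rule policy.
SSL_APP_DEFAULT = Rule("ssl-default", "any", "any", frozenset({"ssl"}), "application-default", "allow")
SSL_ANY_SERVICE = Rule("ssl-anyport", "any", "any", frozenset({"ssl"}), "any", "allow")
ANY_APP_TCP443 = Rule("tcp443-anyapp", "any", "any", ANY, frozenset({("tcp", 443)}), "allow")

# A constructed policy in the shape the thread discusses: ping rule first,
# a broad allow from XDMZ after it, and an explicit deny at the bottom.
PING_POLICY = [
    Rule("Keep_Alive_CSS", "XDMZ", "any", frozenset({"ping"}), "application-default", "allow"),
    Rule("ALLOW ANY FROM XDMZ", "XDMZ", "any", ANY, "any", "allow"),
    Rule("deny-all", "any", "any", ANY, "any", "deny"),
]


def demo():
    # Constructed flows; "INSIDE" is an assumed destination zone.
    ssl_443 = Flow("XDMZ", "INSIDE", "tcp", 443, "ssl")
    ssl_8443 = Flow("XDMZ", "INSIDE", "tcp", 8443, "ssl")
    web_443 = Flow("XDMZ", "INSIDE", "tcp", 443, "web-browsing")
    ping = Flow("XDMZ", "INSIDE", "icmp", None, "ping")
    return {
        "ssl_443_app_default": first_match([SSL_APP_DEFAULT], ssl_443),
        "ssl_8443_app_default": first_match([SSL_APP_DEFAULT], ssl_8443),
        "ssl_8443_any_service": first_match([SSL_ANY_SERVICE], ssl_8443),
        "web_443_any_app_tcp443": first_match([ANY_APP_TCP443], web_443),
        "ssl_8443_any_app_tcp443": first_match([ANY_APP_TCP443], ssl_8443),
        "ping_in_policy": first_match(PING_POLICY, ping),
        "web_in_policy": first_match(PING_POLICY, web_443),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model, web-browsing from XDMZ never hits the ping rule; it falls through to the broad allow, which is why an explicit deny at the bottom only helps if no earlier "any any allow" catches the traffic first.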

L3 Networker

Re: unauthorized application goes to specific rule

Hi Parth,

Indeed, when setting service to "application-default" it's much better. No more heterogeneous traffic. The only other traffic I get is "incomplete".

Thanks for your help.

However I don't really understand why application signature was not sufficient in this case...

Regards,

Laurent

L0 Member

Re: unauthorized application goes to specific rule

Hi,

Do you have any news on that topic?

We experienced the same issue here in 4.1.6 version.

regards,

Joseph

L6 Presenter

Re: unauthorized application goes to specific rule

Are my eyes playing with me, or isn't the second to last rule basically an "any any allow" (which would explain why traffic is let through), looking at the picture provided by ?

L0 Member

Re: unauthorized application goes to specific rule

Yes, but the rule which is matched in the log is the ping one.

L6 Presenter

Re: unauthorized application goes to specific rule

Ahh :-)

What if you 1) ping 2) do some web-browsing (or whatever) from a srcip which belongs to grp-cisco-css towards a dstip which belongs to grp-addi-web?

Will the traffic log then (for the 2nd case above) display "Keep_Alive_CSS" as rulehit or "ALLOW ANY FROM XDMZ" (or whatever the rules are named in your case)?

I'm thinking that the compiler incorrectly merged (by optimization) the "any any allow" rule with the first occurrence where this srcip/dstip combo exists (like some inverse shadow rule), so the wrong rulehit is displayed (I mean security-wise it's correct, because you do have an "any any accept" (which in most cases is bad), but the incorrect rule is being blamed for why traffic was let through)?
