I have defined a rule that allows pings (using the "ping" application). However, there are a lot of other applications that flow through this rule, even "web-browsing"!!!
How is this possible?
You should not see web-browsing as an application that uses the same security rule as the one set for allowing pings.
If you want to block everything except ping, you may keep an explicit deny rule at the bottom.
Looking at your traffic log and the rule I would advise you to open a case with support. This merits closer examination.
Can you change the service to use application-default and the application to ping, and try to see what results you get?
You can set an application and then "any" service, our App-ID engine will filter based on application regardless of ports. Also, most applications have an "application default" option for service. For instance, if you set application "ssl" and selected "application default" for service, it would only allow the ssl application on port 443. If it detected ssl traffic on an irregular port it would not be processed under that rule. Likewise, if you set application to "any", you could then specify services and it would only apply the policy to those services (ports) regardless of application.
Also, I see that the following IP addresses come from the same zone XDMZ. Is this the intended setup?
(1) 10.120.134.28 that uses application SiteScope Jmx collection
(2) 10.120.120.56 that uses application ping
(3) 220.127.116.11/141 that uses web-browsing
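The first-match and application-default behaviour described in the replies above, modelled as an added Python illustration (this is not PAN-OS code and not from anyone in this thread). The default app/port table, the "Allow-SSL" rule and the sample flows are constructed assumptions; the rule names Keep_Alive_CSS and ALLOW ANY FROM XDMZ and the zone XDMZ are taken from the thread.

```python
# Simplified first-match model of a zone-based security policy with App-ID and
# the "application-default" service. Added illustration, not PAN-OS code; the
# default app/port table below is a constructed subset.
APP_DEFAULT_PORTS = {
    "ping": {("icmp", 0)},
    "ssl": {("tcp", 443)},
    "web-browsing": {("tcp", 80), ("tcp", 8080)},
}

def rule(name, src_zone, apps, service, action):
    return {"name": name, "src_zone": src_zone, "apps": apps,
            "service": service, "action": action}

def service_matches(r, flow):
    """'any' ignores ports; 'application-default' requires the port the
    identified application normally uses; otherwise an explicit port set."""
    key = (flow["proto"], flow["dport"])
    if r["service"] == "any":
        return True
    if r["service"] == "application-default":
        return key in APP_DEFAULT_PORTS.get(flow["app"], set())
    return key in r["service"]

def rule_matches(r, flow):
    return (r["src_zone"] in ("any", flow["src_zone"])
            and ("any" in r["apps"] or flow["app"] in r["apps"])
            and service_matches(r, flow))

def first_match(policy, flow):
    """Top-down, first match wins; no match falls to the implicit deny."""
    for r in policy:
        if rule_matches(r, flow):
            return r["name"], r["action"]
    return "implicit-deny", "deny"

# Rule names follow the thread; "Allow-SSL" is a constructed extra rule.
PING_RULE = rule("Keep_Alive_CSS", "XDMZ", {"ping"}, "any", "allow")
SSL_RULE = rule("Allow-SSL", "XDMZ", {"ssl"}, "application-default", "allow")
ANY_ANY = rule("ALLOW ANY FROM XDMZ", "XDMZ", {"any"}, "any", "allow")
EXPLICIT_DENY = rule("Deny-All", "any", {"any"}, "any", "deny")
WITH_ANY_ANY = [PING_RULE, SSL_RULE, ANY_ANY, EXPLICIT_DENY]
WITHOUT_ANY_ANY = [PING_RULE, SSL_RULE, EXPLICIT_DENY]

FLOWS = {  # constructed sample flows, all sourced from zone XDMZ
    "ping": {"src_zone": "XDMZ", "app": "ping", "proto": "icmp", "dport": 0},
    "web": {"src_zone": "XDMZ", "app": "web-browsing", "proto": "tcp", "dport": 80},
    "ssl-443": {"src_zone": "XDMZ", "app": "ssl", "proto": "tcp", "dport": 443},
    "ssl-8443": {"src_zone": "XDMZ", "app": "ssl", "proto": "tcp", "dport": 8443},
}

def evaluate(policy):
    """Map each sample flow to the (rule name, action) it would hit."""
    return {label: first_match(policy, f) for label, f in FLOWS.items()}
```

Running `evaluate(WITH_ANY_ANY)` shows web-browsing and ssl on a non-default port being let through by the any-any rule rather than the ping rule, while `evaluate(WITHOUT_ANY_ANY)` sends both to the explicit deny.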
Indeed, when setting service to "application-default" it's much better. No more heterogeneous traffic. The only other traffic I get is "incomplete".
Thanks for your help.
However I don't really understand why application signature was not sufficient in this case...
Are my eyes playing with me, or isn't the second-to-last rule basically an "any any allow" (which would explain why traffic is let through), looking at the picture provided by ldormond Nov 11, 2011 10:45 AM?
What if you 1) ping 2) do some web-browsing (or whatever) from a srcip which belongs to grp-cisco-css towards a dstip which belongs to grp-addi-web?
Will the traffic log then (for the 2nd case above) display "Keep_Alive_CSS" as rulehit or "ALLOW ANY FROM XDMZ" (or whatever the rules are named in your case)?
I'm thinking that the compiler incorrectly merged (by optimization) the "any any allow" rule with the first occurrence where this srcip/dstip combo exists (like some inverse shadow rule), so the wrong rulehit is displayed (I mean security-wise it's correct because you do have an "any any accept" (which in most cases is bad), but the incorrect rule is being blamed for why traffic was let through)?