PBF rule for SSL and web-browsing applications not working

16767
Created On 09/26/18 19:16 PM - Last Modified 06/12/23 20:40 PM

Issue

A Policy-Based Forwarding (PBF) rule is configured to forward the "SSL" and "web-browsing" applications to a specific destination. Despite the rule, some port 80 traffic still leaves via the default route instead of the PBF path.

Cause

PBF does not combine well with applications as match criteria, because PBF policy is evaluated on the initial packets of a session, when the application is still unknown. Use service as the match criterion instead whenever the application runs on standard ports or the ports it uses are known.

PAN-OS adds application matching to PBF through "App-ID caching." With App-ID caching, a PBF rule can reference an application. The first time that application passes through the firewall, the firewall does not yet know what the application is, so the PBF rule is not applied. As more packets arrive, PAN-OS identifies the application and creates an entry in the App-ID cache. The next time a new session is created with the same source IP, destination IP and destination port, PAN-OS assumes it is the same application as the initial session (based on the App-ID cache) and then applies the PBF rule.

Please read the following document for the caveats of this technique: Policy Based Forwarding

Moreover, many web-based applications run over port 80 or SSL. The Palo Alto Networks firewall identifies them as their own specific applications rather than as "web-browsing" or "SSL," so a PBF policy that matches only those two applications is not used for them.

Resolution

  1. Create a PBF policy with the application set to any and the services set to http and https. This covers all applications that run over ports 80 and 443.
  2. Create another PBF rule for the applications SSL and web-browsing with the service set to any. This covers all other sites that run SSL or web-browsing over non-standard ports.
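To make the App-ID caching behaviour and the two-rule resolution concrete, here is an added Python model of PBF evaluation (illustration only, not PAN-OS code; the rule names, the 3-tuple cache key and the sample addresses are constructed, and the model assumes PBF rules are evaluated top-down with the first match winning).

```python
# Added illustration, not Palo Alto Networks code: a minimal model of how an
# app-based PBF rule misses the first session of a new flow, how the App-ID
# cache lets it match later, and how the service-based rule closes the gap.

APP_ID_CACHE = {}  # constructed: (src_ip, dst_ip, dst_port) -> learned application

def cache_key(session):
    return (session["src"], session["dst"], session["dport"])

def known_app(session):
    """The application PBF can see on a session's first packet, or None."""
    return APP_ID_CACHE.get(cache_key(session))

def rule_matches(rule, session, app):
    """A rule matches only if both its application and service criteria hold."""
    app_ok = rule["application"] == "any" or app in rule["application"]
    svc_ok = rule["service"] == "any" or session["dport"] in rule["service"]
    return app_ok and svc_ok

def pbf_lookup(rules, session):
    """Top-down, first match wins; no match means the default route is used."""
    app = known_app(session)
    for rule in rules:
        if rule_matches(rule, session, app):
            return rule["name"]
    return "default-route"

def finish_session(session, actual_app):
    """Once enough packets have arrived, App-ID identifies the app and caches it."""
    APP_ID_CACHE[cache_key(session)] = actual_app

# Rule set from the Issue section: application match only (constructed name).
APP_ONLY = [
    {"name": "pbf-web", "application": {"ssl", "web-browsing"}, "service": "any"},
]

# Rule set from the Resolution section: service rule first, then the app rule.
RESOLVED = [
    {"name": "pbf-std-ports", "application": "any", "service": {80, 443}},
    {"name": "pbf-web", "application": {"ssl", "web-browsing"}, "service": "any"},
]
```

Run the first session of a flow against `APP_ONLY` and it lands on the default route; the same flow against `RESOLVED` matches the service rule immediately, while a non-standard port still relies on the cached App-ID.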

owner: jteetsel



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4ICAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail