This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

any to application default

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

any to application default

jdprovine
L4 Transporter

‎03-29-2016 12:06 PM

We are working on hardening our firewall rules by replacing any to application default(service) and from any to the specific application(application). Example - we changed any to web-application and any to application-default. People hitting the same rule had different results some it didn't work and they weren't able to get to the web page and some could. Didn't matter what browser

0 Likes Likes
11 REPLIES 11

Brandon_Wertz
L6 Presenter

‎03-29-2016 12:21 PM

Application "web-browsing" includes only tcp/80.  Are you seeing denies of those users where it didn't work on ports other than the standard port or are you seeing denies for users to web-browsing over port 80?

 

Were the users that are being denied going to the same URL?

0 Likes Likes

jdprovine
L4 Transporter
In response to Brandon_Wertz

‎03-29-2016 01:15 PM

Yes going to the same url

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to jdprovine

‎03-29-2016 01:17 PM

What does the block log say?  Is it going to the same port?  Is the user apart of the same security groups that the other user(s) are that are working?

 

Maybe they're not hitting the same rule because of group association?

0 Likes Likes

rmonvon
L6 Presenter
In response to jdprovine

‎03-29-2016 07:15 PM

Hi...Please check the traffic & url logs to see what app(s) are being denied.  It is possible that the user is visiting a web page and some of the contents are detected as flash, http-audio, etc.  We need to verify that policies are allowing these apps.  

0 Likes Likes

jdprovine
L4 Transporter
In response to rmonvon

‎03-30-2016 05:57 AM

as I said previously we are all testing with the same url and getting different results on the same browser

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to jdprovine

‎03-30-2016 06:08 AM - edited ‎03-30-2016 06:10 AM

lol...look dude.  We aren't TAC.

 

If you don't wanna share policy/config stuff for OPSEC / Confidentialy reasons fine.  But you've really provided no substantive information with which any of us can make any sort of definitive statements of support.

 

to say..."As I said previously" is tant amount of "look moron...I just said above..."

 

Again, we're just trying to be help.  If you aren't getting what you need here, feel free to open a TAC case.

jdprovine
L4 Transporter
In response to Brandon_Wertz

‎03-30-2016 06:20 AM

I already opened a TAC case

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jdprovine

‎04-01-2016 01:07 PM

if you compare logs between the successful and unsuccessful sessions, are all users hitting the same policy?
is there a generic drop rule set to logging so you can verify if some sessions may not be hitting a policy (the default implied drop-all policy at the end of your rule base does not log, so you may be discarding sessions and not know about it)

if the policy goes "trust - untrust- web-browsing - app-default" the only reason sessions would get blocked using the web server is running (sometimes?) on a non-standard port or the application is identified as something other than web-browsing (might be Facebook or something else for example which would cause the block)


hope this helps
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

mivaldi
L7 Applicator

‎04-01-2016 06:03 PM

Some sites are listed in the HSTS list, which means that even if you're trying to browse to the HTTP site, your browser will force it to go to the HTTPS version, which requires ssl application to be added to the policy.

 

Not all browsers will process HSTS, so different browsers may yield different results. Those that don't push you to HTTPS will work, and you'll fail as long as you don't add application ssl to the list.

0 Likes Likes

jdprovine
L4 Transporter
In response to reaper

‎04-04-2016 11:13 AM

Very interesting thought reaper, it does seem that there is something that is not being identified as the standard port for the site. But its more interesting that two different users can go to the same link on the same browser, one is allowed and one is not. The only other thing I can think of to try is two have the failing user log on to the workings uses laptop and see if he can get to it from there

0 Likes Likes

jdprovine
L4 Transporter
In response to mivaldi

‎04-04-2016 11:15 AM

So you are saying that even thought they are using the same browser and the same thinkg there could still be a slight difference between the browsers enough to have it not recognized by the PA as that port/app. That's going to make it hard to harden some of the firewall settings

0 Likes Likes
  • 3356 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks