08-23-2019 07:11 AM
Hi All,
Were running 7.1.14.
Ive created a rule to allowed ms-rdp to the rule. Ive checked first if ms-rdp has any dependencies, there is none. It implicitly uses cotp and t.120.
So from what i understand from the meaning of Implicitly uses, i only need to allow the main application which is ms-rdp and in turn it will allow implicitly cotp and t1.20. When we did our RDP testing the traffic got blocked with a policy-deny with an application of cotp. Ive added cotp to the rule and the connection worked on upon logging at session end its seeing it as ms-rdp.
So im not sure whether my understanding of the "Implicitly uses" is wrong or is there something else im missing out here.
08-23-2019 10:43 AM
So first off you should really consider upgrading your firewall; your current build is old and has a number of security vulnerabilities that you'd want patched. Second, your initial thought on Implicit is correct, you don't need to include cotp or t.120 to get this to work correctly.
As to why it's not getting identified correctly, my immediately jump to the following:
1) What's your content version? I recall ms-rdp being updated recently, so it may be that your signature has gotten too old and the firewall can no longer identify the traffic properly.
2) Are you utilizing default ports? If you utilize non-standard ports cotp is going to fall under application-default due to it utilizing dynamic ports, md-rdp is only going to get identified properly when operating on 3389.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
