App-ID Windows-Remote-Managment showing as Web-Browsing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

App-ID Windows-Remote-Managment showing as Web-Browsing

L4 Transporter

We recently upgraded to 10.1.5-h1 and it appears after the upgrade the Windows-Remote-Managment traffic over tcp5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?

2 accepted solutions

Accepted Solutions

L4 Transporter

Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.

View solution in original post

We are facing the same issues with 10.1.6. We are using windows-remote-management and application-default. Were you able to find any resolution?

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

I am not aware of this issue.  Maybe a reboot or a delete and reinstall of the dynamic update again. I am not aware of any documented modifications to the AppID signature.  Additional tshooting is needed.

Help the community: Like helpful comments and mark solutions

L0 Member

Hello,

 

Same issue here with the 10.1.5-h2 update.

L4 Transporter

I have opened a TAC case on this issue and will update the thread if/when I hear back.
As a work around I added "web-browsing" to the policy but kept the specified service port tcp/5985 and 5986. This resolved the issue AND the traffic started passing/identifying as "Windows-Remote-Management". Web-browsing is an IMPLIED application for Windows-Remote-Management but this behavior looks to be that relationship has changed and now is DEPENDENT on Web-browsing. I did not find any app-updates that would have caused/mentioned this and panorama/applipidea doesn't flag web-browsing as dependent for Windows-Remote-Management.

L4 Transporter

Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.

Thank you for the update!

L1 Bithead

I'm using 10.1.6 recently upgraded the software, we are using this application windows-remote-management with service as application default but still it is not working traffic is getting identified as web-browsing on port tcp-5985 and it is getting deny.

for temporary we added another rule and allowed web-browsing on this port , but we don't want to create any other rule because there is more than 100 rules with this application  

We are facing the same issues with 10.1.6. We are using windows-remote-management and application-default. Were you able to find any resolution?

  • 2 accepted solutions
  • 4232 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!