App-ID Windows-Remote-Management showing as Web-Browsing


L4 Transporter

We recently upgraded to 10.1.5-h1, and it appears that after the upgrade the Windows-Remote-Management traffic over tcp/5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and are presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?

Accepted Solutions

L4 Transporter

Closing the loop on this issue. After working with TAC, there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 App-ID with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific TCP ports listed, and removed web-browsing, leaving just windows-remote-management. This resolved the issue, and I will plan on an upgrade in the near future to 10.1.6.


Cyber Elite

I am not aware of this issue. Maybe a reboot or a delete and reinstall of the dynamic update again. I am not aware of any documented modifications to the AppID signature. Additional troubleshooting is needed.

Help the community: Like helpful comments and mark solutions

L0 Member

Hello,

Same issue here with the 10.1.5-h2 update.

L4 Transporter

I have opened a TAC case on this issue and will update the thread if/when I hear back.
As a workaround I added "web-browsing" to the policy but kept the specified service ports tcp/5985 and 5986. This resolved the issue AND the traffic started passing/identifying as "Windows-Remote-Management". Web-browsing is an IMPLIED application for Windows-Remote-Management, but it looks like that relationship has changed and it is now DEPENDENT on Web-browsing. I did not find any app updates that would have caused/mentioned this, and Panorama/Applipedia doesn't flag web-browsing as dependent for Windows-Remote-Management.

Thank you for the update!
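
To find other rules that match the condition described in this thread (specific App-IDs combined with explicit service ports instead of "application-default"), an exported rulebase can be audited offline. The script below is an added example, not code from the thread or from Palo Alto Networks; the rule names and service object names are constructed, and it assumes the `entry`/`application`/`service`/`member` layout of a PAN-OS XML configuration export.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS security rulebase export.
SAMPLE_CONFIG = """
<security><rules>
  <entry name="winrm-explicit-ports">
    <application><member>windows-remote-management</member></application>
    <service><member>svc-tcp-5985</member><member>svc-tcp-5986</member></service>
  </entry>
  <entry name="winrm-workaround">
    <application><member>windows-remote-management</member><member>web-browsing</member></application>
    <service><member>svc-tcp-5985</member></service>
  </entry>
  <entry name="winrm-app-default">
    <application><member>windows-remote-management</member></application>
    <service><member>application-default</member></service>
  </entry>
  <entry name="port-only">
    <application><member>any</member></application>
    <service><member>svc-tcp-5985</member></service>
  </entry>
</rules></security>
"""

def members(entry, tag):
    """Return the <member> values under entry/<tag>."""
    return [m.text.strip() for m in entry.findall(f"./{tag}/member") if m.text]

def audit_rules(xml_text):
    """Map rule name -> finding for rules pairing specific App-IDs with explicit services."""
    findings = {}
    for entry in ET.fromstring(xml_text).findall(".//rules/entry"):
        apps, services = members(entry, "application"), members(entry, "service")
        if not apps or "any" in apps:
            continue  # port-based rule (or not a security rule): no App-ID match involved
        explicit = [s for s in services if s not in ("application-default", "any")]
        if not explicit:
            continue  # already uses application-default (or any), as in the accepted fix
        note = "App-ID with explicit service ports: " + ", ".join(explicit)
        if "web-browsing" in apps and len(apps) > 1:
            note += " (web-browsing also allowed; possible workaround to revisit)"
        findings[entry.get("name")] = note
    return findings

if __name__ == "__main__":
    for rule, note in audit_rules(SAMPLE_CONFIG).items():
        print(f"{rule}: {note}")
```

Rules flagged with the web-browsing note are worth reviewing after the upgrade, since that extra application allows more than WinRM on the listed ports.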
