05-18-2022 07:56 AM
We recently upgraded to 10.1.5-h1 and it appears after the upgrade the Windows-Remote-Managment traffic over tcp5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?
05-25-2022 05:37 AM
Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.
09-08-2022 08:43 AM
We are facing the same issues with 10.1.6. We are using windows-remote-management and application-default. Were you able to find any resolution?
05-19-2022 07:14 PM
I am not aware of this issue. Maybe a reboot or a delete and reinstall of the dynamic update again. I am not aware of any documented modifications to the AppID signature. Additional tshooting is needed.
05-24-2022 12:21 AM
Hello,
Same issue here with the 10.1.5-h2 update.
05-24-2022 08:59 AM
I have opened a TAC case on this issue and will update the thread if/when I hear back.
As a work around I added "web-browsing" to the policy but kept the specified service port tcp/5985 and 5986. This resolved the issue AND the traffic started passing/identifying as "Windows-Remote-Management". Web-browsing is an IMPLIED application for Windows-Remote-Management but this behavior looks to be that relationship has changed and now is DEPENDENT on Web-browsing. I did not find any app-updates that would have caused/mentioned this and panorama/applipidea doesn't flag web-browsing as dependent for Windows-Remote-Management.
05-25-2022 05:37 AM
Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.
06-03-2022 02:27 AM
Thank you for the update!
08-10-2022 10:03 AM
I'm using 10.1.6 recently upgraded the software, we are using this application windows-remote-management with service as application default but still it is not working traffic is getting identified as web-browsing on port tcp-5985 and it is getting deny.
for temporary we added another rule and allowed web-browsing on this port , but we don't want to create any other rule because there is more than 100 rules with this application
09-08-2022 08:43 AM
We are facing the same issues with 10.1.6. We are using windows-remote-management and application-default. Were you able to find any resolution?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
