05-18-2022 07:56 AM
We recently upgraded to 10.1.5-h1 and it appears that after the upgrade the Windows-Remote-Management traffic over tcp/5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and are presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?
05-25-2022 05:37 AM
Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.
09-08-2022 08:43 AM
We are facing the same issues with 10.1.6. We are using windows-remote-management and application-default. Were you able to find any resolution?
05-19-2022 07:14 PM
I am not aware of this issue. Maybe try a reboot, or delete and reinstall the dynamic update again. I am not aware of any documented modifications to the App-ID signature. Additional troubleshooting is needed.
05-24-2022 12:21 AM
Hello,
Same issue here with the 10.1.5-h2 update.
05-24-2022 08:59 AM
I have opened a TAC case on this issue and will update the thread if/when I hear back.
As a workaround I added "web-browsing" to the policy but kept the specified service ports tcp/5985 and 5986. This resolved the issue AND the traffic started passing/identifying as "Windows-Remote-Management". Web-browsing is an IMPLIED application for Windows-Remote-Management, but it looks like that relationship has changed and it is now DEPENDENT on Web-browsing. I did not find any app-updates that would have caused/mentioned this, and Panorama/Applipedia doesn't flag web-browsing as dependent for Windows-Remote-Management.
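The condition TAC identified in this thread (a rule that matches on App-ID but lists specific service ports instead of "application-default") can be searched for in an exported configuration before or after an upgrade. The Python below is an added example, not code from any poster or from Palo Alto Networks; the sample XML is constructed, its rule and service-object names are hypothetical, and it assumes the usual security/rules/entry layout of a PAN-OS XML config.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS XML rulebase (not a real export).
# Rule names and service-object names are hypothetical.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="winrm-explicit-ports">
    <application><member>windows-remote-management</member></application>
    <service><member>svc-tcp-5985</member><member>svc-tcp-5986</member></service>
  </entry>
  <entry name="winrm-app-default">
    <application><member>windows-remote-management</member></application>
    <service><member>application-default</member></service>
  </entry>
  <entry name="port-only">
    <application><member>any</member></application>
    <service><member>svc-tcp-8443</member></service>
  </entry>
  <entry name="old-winrm-disabled">
    <application><member>windows-remote-management</member></application>
    <service><member>svc-tcp-5985</member></service>
    <disabled>yes</disabled>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def members(rule, tag):
    """Return the <member> values under a rule's <application> or <service>."""
    return [m.text.strip() for m in rule.findall(f"{tag}/member") if m.text]

def rules_with_appid_and_explicit_service(xml_text):
    """List enabled rules that name an application AND explicit service objects."""
    findings = []
    # Matches rulebase, pre-rulebase and post-rulebase security rules.
    for rule in ET.fromstring(xml_text).findall(".//security/rules/entry"):
        if rule.findtext("disabled", "no").strip() == "yes":
            continue
        apps, services = members(rule, "application"), members(rule, "service")
        uses_app_id = bool(apps) and "any" not in apps
        explicit = [s for s in services if s not in ("application-default", "any")]
        if uses_app_id and explicit:
            findings.append((rule.get("name"), apps, explicit))
    return findings

if __name__ == "__main__":
    for name, apps, services in rules_with_appid_and_explicit_service(SAMPLE_CONFIG):
        print(f"{name}: apps={apps} services={services}")
```

Each rule it reports is a candidate for review against the behaviour described in this thread.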