application any not actually "any"



I have a simple virtual wire installation here, just testing policies.  I have a policy that is:

source: inside
destination: outside
application: any
service: application default

 

I attempted to connect to gmail through Outlook with IMAP and was being blocked.  Logs showed application of "insufficient-data" and "incomplete" with session end reason "tcp-rst-from-server".

 

I then created another near-identical policy with the only difference being application is "gmail-base".  I placed it above the original (see screenshot)

 

With this new policy added I am able to connect to gmail through Outlook with IMAP. The policies are otherwise identical. I'm now seeing application "gmail-base" and "yahoo-mail-base" in the traffic logs. If I disable the gmail-base policy I can no longer connect to any IMAP server over port 993.


I can connect to both imap.gmail.com and imap.mail.yahoo.com with the openssl client: openssl.exe s_client -connect imap.mail.yahoo.com:993 with the policy enabled.

 

I then made a URL Category object containing imap.gmail.com and smtp.gmail.com and added it to the service/category page on the policy that had gmail-base but was still able to connect to imap.mail.yahoo.com with the openssl client.

 

So, I guess I have two questions:

 

1. Why does application:any not allow IMAP but application:gmail-base does allow it?
2. Shouldn't the URL Category object containing only gmail domains prevent me from connecting to imap.mail.yahoo.com?

 

[Screenshot: 2021-06-29 11_24_11-fw1.png]

 

edited to add that this is a PA-220 running 8.1.13
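A small log-triage helper, added here as an example and not part of the original post: it reads a traffic-log export and picks out sessions the policy allowed but App-ID never classified before the server reset them (application "incomplete" or "insufficient-data" with end reason "tcp-rst-from-server", the pattern described above), then counts them per rule and destination port. The column names and the sample rows are constructed assumptions; map them to your own export's fields.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the shape of a PAN-OS traffic-log CSV export.
# Field names and addresses (RFC 5737 documentation ranges) are assumptions.
SAMPLE_LOG = """receive_time,src,dst,dport,app,action,rule,session_end_reason
2021/06/29 11:20:01,192.0.2.5,198.51.100.10,993,incomplete,allow,allow-any,tcp-rst-from-server
2021/06/29 11:20:03,192.0.2.5,198.51.100.10,993,insufficient-data,allow,allow-any,tcp-rst-from-server
2021/06/29 11:21:10,192.0.2.5,198.51.100.20,993,insufficient-data,allow,allow-any,tcp-rst-from-server
2021/06/29 11:25:40,192.0.2.5,198.51.100.10,993,gmail-base,allow,allow-gmail,tcp-fin
2021/06/29 11:25:41,192.0.2.5,198.51.100.20,993,yahoo-mail-base,allow,allow-gmail,tcp-fin
2021/06/29 11:26:00,192.0.2.5,203.0.113.30,443,web-browsing,allow,allow-any,tcp-fin
2021/06/29 11:26:05,192.0.2.5,203.0.113.40,22,incomplete,allow,allow-any,aged-out
"""

# App-ID values meaning "not enough of the flow was seen to identify it".
UNIDENTIFIED = {"incomplete", "insufficient-data"}


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reset_before_appid(rows):
    """Allowed sessions that the server reset before App-ID classified them.

    Other end reasons (aged-out, tcp-fin) are deliberately excluded: the
    thread's symptom is specifically a server-side RST on an allowed rule.
    """
    return [r for r in rows
            if r["action"] == "allow"
            and r["app"] in UNIDENTIFIED
            and r["session_end_reason"] == "tcp-rst-from-server"]


def summarize_by_rule_port(rows):
    """Count those sessions per (rule, destination port) so the affected
    rule and service stand out."""
    return Counter((r["rule"], r["dport"]) for r in reset_before_appid(rows))


if __name__ == "__main__":
    rows = load(SAMPLE_LOG)
    for (rule, port), n in summarize_by_rule_port(rows).most_common():
        print(f"{rule} -> port {port}: {n} unidentified session(s) reset by server")
```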


I'm on the latest AV and threat definitions, I believe:

AV: 3762-4273
Threat: 8422-6787

 

The URL filtering is just a curiosity - I really don't care if anyone uses imap to read yahoo mail, I was just surprised to see it pop up after enabling the gmail application.

Hey @vsys_remo ,

I know the FW will use the cert CN as the URL if traffic is encrypted, but I got the impression this is only valid for web-based traffic.

 

So far I have not used it (in production) to restrict anything other than web traffic (only in lab environments), but I can confirm it works generally, and I also have logs in the URL log from SMTPS, IMAPS and FTPS connections.
