I am attempting to implement the best practice internet gateway in the 7.1 admin guide. One of the steps toward the end is creating temporary tuning rules to see what applications are communicating over non-standard ports. I have a rule above the tuning rules allowing web-browsing and ssl over "application-default". I was surprised at the amount of traffic that was hitting these temp rules. Having trouble understanding the logic. Why would browsing to applipedia.paloaltonetworks.com show as application "web-browsing" to port 443?
We do have outbound SSL decryption on. See log attached.
Thanks for your time
There is a rule below all of my user rules that specifies access for certain people with just the service being defined as http/https. I will say that I did look through my logs yesterday and 99% of our web-browsing is all just the ssl,web-browsing rule. Only the technology service bureau here actually has access to anything that doesn't fall under the ssl,web-browsing rule and it has never been an issue. However, we also don't decrypt any of the traffic for this facility so most applications never get identified.
I want a simpler approach to policy mgmt. I am experimenting with just having one rule that allows all risk 1-4 apps. Above that I block all risk 5 apps. Then above that just have individual allow/block rules for stuff that needs "special" consideration, i.e. smtp for allowed senders/svrs, dns to specific safe dns, blocking risk 1-4 apps that we have no use for etc.