I have just found the time to start learning about our new firewall. As a test I have tried creating a policy for blocking bittorrent traffic, but it seems to have only limited effect. Transmission still happily downloads the torrent although I can see from the logs in the firewall that at least some of the traffic is being denied.
Am I doing something wrong or is the application id simply not capable of correctly identifying all bittorrent traffic?
You should have gotten a dependency error when committing. I believe bittorrent also needs web-browsing and ssl.
I bet some of the traffic is being classified as different apps in the logs. I would build an application filter using:
That should cover all of the various bittorrent apps like ares, kazaa, and even generic-p2p apps. Plus, if Palo Alto ever adds another bittorrent app in their app/content releases, the app will automatically be added to your policy.
I tried your suggestion on building the application filter, but unfortunately the result is much the same. It still can't identify all the bittorrent traffic. I think the traffic that is missed is classified as 'unknown-tcp' and 'incomplete'.
I still don't get any dependency errors when committing the filters. Should I?
Now we are getting somewhere. If you are seeing insufficient-data in the log, that means the firewall did not collect enough packets to determine what the application was. For unknown-tcp, you might want to take a packet capture and submit that to Palo Alto Support. Maybe they need to adjust the decoder for bittorrent traffic.
You may or may not get a dependency error. I haven't created a bittorrent policy since PAN OS 3.0.
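As an added example (not from this thread and not Palo Alto's own tooling), here is a small Python script that does the triage the reply above describes: it reads traffic log rows, counts sessions per App-ID and action, and totals the allowed traffic that the firewall left as unknown-tcp, unknown-udp, incomplete or insufficient-data, per source host. The CSV layout is an assumed, simplified subset of traffic-log columns, and the log rows are constructed; a real export has many more fields, so map the `app`, `action`, `src` and `bytes` columns to their real names before using it.

```python
"""Triage PAN-OS-style traffic logs for application-ID gaps.

Added example; not from the thread or from Palo Alto. The CSV layout is a
constructed, simplified subset of traffic-log columns (assumption), not the
full export format.
"""
import csv
import io
from collections import Counter, defaultdict

# App-IDs that mean "the firewall could not decide what this flow was".
# A bittorrent deny rule never matches these, so allowed flows under them
# are the ones to look at when a torrent client keeps downloading.
UNCLASSIFIED_APPS = {"unknown-tcp", "unknown-udp", "incomplete", "insufficient-data"}

# Constructed sample log: one torrent client (10.0.0.5) behind a rule that
# denies the bittorrent App-ID. Two flows are denied; others pass unlabelled.
SAMPLE_LOG = """receive_time,src,dst,app,action,bytes
2024/01/01 10:00:01,10.0.0.5,203.0.113.10,bittorrent,deny,1200
2024/01/01 10:00:02,10.0.0.5,203.0.113.11,bittorrent,deny,900
2024/01/01 10:00:03,10.0.0.5,203.0.113.12,unknown-tcp,allow,48000
2024/01/01 10:00:04,10.0.0.5,203.0.113.13,incomplete,allow,0
2024/01/01 10:00:05,10.0.0.5,203.0.113.14,insufficient-data,allow,2400
2024/01/01 10:00:06,10.0.0.5,203.0.113.15,unknown-udp,allow,36000
2024/01/01 10:00:07,10.0.0.5,198.51.100.7,web-browsing,allow,5000
"""


def parse_traffic_log(text):
    """Parse CSV text into a list of dicts, converting 'bytes' to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def app_action_counts(rows):
    """Count sessions per (app, action) pair, e.g. ('bittorrent', 'deny')."""
    return Counter((r["app"], r["action"]) for r in rows)


def unclassified_allowed(rows):
    """Return (session_count, total_bytes) for allowed flows that the
    firewall could not classify, i.e. traffic the deny rule never saw."""
    hits = [r for r in rows
            if r["app"] in UNCLASSIFIED_APPS and r["action"] == "allow"]
    return len(hits), sum(r["bytes"] for r in hits)


def leak_report(rows):
    """Per source host, bytes allowed under each unclassified App-ID.
    Hosts with a large unknown-tcp/unknown-udp volume are the ones worth
    capturing packets from before opening a support case."""
    report = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["app"] in UNCLASSIFIED_APPS and r["action"] == "allow":
            report[r["src"]][r["app"]] += r["bytes"]
    return {src: dict(apps) for src, apps in report.items()}


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    for (app, action), n in sorted(app_action_counts(rows).items()):
        print(f"{app:18} {action:6} {n}")
    sessions, total = unclassified_allowed(rows)
    print(f"unclassified allowed: {sessions} sessions, {total} bytes")
    for src, apps in leak_report(rows).items():
        print(src, apps)
```

Run it against an exported log with the same columns and the `leak_report` output tells you whether the client's traffic is really escaping as unknown-tcp (worth a packet capture for support) or as incomplete/insufficient-data (handshakes that never carried enough payload to identify, which is normal noise).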
Another factor that could be clouding the issue is that if you have started a download prior to the device or blocking policy being inline, the client will have the ability to use that existing info to connect out to those peers. Particularly with encryption enabled on the client, this will make it very difficult to block. You should have success in blocking as long as we are in place with a blocking rule at the time the initial download occurs.