blocking unknown tcp and udp


L4 Transporter

The 2017 Palo Alto Networks best practices recommend blacklisting/blocking unknown-tcp and udp; my first thought is, has something changed since this article?

https://live.paloaltonetworks.com/t5/Management-Articles/Pro-Tips-Unknown-Applications/ta-p/77052


If it calls it unknown because it doesn't have enough information to identify it, is it a good idea to block it? It might be something that shouldn't be blocked but the PA just doesn't recognize it.


Cyber Elite

@jdprovine,

This depends on your environment and how much disruption your org is okay with. Verify via your traffic logs how much unknown-tcp/udp traffic you are actually seeing and make your call on that.

@BPry

I think it is a bad idea in a University setting. I think the coworker who suggested it saw unknown as not a real application but junk. I see it as an application that the PA just doesn't recognize. Blocking unknown-tcp and udp is too broad-reaching for my situation. I am not sure what environment you would be able to do it in.

@jdprovine,

Most environments would be able to enable this with little recourse to be honest, which is why it's a recommendation. What it doesn't really tell you in the recommendation is that you have to actually go through and identify the legitimate traffic and build out a signature for it prior to actually enabling it.

This is one of those settings that is recommended, but you have to put in a little bit of leg work to get to the point where you can really enable it. In a university setting it may be harder to enable across the network simply because you likely have students building things out that obviously wouldn't be known or using strange ports for common tasks. However, on a 'staff' segment for example, or on a 'server' segment, you would absolutely be able to enable this, as long as you've done the leg work to get to a point where you aren't going to break production traffic.

@BPry


Yes, I agree. We might be able to do it on a more narrow basis, but not as broad as the whole network, especially without figuring out what is good and what is junk traffic.

@BPry

Sounds like a very big job at a university to try to figure out what all the real application traffic is and make custom App-IDs for it, and it seems like it could rapidly change.

@jdprovine,

If you wanted to do it across the entire organization, it certainly would be. I think you would find it relatively easy to do within the Staff and Server segments/zones of your network, however. You don't really expect to see much 'unknown' traffic going to the 'outside/untrust' zones, for example.

It's also important to note here that just because something is a best practice, that doesn't mean that it will work in every environment or that the org is willing to put the time in to actually make it all work. There are plenty of instances where an org would choose to ignore a best practice simply because they can't do what is requested due to business practices, they view it as too costly to implement, or they simply don't want to put forth the man hours to accomplish something like this.

L1 Bithead

The doc says block it if you are not sure.

Normally, unknown tcp and udp in a production environment could be a non-commercial application.


I would verify the sources generating that traffic and investigate if it is an internal application. Of course I would do this on zones where you know you have servers. I would not do this on an UNTRUST zone.


After identifying legitimate applications I would generate custom App-IDs and then I would drop the other unknown traffic.
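The two replies above (check your traffic logs for how much unknown-tcp/udp you actually see, then verify the sources generating it per zone before building custom App-IDs) describe a triage step that is easy to script. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed, simplified CSV of traffic-log rows (the column names `src_zone`, `dst_zone`, `src_ip`, `dst_ip`, `dst_port`, `proto`, `app`, `bytes` are an assumption, not the real PAN-OS export layout; you would map your own export's columns onto them), counts unknown-tcp/unknown-udp per zone pair, and groups the unknown flows by destination zone, protocol and port so that recurring internal services (custom App-ID candidates) stand out from internet-bound unknown traffic.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in a simplified layout (assumption: not the
# real PAN-OS traffic-log export format; map your own columns onto these).
SAMPLE_LOG = """\
src_zone,dst_zone,src_ip,dst_ip,dst_port,proto,app,bytes
staff,untrust,10.1.1.10,198.51.100.7,443,tcp,ssl,120000
staff,untrust,10.1.1.11,203.0.113.9,8443,tcp,unknown-tcp,5400
staff,untrust,10.1.1.12,203.0.113.9,8443,tcp,unknown-tcp,6100
server,server,10.2.0.5,10.2.0.9,7777,tcp,unknown-tcp,800000
server,server,10.2.0.6,10.2.0.9,7777,tcp,unknown-tcp,650000
server,server,10.2.0.7,10.2.0.9,7777,tcp,unknown-tcp,720000
student,untrust,10.3.4.20,192.0.2.44,51820,udp,unknown-udp,30000
student,untrust,10.3.4.21,192.0.2.44,51820,udp,unknown-udp,28000
student,untrust,10.3.4.22,198.51.100.3,60000,udp,unknown-udp,1500
staff,untrust,10.1.1.13,198.51.100.7,80,tcp,web-browsing,40000
"""

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}
# Zones treated as "towards the internet" (assumed zone name for this example).
INTERNET_ZONES = {"untrust"}


def parse_rows(text):
    """Parse the CSV text into dicts, converting numeric columns."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["dst_port"] = int(r["dst_port"])
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows


def unknown_rows(rows):
    """Only the flows the firewall could not identify."""
    return [r for r in rows if r["app"] in UNKNOWN_APPS]


def unknown_by_zone_pair(rows):
    """How much unknown traffic crosses each (src_zone, dst_zone) pair."""
    return Counter((r["src_zone"], r["dst_zone"]) for r in unknown_rows(rows))


def profile_unknown_services(rows, min_sources=2):
    """Group unknown flows by (dst_zone, proto, dst_port).

    A service seen from at least `min_sources` distinct source IPs is
    recurring rather than one-off; internal ones are the custom App-ID
    candidates, internet-bound ones are what a deny rule would cut.
    """
    flows = defaultdict(int)
    total_bytes = defaultdict(int)
    sources = defaultdict(set)
    for r in unknown_rows(rows):
        key = (r["dst_zone"], r["proto"], r["dst_port"])
        flows[key] += 1
        total_bytes[key] += r["bytes"]
        sources[key].add(r["src_ip"])

    profile = []
    for key, n in flows.items():
        if len(sources[key]) < min_sources:
            continue  # a single source is not a service worth a signature yet
        dst_zone, proto, port = key
        profile.append({
            "dst_zone": dst_zone,
            "proto": proto,
            "dst_port": port,
            "flows": n,
            "sources": len(sources[key]),
            "bytes": total_bytes[key],
            "direction": "internet" if dst_zone in INTERNET_ZONES else "internal",
        })
    # Biggest talkers first: those are the ones a block would disrupt most.
    profile.sort(key=lambda s: s["bytes"], reverse=True)
    return profile


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    print(f"{len(unknown_rows(rows))} of {len(rows)} flows are unknown-tcp/udp")
    for (src, dst), n in unknown_by_zone_pair(rows).most_common():
        print(f"  {src:>8} -> {dst:<8} {n} flows")
    for s in profile_unknown_services(rows):
        print(f"  {s['direction']:<8} {s['proto']}/{s['dst_port']} to {s['dst_zone']}: "
              f"{s['sources']} sources, {s['flows']} flows, {s['bytes']} bytes")
```

On the constructed sample, tcp/7777 inside the server zone comes out as a recurring internal service (three sources, the bulk of the bytes), which is exactly the kind of traffic to profile and give a custom App-ID before any deny rule; the untrust-bound entries are what a block of unknown-tcp/udp towards the internet would actually stop. Swap `SAMPLE_LOG` for a real export and adjust `INTERNET_ZONES` to your zone names.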
@hfregoso

You will get the greatest security benefit if you drop unknown-tcp and unknown-udp towards the internet.

If you want to verify what I mean, then go to this website: https://http-evader.semantic-gap.de/

Even if you have set even low-severity vulnerabilities to block, there are still dozens of ways a website is able to transfer data/malware to your computer using HTTP evasions, and a lot of them you could catch with this deny of unknown-tcp.

... and yes, blocking this towards the internet will also generate some false positives where specific websites/web servers do not behave as described in an RFC...

L3 Networker

I think that in most large network environments you will see some unknown-tcp/udp traffic. I always saw it at our customers, and I don't think it would be a great idea to block such traffic. If you do so, it's likely you will get some side effects, with several applications no longer working as expected.

Ideally, you should try to identify this kind of traffic, build custom app signatures, and use application override to properly identify this traffic.


Laurent

If you do not block unknown apps from the beginning and start blocking it without taking the time to prepare for this, then yes, it could be a very bad idea. But in general my opinion is that this is a very good idea, as it gives you more control and better visibility (with the configuration of custom apps and/or app overrides as proposed by @Laurent_Dormond) over traffic in your network.
