Clarification of rule processing order?

L4 Transporter

I had two firewall rules in the following order:

  • Any Internal > Any External > Any Application > Service TCP 80/443
  • Any Internal > Any External > Application filter "web browsing" > Service "App Default"

With a "decrypt" profile on web based email which is allowed by the URL filtering profile on the first rule, but blocked by the second rule.

If I open my browser on my PC and go to Gmail with both rules in place, I look at my Gmail in the browser, and it is not using the PAN certs, and in the PAN logs I see the traffic is not decrypted, and the app shows as QUIC and is allowed using the second rule.

If I change the second rule to:

  • Any Internal > Any External > Application filter "web browsing" > Service TCP 80/443

And repeat the Gmail test, now Gmail shows the PAN certificate and in the PAN logs the traffic is decrypted and is allowed using the first rule.

In the initial scenario, why didn't the first rule apply?

I'm using 7.0.6

Thanks

L6 Presenter

Hi... I am assuming that you are testing with the Chrome browser, since QUIC was detected.

Case 1 - the browser negotiated with Gmail using QUIC which is UDP so it is not matching tcp 80 or 443 for rule1.  QUIC will match rule2.

Case 2 - Both rule1 and rule2 only match tcp 80 or 443.  QUIC does not match and it is blocked.  The browser then negotiated with Gmail over standard SSL/TLS and the decryption policy is triggered on SSL.   At this point, the decrypted traffic is running on port tcp 443 so it matches rule 1.

Hope that helps.  Thanks.
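The first-match behaviour described in this answer (and the point in the following reply about application-default ports), as an added Python example that is not from the original thread or from Palo Alto Networks: a toy evaluator that walks the two rules top to bottom for a QUIC session (UDP/443) and a TLS session (TCP/443) under both rule sets. The application-default port table, the membership of the "browser-based" application filter, and the rule that only TLS-over-TCP sessions are decryptable are assumptions for illustration, not PAN-OS data.

```python
"""Toy first-match security-policy evaluator for the two-rule scenario
in the thread. Constructed example, not PAN-OS code; port tables and
filter contents below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Union, List

ANY = "any"
APP_DEFAULT = "application-default"
Port = Tuple[str, int]  # (protocol, destination port)

# Assumed application-default ports per App-ID, as stated in the thread:
# web-browsing only on tcp/80, QUIC on udp/80 and udp/443.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "quic": {("udp", 80), ("udp", 443)},
}

# Assumed membership of the "browser-based" application filter.
APP_FILTERS = {"browser-based": {"web-browsing", "ssl", "quic"}}


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str     # App-ID the firewall identified for the session
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: Union[str, Set[str]]      # ANY, an app-filter name, or a set of App-IDs
    service: Union[str, Set[Port]]  # ANY, APP_DEFAULT, or a set of (proto, port)

    def _zone_ok(self, s: Session) -> bool:
        return self.src_zone in (ANY, s.src_zone) and self.dst_zone in (ANY, s.dst_zone)

    def _app_ok(self, s: Session) -> bool:
        if self.apps == ANY:
            return True
        if isinstance(self.apps, str):           # application filter by name
            return s.app in APP_FILTERS.get(self.apps, set())
        return s.app in self.apps

    def _service_ok(self, s: Session) -> bool:
        if self.service == ANY:
            return True
        if self.service == APP_DEFAULT:          # port must be a default for that App-ID
            return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
        return (s.proto, s.dport) in self.service

    def matches(self, s: Session) -> bool:
        return self._zone_ok(s) and self._app_ok(s) and self._service_ok(s)


def first_match(rules: List[Rule], session: Session) -> Optional[str]:
    """Top-to-bottom, first-match evaluation; None means no rule matched (implicit deny)."""
    for rule in rules:
        if rule.matches(session):
            return rule.name
    return None


def decrypted(session: Session) -> bool:
    """Assumption: a decryption policy only acts on TLS over TCP (App-ID ssl), never on QUIC."""
    return session.app == "ssl" and session.proto == "tcp"


TCP_WEB = {("tcp", 80), ("tcp", 443)}
INT, EXT = "internal", "external"
QUIC_SESSION = Session(INT, EXT, "quic", "udp", 443)   # constructed: Chrome talking QUIC
TLS_SESSION = Session(INT, EXT, "ssl", "tcp", 443)     # constructed: fallback to TLS over TCP


def evaluate(rules: List[Rule]) -> dict:
    """Map App-ID -> (matching rule or None, whether the session would be decrypted)."""
    return {s.app: (first_match(rules, s), decrypted(s)) for s in (QUIC_SESSION, TLS_SESSION)}


def case1() -> dict:
    """Original rule set: rule2 uses application-default, so QUIC on udp/443 lands there."""
    return evaluate([Rule("rule1", INT, EXT, ANY, TCP_WEB),
                     Rule("rule2", INT, EXT, "browser-based", APP_DEFAULT)])


def case2() -> dict:
    """Modified rule set: both rules are TCP 80/443 only, so QUIC has no match at all."""
    return evaluate([Rule("rule1", INT, EXT, ANY, TCP_WEB),
                     Rule("rule2", INT, EXT, "browser-based", TCP_WEB)])


if __name__ == "__main__":
    print("case 1:", case1())
    print("case 2:", case2())
```

In case 1 the QUIC session falls through rule 1 on protocol (UDP is not TCP 80/443) and is allowed by rule 2, never reaching a decryption policy; in case 2 QUIC matches nothing, the browser falls back to TLS over TCP 443, and that session hits rule 1 and is decryptable.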

L5 Sessionator

Rules are always matched from top to bottom.

In case 1 QUIC shouldn't match either of those 2 rules, as web-browsing is only on tcp 80 if application-default is selected, according to Applipedia. And even if web-browsing was allowed on all ports, the traffic recognised as QUIC still shouldn't go through (as you're only allowing the web-browsing app).

On the other hand, QUIC uses only UDP 80 and 443, so it shouldn't go through the first rule either.

Case 2 makes more sense: QUIC probably didn't go through, so Gmail used SSL on TCP 443, which was allowed on the first rule, which has the decrypt rule.

L5 Sessionator

Why would QUIC match rule 2? Is it sub-application of web-browsing? Are UDP ports added to default ports for web-browsing?

L4 Transporter

I'm being daft: rule 2 was "browser based", so it would include QUIC, but the URL filter on that rule wouldn't apply as it's UDP traffic, is my assumption?

L5 Sessionator

Yeah, maybe. Maybe URL filtering can only find GET, POST, CONNECT... on TCP traffic.

I really don't know how this QUIC protocol works. But you made me want to capture this quic traffic and analyze it :) Tomorrow tho...