Default Application ID change in 8.0?

L3 Networker

We are migrating from some 200's running 7.1.x code to 220's running 8.0.x code. We had a rule that was working fine, allowing any traffic from a server to another server. We didn't define any apps or tcp ports. We have that rule in the new firewall, but it is now being blocked as "unknown-tcp".

We added a rule allowing any traffic between the servers over the port they use. It still is blocking it as unknown-tcp.

Why did this work in 7.1 but not in 8.0? I've gone through the release notes and there is nothing about application ID changes that would affect this. Is an application override the only way to get this to work?

L7 Applicator

Re: Default Application ID change in 8.0?

Do you have "application-default" as Service?

Change it to "any" and test.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L3 Networker

Re: Default Application ID change in 8.0?

Application and Service are both set to any. And it is the first rule, as this is a very important connection.

L7 Applicator

Re: Default Application ID change in 8.0?

Can you show screenshot of the rule and screenshot of Monitor > Logs > Traffic where this traffic is blocked?

L3 Networker

Re: Default Application ID change in 8.0?

The rule that is the deny rule is the last rule, catch all.

Deny.PNG

L7 Applicator

Re: Default Application ID change in 8.0?

Can you also share top rule that should permit this traffic.

L3 Networker

Re: Default Application ID change in 8.0?

It's a pretty simple rule, and worked on 7.1:

Rule.PNG

L7 Applicator

Re: Default Application ID change in 8.0?

So it stopped working after upgrade?

Can you create a new rule and, instead of using address groups, just add a single IP to source and destination.

Those that you hid in your first screenshot.

To be sure that this source and destination are included in those groups.

Cyber Elite

Re: Default Application ID change in 8.0?

@DPoppleton 

There is a setting where you can disallow any unknown-tcp or unknown-udp traffic; let me see if I can find it. 

edit: I can't seem to find it with a quick glance but I'm fairly certain that was/is a thing. In the meantime you could utilize an application-override policy to classify the traffic as another application, or a custom application, and it should match your existing rule. 

L3 Networker

Re: Default Application ID change in 8.0?

We tried that already. A rule with just the server as the source, and the object it was trying to go to as the destination, any application with a service of tcp/50000. Still fell through to the deny rule at the end as unknown-tcp.
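The thread narrows the problem down to a session that is logged as unknown-tcp and lands on the catch-all deny even though an any/any permit rule sits above it. Before reaching for an application override, a useful check is to pull the denied sessions out of the traffic log and compare the zone pair, addresses and port the firewall actually saw against what the permit rule is written to match. The script below is an added example, not code from this thread or from Palo Alto Networks; the log lines are constructed and use a simplified column layout (receive_time, from_zone, to_zone, src, dst, dport, proto, app, rule, action), not the real PAN-OS export format, and the rule names are placeholders.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample traffic log in a simplified, hypothetical column layout.
# Two sessions on tcp/50000 are classified unknown-tcp and hit the catch-all deny;
# a third session in the opposite direction matched the intended permit rule.
SAMPLE_LOG = """\
receive_time,from_zone,to_zone,src,dst,dport,proto,app,rule,action
2017/03/01 10:00:01,dmz,trust,10.1.1.10,10.2.2.20,50000,tcp,unknown-tcp,Catch-All-Deny,deny
2017/03/01 10:00:02,dmz,trust,10.1.1.10,10.2.2.20,50000,tcp,unknown-tcp,Catch-All-Deny,deny
2017/03/01 10:00:03,trust,dmz,10.2.2.20,10.1.1.10,50000,tcp,unknown-tcp,Server-to-Server,allow
2017/03/01 10:00:04,dmz,trust,10.1.1.10,10.2.2.30,443,tcp,ssl,Web-Out,allow
2017/03/01 10:00:05,dmz,untrust,10.1.1.10,8.8.8.8,53,udp,dns,DNS-Out,allow
"""


def parse_traffic_log(text):
    """Parse the CSV-style log text into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def unknown_fallthroughs(records, catch_all_rule):
    """Sessions classified as unknown-tcp/unknown-udp that were denied by the catch-all rule."""
    return [
        r for r in records
        if r["app"] in ("unknown-tcp", "unknown-udp")
        and r["action"] == "deny"
        and r["rule"] == catch_all_rule
    ]


def summarize(records):
    """Count sessions by the tuple a permit rule must match: zones, addresses, destination port."""
    return Counter(
        (r["from_zone"], r["to_zone"], r["src"], r["dst"], r["dport"]) for r in records
    )


def zone_pairs_on_rule(records, rule):
    """Zone pairs on which a given rule has actually matched, as seen in the log."""
    return {(r["from_zone"], r["to_zone"]) for r in records if r["rule"] == rule}


def uncovered_zone_pairs(records, catch_all_rule, permit_rule):
    """Zone pairs of the denied unknown-* sessions that the intended permit rule never matched.

    A non-empty result points at a zone (or address) mismatch between the rule
    and the traffic, which is worth ruling out before adding an application override.
    """
    denied = unknown_fallthroughs(records, catch_all_rule)
    seen_on_permit = zone_pairs_on_rule(records, permit_rule)
    return {(r["from_zone"], r["to_zone"]) for r in denied} - seen_on_permit


if __name__ == "__main__":
    recs = parse_traffic_log(SAMPLE_LOG)
    denied = unknown_fallthroughs(recs, "Catch-All-Deny")
    for key, count in summarize(denied).items():
        print(f"{count} x denied unknown-* session: {key}")
    print("zone pairs never matched by Server-to-Server:",
          uncovered_zone_pairs(recs, "Catch-All-Deny", "Server-to-Server"))
```

Run against a real export, the summary tells you exactly which from-zone/to-zone, source, destination and port combination is falling through, so you can compare it line by line with the permit rule (including the members of any address groups) rather than guessing which field fails to match.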
