04-28-2017 12:56 PM
I am getting a deny statement for port 8531 for application ssl. 8531 is for ms-update and my policy allows that but the default policy is denying it because it is tying it to ssl for some strange reason. I don't know how to get around that.
04-28-2017 01:08 PM
What app-version are you running? I haven't seen this issue come across at all.
Temp workarounds:
1) Create an application override policy that specifies Microsoft's IP range and override port 8531 to ms-update instead of ssl.
2) Create a custom security policy for the traffic and you don't need to create an override policy.
Really do verify that this is actually ms-update traffic though and pass along your app-version so that we know what version you are on.
04-28-2017 01:18 PM
What PAN-OS are you on? Try to change the "services" tab to any.
05-01-2017 11:48 PM
If you're seeing ssl blocked on that port, this means there's an ssl session being initiated on that port, possibly something trying to bypass a traditional port-based firewall (ssl will be detected if the packets have the appropriate behavior for ssl, client hello, etc.).
If you want to figure out what exactly is hitting your firewall, you can set up a packet capture for that port and see what comes out. Most likely something is sending a client hello.
You may not want to 'get around that' until you can determine what exactly is going on; this may be C&C from an infected host.
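An added example, not part of the thread: one way to read what the packet capture suggested above contains. It takes the first TCP payload of a session on port 8531, decides whether it is a TLS ClientHello, and extracts the SNI host name so you can see which server the client is asking for. The function names are hypothetical, the sample bytes are constructed rather than captured, and the code assumes the whole ClientHello sits in the first segment.

```python
import struct

def parse_client_hello(payload: bytes):
    """Return None if payload is not a TLS ClientHello, else a dict with
    the offered version and the SNI host name (None if no SNI is sent)."""
    # Record header: type 0x16 (handshake), major version 3, 2-byte length
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    if payload[5] != 0x01:              # handshake type 1 = ClientHello
        return None
    try:
        pos = 9                         # skip record (5) + handshake (4) headers
        version = struct.unpack_from("!H", payload, pos)[0]
        pos += 2 + 32                   # client_version + random
        pos += 1 + payload[pos]         # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]  # cipher_suites
        pos += 1 + payload[pos]         # compression_methods
        result = {"version": version, "sni": None}
        if pos + 2 > len(payload):      # no extensions block present
            return result
        end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(payload)):
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0:           # server_name extension
                name_len = struct.unpack_from("!H", payload, pos + 3)[0]
                name = payload[pos + 5:pos + 5 + name_len]
                result["sni"] = name.decode("ascii", "replace")
                break
            pos += ext_len
        return result
    except (struct.error, IndexError):
        return None                     # truncated or malformed hello

def build_sample_hello(host: str) -> bytes:
    """Constructed minimal ClientHello for testing (not captured traffic)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed it the payload bytes of the first client-to-server data packet from the capture; a host name you do not recognise as your update server is the cue to investigate the source host before allowing the traffic.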