Firewall rules - strange suggesttion

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Firewall rules - strange suggesttion

L4 Transporter

Hi

 

I gave a rule that allows snmp-trap messages to my SNMPD server.  for some reason PA complains that SNMP-TRAP needs SNMP-BASE.

 

Now if I add in SNMP-BASE this is going to open up port 161 where as trap uses 162.

 

So why do i need SNMP-BASE

6 REPLIES 6

L7 Applicator

@Alex_Samad wrote:

So why do i need SNMP-BASE


... because of rare cases where paloalto isn't able to identify the snmp-trap right away. (Even if I don't really know in what situation this could be possible as snmp-traps mostly are one-packet connections. There aren't a lot of possibilities other than identify the application in just this one packet)

Anyway, if it works just with snmp-trap, then one possibility is to ignore the commit-warning or what I also did in this case, allow also snmp-base and manually add service 162/udp instead of application default.

There is also a feature request out there for a feature to suppress these commit warnings ...

thanks, think I will live with the warning seems counter intuitive to add snmp and then limit to 161.

 

Do you have the feature request number ?

think I will live with the warning seems counter intuitive to add snmp 
and then limit to 161.

Yes, it does take some getting used to.  Remember that with PAN the point of basic policy is to FORGET about port and protocol just select the application you want.  And PAN will detect that application EVEN IF it runs on different ports.

 

Thus if you know the app you are writting the rule for will always be on the standard port then you use this option to prevent that default behavior.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Seems counter intuitive to allow something I didn't want to allow just to stop a warning.

 

Currently the traps are getting through so .

Hello,

While you are opening another application, remmeber that it is just that, the application and not a port. Meaning that the firewall needs to identify the application and it wont just open that port for all traffic.

 

Hope that makes sense.

 

Regards,

@Alex_Samad,

The warning is more to do with how other applications function more so than this particular app-id. The only reason the warning is generated is because the app-id has 'snmp-base' as a dependent (ie: if you look at snmp-trap it states 'Depends on: snmp-base'. 

While it can be argued that snmp-trap really doesn't require that snmp-base actually be allowed, and therefore snmp-trap really shouldn't have a dependency to snmp-base, it's more so that applications such as 'dropbox-downloading' depends on 'dropbox-base' and 'ssl' aren't effected and causes admins to leave out required applications. 

This is one of the weird things where PA could likely add an option to 'Ignore Commit Warnings' or something similar to the app-id, or further properly identify that snmp-trap doesn't actually require snmp-base, but this simply hasn't been created yet. 

 

I would do what @Remo mentioned and simply add the app-id and specify that the service can only be 162/udp. This clears up the commit warning and won't actually allow snmp-base traffic unless it happens to be identified on 162. Or just ignore it, you just run the risk of missing an important warning when that list starts to grow over time. 

  • 4530 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!