Has anybody encountered a situation where a rule was configured for one application but matched other applications?


L1 Bithead

I have the following rule

[screenshot: rule.png]

I used 'any' as the service because we have web servers running on multiple ports and not just on the default.

While it does match ssl and web-browsing traffic as expected, it also matches unexpected application traffic like the following:

[screenshot: traffic.png]

I don't understand why it would match oracle traffic. Any ideas?

15 REPLIES

L4 Transporter

Hi

It's because you put ANY as the service. Please put app-default there and oracle shouldn't hit this rule.

The explanation is that oracle is probably using SSL. Correct me if I'm wrong.

Regards

Slawek

The reason we have any is that we have a few dozen virtual web servers running on different ports, so I was hoping not to enumerate every single port.... I guess I'll have to start typing then :smileygrin:

L4 Transporter

Yes ... or create more security rules, i.e. one per server with that server in the Destination address field.

L4 Transporter

Excuse me but this is a totally bogus explanation... so what if he put service any? The whole point of App-ID is to be port agnostic, that's how the product was sold to us. The replies above make no sense to me.

Hi Ericgearhart

If I'm wrong, please put your explanation here.

So in your opinion it's an improperly identified application, or so?

Regards

Slawek

Cyber Elite

Out of curiosity, would you mind checking if you have log "at start" enabled, and whether the logs you see hitting the wrong rule are start or end logs?

Tom Piens
PANgurus

L3 Networker

I must correct Slawek: if you put ANY as the service, it means this application WITH any port, and not ANY application on any port. So you did it right.

The problem Slawek is thinking of is the dependencies between applications: if you put, for example, the application icq in the rule, it will automatically allow the applications ssl & web-browsing. But only if you don't have a deny-any rule at the end.

Back to your problem with Oracle, which version do you have installed? PAN-OS and Applications & Threats?
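An added example, not code from this thread or from Palo Alto Networks, that models the two points made above: service "any" means the listed applications on any port (not any application), and a rule also matches an application's implicit dependencies (the icq example). It uses a constructed dependency table and a constructed ssl-to-oracle App-ID shift to show why a session-start log and a session-end log for the same session can name different rules.

```python
# Added example, not code from this thread or from Palo Alto Networks:
# a toy model of PAN-OS security-policy matching. It assumes that
# service "any" means the listed apps on any port, that a rule also
# matches an app's implicit dependencies, and that App-ID can shift
# during a session (what "log at session start" vs "end" would reveal).
from dataclasses import dataclass

# Constructed tables for the demo, not the real App-ID database.
DEPENDS_ON = {"icq": {"ssl", "web-browsing"}}  # FJU's icq example
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "oracle": {1521}}

@dataclass
class Rule:
    name: str
    apps: set        # applications listed in the rule
    service: object  # "any", "application-default", or a set of ports
    action: str = "allow"

def effective_apps(rule):
    """Apps the rule matches: the listed ones plus their dependencies."""
    apps = set(rule.apps)
    for app in rule.apps:
        apps |= DEPENDS_ON.get(app, set())
    return apps

def service_matches(rule, app, port):
    if rule.service == "any":
        return True  # any port, but still only for the apps above
    if rule.service == "application-default":
        return port in APP_DEFAULT_PORTS.get(app, set())
    return port in rule.service

def lookup(policy, app, port):
    """First matching rule, or the implicit deny at the end of the policy."""
    for rule in policy:
        if app in effective_apps(rule) and service_matches(rule, app, port):
            return rule.name, rule.action
    return "implicit-deny", "deny"

def log_hits(policy, app_ids, port):
    """app_ids: App-ID verdicts over a session, first to last (constructed).
    Returns the rule a session-start and a session-end log would name."""
    return {"start": lookup(policy, app_ids[0], port)[0],
            "end": lookup(policy, app_ids[-1], port)[0]}

POLICY = [
    Rule("web-servers", {"ssl", "web-browsing"}, "any"),  # the OP's rule
    Rule("chat", {"icq"}, "application-default"),
]
```

With this model, `lookup(POLICY, "ssl", 8443)` hits the web-servers rule while `lookup(POLICY, "oracle", 1521)` falls through to the implicit deny, and a session identified as ssl first and oracle later shows different rules in its start and end logs.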

slv, see FJU's response below. I totally agree with what FJU says below.

I only have 'log at session end' enabled
