Has anybody encountered a situation where a rule was configured for one application but matched other applications?

L1 Bithead

I have the following rule

rule.png

I used 'any' as the service because we have web servers running on multiple ports and not just on the default.

While it does match ssl and web-browsing traffic as expected,  it also matches unexpected application traffic like the following

traffic.png

I don't understand why it would match oracle traffic.  Any ideas?

15 REPLIES

PAN-OS version 6.0.3, Apps version 449-2321

Incorrect, sir... setting service to "ANY" will only allow the traffic to traverse any port that still matches the specified application. Based on your logic, there would be no need to specify the application.

L1 Bithead

I just put in another rule to match the oracle traffic on port 1522. The traffic doesn't get matched by my ssl/web-browsing rule anymore.

It still doesn't explain how a rule configured with an ssl or web-browser application could match oracle traffic.

L4 Transporter

The behavior is quite odd. Usually, if there is an application shift, i.e. the application is first identified as web-browsing and later, after the firewall has seen more packets, the same traffic gets identified as oracle, it should trigger a second policy look-up. Clearly this is not happening. If the issue is still persisting, I would suggest opening a ticket with support.

Hi FJU

You read my mind ;)

I thought that Palo_al had more security rules (below are narrower rules, especially for the oracle application) but was curious why this traffic was hitting this rule.

So your explanation is correct.

I'm fighting with support because the ammy-admin and backup-exec applications aren't correctly identified by PAN-OS. So maybe it's happened to you too.

Regards

Slawek

L1 Bithead

Yup, that doesn't make any sense. I suggest you open a case if you haven't. As a test, you can put a deny-all rule at the bottom and see if oracle is still being allowed, but make sure you've allowed EVERYTHING that you need, because you'll see a lot of blocked traffic, which will cause issues for your users. Probably do that after hours. Hope that helps.
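The two points the replies turn on, that service=any widens ports but never the application set, and that a shift in the identified application should trigger a second policy lookup, can be checked in a small model. The following is an added example, not code from this thread or from Palo Alto Networks; the rule names (web-servers, oracle-1522, deny-all), the port numbers, the default-port table and the web-browsing-then-oracle identification sequence are all constructed to mirror the rules described above:

```python
"""Toy model of a first-match security policy with App-ID shift.

Added example, not PAN-OS code. Rule names, ports and the two-step
App-ID sequence are constructed to mirror the thread.
"""
from dataclasses import dataclass

ANY = "any"

# Constructed subset of App-ID default ports, used for service=application-default.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "oracle": {1521}}


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset      # App-IDs the rule names, or frozenset({ANY})
    service: str         # "any", "application-default", or "tcp/80,443,8080"
    action: str          # "allow" or "deny"


def rule_matches(rule: Rule, app: str, dport: int) -> bool:
    """Application and service are ANDed: service=any widens the port
    set, never the application set, so a web rule cannot match oracle."""
    if ANY not in rule.apps and app not in rule.apps:
        return False
    if rule.service == ANY:
        return True
    if rule.service == "application-default":
        return dport in APP_DEFAULT_PORTS.get(app, set())
    _proto, _, ports = rule.service.partition("/")
    return dport in {int(p) for p in ports.split(",")}


def lookup(policy, app, dport):
    """First-match rule lookup; None means no rule matched (default deny)."""
    for rule in policy:
        if rule_matches(rule, app, dport):
            return rule
    return None


def evaluate_session(policy, app_sequence, dport):
    """Simulate an application shift: each time the identified App-ID
    changes, the session is looked up against the policy again.
    Returns a trace of (app, rule name, action) and stops at a deny."""
    trace = []
    for app in app_sequence:
        rule = lookup(policy, app, dport)
        name = rule.name if rule else "(no match, default deny)"
        action = rule.action if rule else "deny"
        trace.append((app, name, action))
        if action == "deny":
            break
    return trace


# Constructed rules mirroring the thread.
WEB_RULE = Rule("web-servers", frozenset({"ssl", "web-browsing"}), ANY, "allow")
ORACLE_RULE = Rule("oracle-1522", frozenset({"oracle"}), "tcp/1522", "allow")
DENY_ALL = Rule("deny-all", frozenset({ANY}), ANY, "deny")
# What service=any is sometimes mistaken for: an any-application allow.
OVERBROAD = Rule("any-any", frozenset({ANY}), ANY, "allow")

POLICY_BEFORE = [WEB_RULE, DENY_ALL]                 # before the oracle rule was added
POLICY_AFTER = [WEB_RULE, ORACLE_RULE, DENY_ALL]     # after it was added

if __name__ == "__main__":
    # Constructed App-ID sequence: early guess of web-browsing, then oracle.
    shift = ["web-browsing", "oracle"]
    print(evaluate_session(POLICY_BEFORE, shift, 1522))
    print(evaluate_session(POLICY_AFTER, shift, 1522))
```

In the model, the oracle lookup on port 1522 never lands on the web-servers rule; it falls through to deny-all (or to the default deny when no catch-all exists), which is the behaviour the deny-all test above is meant to expose. The model also shows why service=application-default alone would have broken the poster's non-standard web ports, and that listing the ports explicitly (tcp/80,443,8080) is the narrower alternative to service=any. On the firewall itself the equivalent check is the `test security-policy-match` CLI command run with the source, destination, protocol, destination port and application of the suspect session.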
