HL7 Traffic / Unknown-TCP traffic gets denied.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HL7 Traffic / Unknown-TCP traffic gets denied.

L3 Networker

We are standing up some new PA firewalls and have been testing with some HL7 servers.  Testing has been going well until recently where "unknown-tcp" traffic gets denied.  It seems that it only happens when the transfer of a specific file/message is being transferred.  

I spoke with our the HL7 Interface/Server guy and he shared this bit with me..


"HL7, most if not about all, messages begin with the “MSH” segment, Message Header.

These files, the HGS Meditech Lab Charge files, are in an HL7 batch.

The first segment is “FHS” – File Header, the BHS – Batch, then MSH and all the data.

So it is a “Batched” HL7 file, first time in 20+ years of doing this that I run across a charge file like this."

I got around the issue by creating a security policy allow "unknown-tcp" between the two specific servers but is that the only solution? 

Thoughts? 

 

11 REPLIES 11

Cyber Elite
Cyber Elite

Hello,

Is this the same HL7 you are reffering to?

 

Description
HL7, which is an abbreviation of Health Level Seven, is a standard for exchanging information between medical applications. The messaging standards (HL7 v2.x and v3.0) define how information is packaged and communicated from one party to another. Such standards set the language, structure and data types required for seamless integration from one system to another. HL7 version 2 defines a series of electronic messages to support administrative, logistical, financial as well as clinical processes.The HL7 version 3 standard has the aim to support any and all healthcare workflows.

Yes sir. 

Hello,

That is interesting since there is a HL7 application built into the PAN. 

 

Are you running the latest App updates? I would contact support and have them take a look since it could be the application decoders that might be at fault.

 

Regards,

Yes, we have usually set the updates to occur through dynamic updates every wednesday.  You bring up another interesting point in that some but not all of the traffic is identified as HL7.  

I do have a case opened, I thought I would post in the community to see if anyone else was experiencing the issue. 

I would love to be able to use the HL7 application for ALL traffic vs specifying ports. 

Hello,

If you go the PAN applipedia and tye in HL7, it will give you al lthe info you need on it. From the looks of it, its random as to what ports it actually uses so I wonder if in your policy you just leave the 'Service' as application-deafult. 

 

https://applipedia.paloaltonetworks.com/

 

We dont have HL7 on our network so I couldnt comment more on that applciation.

 

Just a thought.

Yes, they are required to use seperate ports for each customer, the ports will be defined between the HL7 server admins at each site.

 

Since we are in the testing phase I may go back and configure the security policy back to allow HL7, however none of the traffic is being defined as HL7, it states incomplete in the application column.  As I mentioned sometimes the firewall identifies the traffic as HL7 sometimes it says incomplete, in this case it said unknown-tcp.

Initially the security policy specific HL7 & application default, 99% of the traffic passed, even when the application was categorized as incomplete.  It's only the traffic that was "unknown-tcp" that was getting denied.

Then I tried HL7 and ANY - same problem.

Then I try ANY application, ANY port - same problem.

Then I created a policy to allow "unknown-tcp" I dont believe I should have to do that because a policy that allows ANY application over ANY service/port should be sufficient.  Correct?  Now traffic passes but I would like to get to the root of the issue thus the reason I opened a ticket and posting here to see if anyone else experienced the same or similar issue or perhaps there is a way to improve the PA firewall ability to properly detect HL7 traffic.  

Hello,

99% of the time when I see the appication as incomplete it means a routing issue. Now it could just mean that the PAN didnt have enough packets pass to idnetify the app.

 

Hard to tell without a pcap.

 

Regards,

Yes, fortunately the PAN automatically conducted a PCAP on the unknown-tcp packets, those have been exported and submitted to tech support as well. 

One interesting thing is that the byte size of the packets that were allowed were consistantly 374 bytes, the traffic that was denied and identified as "unknown-tcp" is above 374 bytes, sometimes 10.8K, most of the time 15.3K.  I dont know if that contributes to the problem or not.

As I mentioned below our HL7 Server Admin stated:

HL7, most if not about all, messages begin with the “MSH” segment, Message Header.

These files, the HGS Meditech Lab Charge files, are in an HL7 batch.

The first segment is “FHS” – File Header, the BHS – Batch, then MSH and all the data.

So it is a “Batched” HL7 file, first time in 20+ years of doing this that I run across a charge file like this

Hey @rkoenig

 

Very likely what will happen is that PAN will make some modifications to the HL7 App-ID that will solve your problem - especially since you mention this only occurs when a transfer of a specific message is done.

 

In the meantime, there are two options I can think of

 

1. Utilize Application Override so that you see this traffic as e.g HL7-Custom - then add this new App to your security policy rules

2. If you're able to confidently quantify and narrow down the problematic behaviour in packet captures, you could try creating your own Custom App-ID.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-custom-or-unknown-appl...

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/use-application-objects-in-po...

 

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/policies/policies-applic...

 

Cheers,

Luke.

Thanks guys, cant believe it's been two years since I last checked up on this post.  I will have to check up on the policy to see if we still have unkown-tcp traffic hitting the policy.

L1 Bithead

I know this is an old thread but just to tie the knot on this, there was a bug ID assigned for this issue (PAN-60414) and the fix for it was released on v7.1.13 and later versions/releases. https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-release-notes/pan-os-7-1-addressed-issues/pan-os... Also, the content update (version 8164) has modified HL7 app-ID for recategorization.   

 

  • 9522 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!