01-10-2021 01:12 AM - edited 01-10-2021 01:14 AM
For an example, I have 2 security policies
ruleA) source ip: any, source zone: any, destination ip: any, destination zone: any, application: dns, service: any, action allow
ruleB) source ip: any, source zone: any, destination ip: any, destination zone: any, application: any, service: any, action allow
and traffic initiate from client is DNS request port53, my question is when Paloalto still not know the application yet (or application is incomplete), which policy will apply for the traffic?
Pls share me a reference guide also, Thank you in advance
01-10-2021 01:58 PM
You would expect traffic to hit Rule A in your example. The reason for this is that the firewall needs to allow enough traffic to actually identify the application, so when you specify an app-id of 'dns' and use service of 'any', you are effectively telling the firewall to allow traffic across any port until it's able to identify the application. As soon as the application is identified, then the traffic would be re-analyzed to see what rulebase entry matches the newly identified traffic, if any.
01-11-2021 04:11 AM
This is why 'application-default' is very important in the service of a security rule
when the firewall accepts the very first packet of a session, it will only be able to identify the '6-tuple'
source subnet, source zone, destination subnet, destination zone, destination port and protocol
it will then go look for a security rule that matches those criteria; so in your case ruleA will be hit by everything,even a SYN packet for port 80
once App-ID is able to identify the session is in fact http (by packet 4 due to the HTTP GET), it will re-evaluate the security rules and match ruleB
if the syn is never responded to (incomplete), the session will die on ruleA as there will not be a reason to re-evaluate security rules until a new application is identified
if you set application-default, ruleA will be limited to port53 TCP/UDP, so connections on port80 will automatically drop to ruleB
one step further: if, for example, ruleA is dns and ruleB is ssl, both with service application-default: a SYN packet for port 80 will automatically be discarded on the implied interzone drop rule, since only ports that match one of the defined applications will be allowed through so a session can be created.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
