10-23-2019 12:17 PM - edited 10-23-2019 12:17 PM
Hello everyone,
Been testing some PA firewall functionality and noticed that ms-rdp has the implicit use of "cotp" defined, but the cotp application matches to a rule further down the policy list. When I review the logs, it looks like this
Am I misunderstanding having cotp as implicitly allowed by the ms-rdp application? Not sure why ms-rdp is allowed as part of the Test-RDP rule but then cotp drops down to a policy further in the list.
I could add the cotp application to the Test-RDP rule, but shouldn't Test-RDP be where cotp is getting caught already?
Thanks!
10-24-2019 01:12 AM
Hi @MathewRD .
when the tcp handshake is initiated for any application the firewall will view all policies for an explicit allow. If none are available then it will check again for any implicit allows.
i found these links helpful.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLLICA4
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK
10-24-2019 01:12 AM
Hi @MathewRD .
when the tcp handshake is initiated for any application the firewall will view all policies for an explicit allow. If none are available then it will check again for any implicit allows.
i found these links helpful.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLLICA4
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
