01-27-2011 05:47 AM
I am currently only allowing ssl and web-browsing applications to a specific server. If I do a "telnet x.x.x.x 3389" it connects even though the rule should not allow this. I would think that the application filter is unable to block this due to the application coming up as insufficient-data or incomplete.
How do I block this?
01-27-2011 06:00 AM
Hi There,
Probably once the telnet is successful no further commands can be initiated as the application telnet will be picked up - it is not always immediate, since you need a little info to identify the application. It would be worth checking this doc out:
https://live.paloaltonetworks.com/docs/DOC-1628
Thanks
James
01-27-2011 06:18 AM
Hi James
Thanks for the reply, however we were able to run a couple of commands and get some info. The logs showed the app as either incomplete or insufficient-data during the running of these commands.
01-27-2011 06:29 AM
Hi Hallk,
are you using "any" in the Service field for web-browsing and ssl applications?
If so, it can be beneficial to specify specific or default ports for the applications being allowed. If the service is defined as "any", all sessions must be allowed to start so the system can see if the correct application is running on them. If the service is anything but "any", then many unwanted connections can be dropped immediately. If the traffic and resulting application does not match any rule, the session will be dropped.
01-27-2011 06:33 AM
Then I would probably need to see your complete rulebase to find the answer - can you see which rule the traffic is hitting? Is it the one you expected?
Thanks
James
01-27-2011 06:59 AM
Also a concern is that you are able to run port scan and the report will tell you what ports the box is listening on.
01-27-2011 07:22 AM
This depends on your configuration. Maybe you need to be in contact with your local SE to spend some time with you on these tests?
Thanks
James
01-28-2011 12:39 AM
It is hitting a rule allowing web-browsing and ssl applications.
TCP 3389 is definitely not allowed on any rules.
01-28-2011 12:48 AM
Hi
So you are saying that I can specify applications as well as port numbers in a single rule? I had an issue, admittedly on a different OS version, that it would not see the service ports or the applications when using them in the same rule - can't remember which one. I ended up creating 2 different rules.
01-28-2011 02:41 AM
Hi There,
I am not sure where you saw the problem - but you can indeed use the application and service column for "extra" security in the same rule. This will mean the application must ONLY run over the ports you have defined in the service column, which may be custom or the application-default setting.
Thanks
James
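The two points made above (a Service column of "any" lets every session start so App-ID can inspect it, while "application-default" or an explicit port lets the firewall drop the SYN to 3389 outright) can be modelled with a small rule matcher. This is an added illustration, not code from the thread or from PAN-OS: the rule names, the "allow-pending-appid" state, and the default-port table (web-browsing on tcp/80, ssl on tcp/443) are simplifying assumptions, and real App-ID behaviour is more involved.

```python
"""Toy model of App-ID policy matching: Service = "any" versus
"application-default" for a rule that allows only web-browsing and ssl.

Added example, not from the original thread or from the vendor.
Default ports and rule names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed application-default ports for the two apps named in the thread.
APP_DEFAULT_PORTS = {
    "web-browsing": {80},
    "ssl": {443},
}


@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset
    service: str            # "any", "application-default" or "tcp/<port>"
    action: str = "allow"


def service_matches(rule: Rule, port: int, app: Optional[str]) -> bool:
    """Evaluate the Service column.

    app is None while App-ID has not yet seen enough data (the sessions the
    logs show as incomplete / insufficient-data). In that state
    application-default is satisfied if the port is a default port of ANY
    application in the rule; once the app is known, it must be on ITS OWN
    default port.
    """
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        candidates = rule.applications if app is None else {app}
        return any(port in APP_DEFAULT_PORTS.get(a, set()) for a in candidates)
    proto, _, num = rule.service.partition("/")
    return proto == "tcp" and num.isdigit() and int(num) == port


def evaluate(rules: List[Rule], port: int, app: Optional[str]) -> Tuple[str, str]:
    """Return (action, rule_name) for a session to dst port `port`.

    With the app still unknown, a session is provisionally allowed by the first
    rule whose Service column could match; the application check is deferred
    until App-ID identifies the traffic. Nothing matching falls to the
    implicit deny.
    """
    for rule in rules:
        if not service_matches(rule, port, app):
            continue
        if app is None:
            return ("allow-pending-appid", rule.name)
        if app in rule.applications:
            return (rule.action, rule.name)
    return ("deny", "implicit-deny")


def rulebase(service: str) -> List[Rule]:
    """The poster's single rule: web-browsing and ssl, with the given Service."""
    return [Rule("allow-web", frozenset({"web-browsing", "ssl"}), service)]


def simulate_telnet_3389(service: str) -> List[Tuple[str, Tuple[str, str]]]:
    """Walk the 'telnet x.x.x.x 3389' scenario through the rulebase.

    Stage 1: TCP handshake, no payload yet (App-ID: incomplete).
    Stage 2: a few commands typed, still too little data (insufficient-data).
    Stage 3: App-ID finally identifies the application (assumed "ms-rdp").
    """
    rules = rulebase(service)
    return [
        ("syn (incomplete)", evaluate(rules, 3389, None)),
        ("first commands (insufficient-data)", evaluate(rules, 3389, None)),
        ("app identified", evaluate(rules, 3389, "ms-rdp")),
    ]


if __name__ == "__main__":
    for svc in ("any", "application-default"):
        print(f"Service = {svc}")
        for stage, decision in simulate_telnet_3389(svc):
            print(f"  {stage:36s} -> {decision}")
```

With Service = "any" the first two stages are allowed by the web rule, which is exactly the window in which the audit team could type commands; with "application-default" the SYN to 3389 never matches any rule and is dropped at stage 1. The same matcher also shows that the tightened rule still admits legitimate traffic (ssl on 443) and rejects an app on the wrong port (web-browsing on 443).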
01-28-2011 05:00 AM
Thanks guys. Will do this and get the audit team to test again.
01-28-2011 06:13 AM
Thanks for the help. Tested and works perfectly.
01-29-2011 08:04 AM
Good news
You may want to look into zone protection, if you're trying to protect against reconnaissance too.
Thanks
James