NTP and proxy bypass

Reply
Highlighted
L2 Linker

NTP and proxy bypass

Hi i have a problem at the moment where it appears there is a proxy/Vpn application that is using port 123 .

as i have lots of byod devices that require access to NTP i leave the port open.

 

When I look at the monitor logs it source port can be anything from 123 to any other port and the dest port is 123 and P.A is letting me know the application is NTP , hence allowed

 

I have ssl decryption turned on .

 

i am slightly stuck on how i ca allow legitimate NTP traffic as opposed to vpn/proxy using port 123  ?

Highlighted
Cyber Elite

Hello,

At this point it would be the application inspection. In your logs, filter by port 123 and see which applications are using that port. Then rewrite the rule to allow only NTP 'application' and remove the port 'Service'.

So the policy would look similar to:

 image.png

If there is an app using ssl over port 123, you might need an additional policy to allow ssl over port 123.

 

I hope I understood your question correctly. Please let me know if I havent and i'll do my best to answer it correctly.

 

Regards,

Highlighted
L7 Applicator

Hi @PaulBrock

 

Are you seeing the vpn/proxybypass be identified as NTP in the traffic logs, or are you seeing the vpn/pbp hit your NTP policy and be allowed by it?

 

 

in case of the latter, @OtakarKlier's solution will solve your issue. In case of the former you'll want to collect as much information as possible (pcaps, paket-diag log feature flow basic + appid basic) and open a support case

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!