Odd App ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Odd App ID

Not applicable

So, interesting thing.  We use a PA-500 for our enterprise guest networks.  We currently have a couple rules that go like this:

1.  Allow guest networks to use Skype / Skrype-Probe

2.  Block guest networks from using Risk 4 and 5 P2P  (this catches stuff like Bittorrent, etc.)

We just got an email that someone on our guest network is torrenting.  Low and behold the PA is still letting the app "bittorrent" through even though its blocked in that application filter.

Thoughts?

3 REPLIES 3

L6 Presenter

If im not mistaken the logs in PA should show you which rule allowed the traffic.

Verify so you dont in an earlier rule somehow allow bittorrent (since PA use a top-down first-match rule-engine similar to cisco acl) either directly (like allowing risk=5) or indirectly (allowing appid=any where you through you would just let some ipaddresses through without filtering or such).

That's the thing.  I saw that and it's being allowed by the rule that only has the skype apps allowed.

Maybe the PA is messing port classifications and thinks it's seeing bittorrent when it's seeing skype?  Or, some torrent traffic is using skype ports?

The thing is that PA doesnt care about ports unless you limit the rule by specify which ports you wish to allow through in "service" column.

So if you allow skype and nothing else then only skype should be allowed. However if a specific flow first acts like skype and then change into bittorrent then it should been blocked (if you only allow skype).

  • 2513 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!