This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

OS 7.1 blocking telnet over SSL

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

OS 7.1 blocking telnet over SSL

mikealanni
L2 Linker

‎09-16-2016 10:31 AM

We have in-house software that uses secure-telnet port 992 and that has been blocked after the 7.1.4-h2 upgrade. I've created a rule to pass the traffic to the destenation address with any application any service but never help, the logs said reset both by internzone rule, only changing interzone rule to allow will let the application communicate.  Even I did appliaction override on the SSL with destinationa port and address not helped me at all.

 

Please any clue how to fix this?

 

Mike

1 person had this problem.
0 Likes Likes
6 REPLIES 6

TranceforLife
L6 Presenter

‎09-16-2016 10:39 AM

Hi,

 

What version of PAN-OS you had before? 

Can you post screenshot of the policy and deny logs please.

 

 

0 Likes Likes

mikealanni
L2 Linker
In response to TranceforLife

‎09-16-2016 10:46 AM

7.0.5h2

Untitled.png

0 Likes Likes

TranceforLife
L6 Presenter
In response to mikealanni

‎09-16-2016 10:53 AM - edited ‎09-16-2016 11:29 AM

Hi,

 

Thanks. So your traffic is denied by default policy cause it does not match any other policy. Can you show me a policy config pls for this particular session? What was your policy before an upgrade? Did you try to create a rule with SSL app and destination port 992. I understand you have tried any any but l had strange behaviour, similar to yours. So when l created rule to be more specific it worked for me.

0 Likes Likes

mikealanni
L2 Linker
In response to TranceforLife

‎09-16-2016 12:09 PM

I tried specific rule to destenation IP and a service with the port on both UDP and TCP, then tried application SSL then tried unknow-tcp and unknown-udp all togehter nothing works. my default inside to outside rule is any application with default application with profiles.

0 Likes Likes

TranceforLife
L6 Presenter
In response to mikealanni

‎09-16-2016 12:33 PM - edited ‎09-16-2016 12:34 PM

Ok. So from what l understood you have a policy inside >outside with application "any" and the service "application-default".

 

So PAN-OS 7.1 changes the behaviour for the policy with application-default specified. See below:

 

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Policy-behavior-change-applicati...

 

Your policy will allow any APPs but only on the default ports. From the logs, we can see that you have SSL as an application but 992 as a port. Default inter-zone has any any that is why it is permitting your traffic.

 

Thx,

Myky

0 Likes Likes

mikealanni
L2 Linker
In response to TranceforLife

‎09-16-2016 01:39 PM

I think when I configure the destination by IP only the rules not match as now I put /32 on the destination IP that made the rule match

0 Likes Likes
  • 5030 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks