Policies >> Security

Reply
Highlighted
L1 Bithead

Policies >> Security

Unsure quite how to phrase my question. Under Policies >> Security:

 

I have a Rule way at the top for McAfee ePO; tcp; port 8443.

Settings that I have set are:

 Source Zone: Trust     Source: IP address for a specific internal host 

 Destination Zone: Untrust   Destination Addresses: 2 different unique external hosts

 Application: any

 Service:service-tcp-8443 (created a specific service name for this)

 Action: Allow

 Profile:  Using an existing Vulnerability Protection profile

 

After a Save-and-Commit, "Monitor" shows details that my Rule is applied and traffic is allowed.

 

However, the Implicit Deny rule way at the bottom denies the traffic since "web browsing" is required.

 

Question: If I allow "web browsing" in the Implicit Deny rule at the bottom, does this not affect other rules above; rules that I do not want to allow web browsing?

 

Thank you


Accepted Solutions
Highlighted
L1 Bithead

Re: Policies >> Security

Hi,

Thank you for your response.

Yes, I did a "Monitor >> Traffic".

 

The port 8443 is the only port that is allowed.

However, I beg to differ with you.  My Rule 2 (way at the top), does allow traffic to pass.

But Rule 45 (IMPLICIT_DENY), blocks the traffic on port 8443.

The only difference that I can see is that for "Action >> allow", the category is "Any"; while for "Action >> deny", the category is "Government".

 

I will try to sanitize a screen capture; cannot post current details since this is a government environment.

 

Detailed Log View

 Application:  ssl

 Rule:  (My Rule 2 that allows traffic to pass, or IMPLICIT_DENY that blocks traffic)

 Session End Reason: (aged out for Action>>allow,  policy-deny for Action>>deny)

 Category: (any for Action>>allow; government for Action>>deny)

 Virtual System: vsys1

 IP Protocol: tcp

 

 

View solution in original post


All Replies
Highlighted
L7 Applicator

Re: Policies >> Security

There's a paradox you've mentioned that needs to be clarified. 

 

You say that the rule matches and traffic is allowed. But then you say that the implicit deny rule is blocking the traffic. Both can't be true for the same traffic, so maybe there is more than just port 8443 that is happening?

 

To answer your explicit question: you cannot modify the Implicit-Deny rule at all, so that's a moot point in this regard.

 

Since your rule is already specific to 8443 and 2 external servers, and your application is set to "any", web-browsing is implied in the "any". 

 

Take a look at your traffic log (Monitor > Traffic) and see what port(s) the denied traffic is using. You may need to broaden your rule to include the ports.

 

Using a port is generally not needed. The firewall can pick up the application on any port, so usually that just ends up making it more restrictive when you don't want it to be. Try removing the port restriction and instead specifying the application "mcafee-epo-admin" and "web-browsing" to that rule. You're forcing it to only apply to 2 destination servers, so it will only allow web-browsing to those servers anyway.

 

Cheers,

Greg

Highlighted
L3 Networker

Re: Policies >> Security

> Security rules are executed from top to bottom

> Not all security rules are executed only the First Match will be executed

> If you add web-browsing in implicit deny, the traffic which will not trigger any of the above security rule with hit the implicit deny and the traffic will be dropped

Highlighted
L1 Bithead

Re: Policies >> Security

Hi,

Thank you for your response.

Yes, I did a "Monitor >> Traffic".

 

The port 8443 is the only port that is allowed.

However, I beg to differ with you.  My Rule 2 (way at the top), does allow traffic to pass.

But Rule 45 (IMPLICIT_DENY), blocks the traffic on port 8443.

The only difference that I can see is that for "Action >> allow", the category is "Any"; while for "Action >> deny", the category is "Government".

 

I will try to sanitize a screen capture; cannot post current details since this is a government environment.

 

Detailed Log View

 Application:  ssl

 Rule:  (My Rule 2 that allows traffic to pass, or IMPLICIT_DENY that blocks traffic)

 Session End Reason: (aged out for Action>>allow,  policy-deny for Action>>deny)

 Category: (any for Action>>allow; government for Action>>deny)

 Virtual System: vsys1

 IP Protocol: tcp

 

 

View solution in original post

Highlighted
L1 Bithead

Re: Policies >> Security

Thank you gwesson and vkalal.  I believe I have solved this issue.

Within "Policies>>Security", under "Service/URL Category":

  for Service, I have a custom McAfee_ePO_service_tcp_8443.

  to the right of this, under URL Category, I have added both "business-and-economy" and "government".

I no longer have traffic blocked and am no longer hitting the IMPLICIT_DENY rule.

Unsure why government had to be added; under the Category that Palo Alto has for McAfee, it had business-and-economy >> management since mcafee-epo-admin is under this.

However, my client need is very specific, only requires port 8443.

Highlighted
Cyber Elite

Re: Policies >> Security

@john.imperial

 

I'm just curious, you said originally the rule allowed an "ANY" URL category and the traffic was failing?  To get it to work you had to add both "business-economy" and "government?"

Highlighted
L1 Bithead

Re: Policies >> Security

Hi Brandon,

Yes, in Security Policy Rule > Service/URL Category, I originally only had "business-and-economy".

However, my rule way at the bottom kept stating that "government" was necessary.

Once I included "government" in Security  Policy RUle > Service/URL Category in my specific rule at the top, everything functioned correctly.

I did try eliminating "business-and-economy" and "government" and replacing with "ANY" for the URL category, but it failed.

Highlighted
Cyber Elite

Re: Policies >> Security

Hrmm, I'd with "ANY" there that it would have worked.  Did you have a URL profile applied?

 

I've never thought about or experienced it before, but I would have guessed is that it would have been allowed.  But maybe if there wasn't a URL profile applied it needed specific URL categorization to be defined vice just an "ANY" in the security rule when a URL profile isn't defined.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!