Policy, using App ID ssl, is bypassed in favor of service based policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Policy, using App ID ssl, is bypassed in favor of service based policy

L1 Bithead

Hi All,

 

I'm new to Palo so hope you guys can help me understand something.

 

We have two almost identical security policies that allow traffic via ports tcp/443 and 80. The first policy uses App IDs, ssl and web-browsing. The second policy uses services tcp/443, 80. My expectation is that the second policy should never be hit since ports 443 and 80 are allowed by the first policy, but this is not the case. Both policies receive a lot of hits on port 443.

 

My question is, why is the first policy bypassed for tcp/443 traffic?

 

Thanks!

1 accepted solution

Accepted Solutions

L6 Presenter

This sounds like an Application Shift. The Palo Alto device needs some packets to pass to match the application and service based policy doesn't. Please read carefully the article below:

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0#A10

 

 

 

Also use policy trace to see which rule you match if as Sutare said you have some bad config:

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/test-policy-rule-traffic-matches.h...

View solution in original post

5 REPLIES 5

L6 Presenter

Hi @Inelse ,

 

If traffic is matching second policy then there is something configured in first policy which is very specific (zones, addresses etc) and not matching the traffic which you're looking for.

 

Is it possible to share the snap of both policies as well as the traffic log which shows it is matching the second policy to get more understanding?

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

L6 Presenter

This sounds like an Application Shift. The Palo Alto device needs some packets to pass to match the application and service based policy doesn't. Please read carefully the article below:

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0#A10

 

 

 

Also use policy trace to see which rule you match if as Sutare said you have some bad config:

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/test-policy-rule-traffic-matches.h...

Thanks Nikolay and Sutare for your responses.

 

Both rules are identical with the exception that one is using App-ID, the other Services.

 

Nikolay, your theory makes sense and looks like this is what's actually happening.

 

So if we disable the service based rule, does this mean that most of the tcp/443 traffic will be blocked? Is there a way to allow any web traffic using App ID without having to specify all possible apps (eg. google, youtube, etc)?

 

Thanks!

 

 

Can you just in case place the App-ID rule on top of the service port rule and make certain that the App-ID rule matches the default web-browsing application and all child applications as in many the cases the application will be evaluated as web-browsing and then there could be an application shift and again the policy will be evaluated and there should be a rule before the service port rule that also allows more specific application after the application shift.

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/application-default.html

 

 

 

You may use the policy optimizer to see what Applications the the port based rules matches and make app id rules that are placed before the port based rule (read a lot for the policy optimizer and it may do your job for you and be super easy 😞

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/security-policy-rule-optimization/m...

 

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.ht...

Thanks Nikolay.

 

It looks like we would have to leave the two rules active as they are. I've checked the applications that are detected by the service port rule and there are just too many. This rule is for general user web traffic so can't be too restrictive.

  • 1 accepted solution
  • 3725 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!