Policy, using App ID ssl, is bypassed in favor of service based policy



Hi All,


I'm new to Palo so hope you guys can help me understand something.


We have two almost identical security policies that allow traffic via ports tcp/443 and 80. The first policy uses App IDs, ssl and web-browsing. The second policy uses services tcp/443, 80. My expectation is that the second policy should never be hit since ports 443 and 80 are allowed by the first policy, but this is not the case. Both policies receive a lot of hits on port 443.


My question is, why is the first policy bypassed for tcp/443 traffic?


Thanks!


Thanks Nikolay.


It looks like we would have to leave the two rules active as they are. I've checked the applications that are detected by the service port rule and there are just too many. This rule is for general user web traffic so can't be too restrictive.
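The following is an added example, not code from the thread or from Palo Alto Networks: a simplified model of top-down rule evaluation that shows why an App-ID rule and a service-based rule covering the same ports both accumulate hits, since any tcp/443 session whose identified application is not ssl or web-browsing falls through to the service rule. The rule names, the sample sessions and the application names other than ssl and web-browsing are constructed, and the model matches on the final identified application only (PAN-OS re-evaluates policy as App-ID refines the application during the session, which this does not reproduce).

```python
from collections import Counter

# Constructed rulebase modelled on the thread: both rules cover tcp/443 and tcp/80;
# rule 1 additionally requires the identified App-ID to be ssl or web-browsing,
# rule 2 allows any application on those ports.
RULES = [
    {"name": "allow-web-appid", "apps": {"ssl", "web-browsing"}, "ports": {443, 80}},
    {"name": "allow-web-ports", "apps": None, "ports": {443, 80}},
]


def match_rule(app, dport):
    """Return the name of the first rule (top-down) matching an identified
    application on a destination port, or None for the implicit deny."""
    for rule in RULES:
        if dport not in rule["ports"]:
            continue
        if rule["apps"] is not None and app not in rule["apps"]:
            continue
        return rule["name"]
    return None


def apps_per_rule(sessions):
    """Count which applications each rule ended up allowing, the same check as
    reviewing traffic logs filtered by rule name (sessions = (app, dport) pairs)."""
    tally = {}
    for app, dport in sessions:
        tally.setdefault(match_rule(app, dport), Counter())[app] += 1
    return tally


# Constructed sessions. Port 443 traffic that App-ID does not classify as ssl
# (handshakes that never completed, or some other application riding on 443)
# never matches rule 1 and is allowed by rule 2 instead; ssl on a port neither
# rule covers matches nothing and hits the implicit deny.
SESSIONS = [
    ("ssl", 443), ("ssl", 443), ("web-browsing", 80),
    ("incomplete", 443), ("insufficient-data", 443), ("other-app-over-443", 443),
    ("ssl", 8443),
]

if __name__ == "__main__":
    for rule, apps in apps_per_rule(SESSIONS).items():
        print(rule or "implicit-deny", dict(apps))
```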
