Problems with the firewall (web-browsing specifically)


L1 Bithead

Hello,

I have just configured our new firewall, but I'm having a small issue with it. Basically, I have a security policy set with web-browsing application-id enabled (Facebook App-ID is also enabled). Now, every time I test it I'm unable to open Facebook.com on my test machine, nor any other website. However, when I modify the security rule to include a service port of 80, all the webpages open just fine. Do you know what might be going on?

Thank you in advance.

Best regards,

Marcin


Cyber Elite

Hi Marcin

Would you be able to add a screenshot of your policy? This may help visualize the issue you are encountering.

If you add a security policy with the same zones and action "drop" at the bottom, your traffic log may also shed some more light on what is being discarded and why.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Tom,

Thank you for your answer. I'm attaching the screenshot below (staff rules is the problematic entry).

Best regards,

Marcin

[Attachment: 2014-06-20 12_54_21-paalnew.png]

What's interesting: when I change the IP address of the machine so that it belongs to a different address group, I'm able to browse the Internet just fine. This is despite the fact that very similar application-IDs are used for that second address group.

L3 Networker

Strange rule you have there.

Why are there so many services allowed?

If you have not included the default services of webbrowsing and / or facebook (tcp80, tcp8080, tcp443...), it cannot work.

Best practice is to define the applications to allow and choose "application default" in the service field.

Otherwise all the applications are allowed on all ports you define under the service field.

If you have applications that are not defined by PA, you can create a custom application and use a special rule for them.

So your rule for webbrowsing and facebook should look like:

from trust - to untrust - application webbrowsing, facebook - service application default - action allow (maybe define some groups or users to limit the rule).

Hi Marcin

While building security rules you need to take into account that applications and services are mutually dependent. So, for example, defining "any" in the services will allow web-browsing on all possible ports, including 65000 etc. Setting the services to application-default would then limit web-browsing to ports 80 and 8080; if you set the service manually to tcp-50, web-browsing would only be allowed on port 50.

If you, as another example, were then to set applications to "any" and service to tcp80, you would be allowing web-browsing but also ftp, ssh, smtp, ... over port 80.

So if you want to stick to the default ports, it's good to simply set application-default in the services to limit each protocol to its own ports. If you do need to add non-default ports, keep in mind you need to add services for the default ports also.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

In addition:

When needing and adding non-default ports to an application, I would use a separate rule for this.

If you e.g. allow webbrowsing and smtp in one single rule and choose application default on the services, each application will only be allowed on its own default ports. So webbrowsing would not be allowed on port 25.

But if you in addition need port 9090 for webbrowsing and take one rule with application webbrowsing and application smtp and choose the services manually (so you would take tcp80, tcp8080, tcp9090, tcp25, tcp587), that would also allow smtp on port 80 or webbrowsing on 587...
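The interplay Tom and kbe describe (a rule matches only when both the application column and the service column match, with "application-default" tying each App-ID to its own ports) is easy to see in a small model. The following is an added example written for this thread, not PAN-OS code or anything posted by the participants: it models rule matching with first-match-wins and an implicit deny, and replays the scenarios from both posts above. The `DEFAULT_PORTS` table is constructed for the example (web-browsing on tcp/80 and tcp/8080 follows the thread; the other entries are assumptions), and zones, address groups and the App-ID identification process are left out.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

Service = Tuple[str, int]          # (protocol, port)
ANY = "any"
APP_DEFAULT = "application-default"

# Constructed default-port table. web-browsing on tcp/80 and tcp/8080 follows
# the thread; the remaining entries are assumptions for this example and are
# not PAN-OS's real application database.
DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80), ("tcp", 8080)},
    "facebook-base": {("tcp", 80), ("tcp", 443)},
    "smtp": {("tcp", 25), ("tcp", 587)},
    "ftp": {("tcp", 21)},
    "ssh": {("tcp", 22)},
}


@dataclass
class Rule:
    name: str
    applications: Union[Set[str], str]   # set of App-ID names, or ANY
    services: Union[Set[Service], str]   # explicit services, ANY, or APP_DEFAULT
    action: str = "allow"


@dataclass
class Flow:
    app: str      # App-ID the firewall identified for the session
    proto: str
    port: int


def tcp(*ports: int) -> Set[Service]:
    """Shorthand for a set of tcp service objects."""
    return {("tcp", p) for p in ports}


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Both the application column AND the service column must match."""
    if rule.applications != ANY and flow.app not in rule.applications:
        return False
    if rule.services == ANY:
        return True
    if rule.services == APP_DEFAULT:
        # Each application is confined to its own default ports.
        return (flow.proto, flow.port) in DEFAULT_PORTS.get(flow.app, set())
    return (flow.proto, flow.port) in rule.services


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Tom's first example: web-browsing with service tcp-50 cannot match port 80.
def service_tcp50() -> Tuple[str, str]:
    rule = Rule("staff", {"web-browsing", "facebook-base"}, tcp(50))
    return evaluate([rule], Flow("web-browsing", "tcp", 80))


# Marcin's workaround: adding tcp/80 to the service column makes it match.
def service_with_80_added() -> Tuple[str, str]:
    rule = Rule("staff", {"web-browsing", "facebook-base"}, tcp(50, 80))
    return evaluate([rule], Flow("web-browsing", "tcp", 80))


# application-default: port 80 is allowed, a non-default port such as 9090 is not.
def app_default() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    rule = Rule("staff", {"web-browsing", "facebook-base"}, APP_DEFAULT)
    return (evaluate([rule], Flow("web-browsing", "tcp", 80)),
            evaluate([rule], Flow("web-browsing", "tcp", 9090)))


# Tom's second example: application "any" plus tcp80 lets ftp ride port 80.
def any_app_tcp80() -> Tuple[str, str]:
    rule = Rule("loose", ANY, tcp(80))
    return evaluate([rule], Flow("ftp", "tcp", 80))


# kbe's point: one rule with manually listed services cross-permits the ports.
def combined_manual_services() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    rule = Rule("combined", {"web-browsing", "smtp"}, tcp(80, 8080, 9090, 25, 587))
    return (evaluate([rule], Flow("smtp", "tcp", 80)),
            evaluate([rule], Flow("web-browsing", "tcp", 587)))


# Splitting into a web rule (defaults plus 9090, per Tom's reminder) and an
# application-default smtp rule keeps each application on its own ports.
def split_rules() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    rules = [
        Rule("web-extra", {"web-browsing"}, tcp(80, 8080, 9090)),
        Rule("mail", {"smtp"}, APP_DEFAULT),
    ]
    return (evaluate(rules, Flow("smtp", "tcp", 80)),
            evaluate(rules, Flow("web-browsing", "tcp", 587)),
            evaluate(rules, Flow("web-browsing", "tcp", 9090)))


if __name__ == "__main__":
    for fn in (service_tcp50, service_with_80_added, app_default,
               any_app_tcp80, combined_manual_services, split_rules):
        print(f"{fn.__name__}: {fn()}")
```

Run it and the `combined_manual_services` case is the one to look at: both smtp on tcp/80 and web-browsing on tcp/587 come back allowed, which is exactly the cross-permit kbe warns about, while `split_rules` denies both and still allows web-browsing on 9090. A real device also applies the rule's zones and address objects before any of this, which is why Marcin's second address group behaved differently under a similar-looking rule.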

Thank you kbe, I have managed to sort the issue out, thanks to your and tpiens advice.
