Prove the firewall innocent?


L3 Networker

Hello,

We have communication from load balancer to 2 servers called S1 and S2.

Both S1 and S2 have the same Windows Server version and the exact same patch level.

Both serve a web-service hosted on their IIS.

On Palo firewall, we have App-ID based rule allowing web-browsing as application.

Until 2 days ago, both of them were working perfectly. Yesterday, connections to S1 started being dropped since the App-ID got identified as something else on the firewall. Since then it has been like that. S2 is still working, with the App being identified as web-browsing on the firewall.

There were no App-ID updates on the firewall. The server team claims nothing changed on both S1 and S2.

We were engaged in a long call with PA tech support; they did a packet capture and still were not able to find anything. Palo asked us to check on the server side since they think something must have changed on the server.

So it has now turned into a blame game between the server team and the firewall team.

Any idea how we can prove the firewalls to be innocent?

OR

Is it really the firewalls at fault, and has anyone experienced such an issue?

1 reply

Cyber Elite

@rjdahav163,

Fundamentally if the firewall is seeing a different App-ID than allowed and you're dropping the traffic to S1, that's a firewall issue. Once you verify the traffic I'd expect to at least temporarily allow the new identified application through to S1 regardless of why the firewall is identifying it improperly. 

 

There are really only two reasons that the firewall would start suddenly identifying traffic differently, and that's signature updates that could potentially cause a false-positive detection on your existing traffic flows, or the traffic itself changing. Since you don't mention what the traffic is being identified as, it's hard to help sort that issue out. It could have easily been a signature update that just happens to be identifying this traffic improperly, or it could be that the traffic changed.

What App-ID is the firewall identifying the traffic as currently?
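The reply above leaves two candidate causes: a signature change on the firewall, or a change in the traffic itself. The original poster says there were no App-ID content updates, so the remaining question is whether S1 and S2 still answer the same request the same way on the wire. The script below is an added example, not code from the thread or from Palo Alto Networks: it sends the same minimal GET to both servers, fingerprints the status line, the headers App-ID decisions typically hinge on, and the first bytes of the body, and reports every field that differs. The host names, the IIS `Server` header and the two embedded sample responses are constructed for illustration; `fetch_raw_response` is a hypothetical helper, and to reproduce what the firewall sees it should be run from a host whose path to S1 and S2 passes through the same firewall rule.

```python
"""Diff what two web servers put on the wire for the identical request.

Added example for the App-ID thread; hostnames, headers and sample
responses are constructed, not taken from the original post.
"""
import hashlib
import socket
from typing import Dict, List, Tuple

# App-ID for web-browsing is decided from the first packets of the
# response, so the fields below are the ones worth comparing first.
INTERESTING_HEADERS = (
    "content-type", "server", "transfer-encoding",
    "content-encoding", "upgrade", "connection",
)


def fetch_raw_response(host: str, port: int = 80, path: str = "/",
                       timeout: float = 5.0) -> bytes:
    """Send a minimal HTTP/1.1 GET and return up to 64 KiB of raw reply.

    Hypothetical helper: uses a plain socket rather than an HTTP client
    so nothing rewrites or hides what the server actually sent.
    """
    request = (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        "User-Agent: appid-diff/0.1\r\nConnection: close\r\n\r\n"
    ).encode()
    chunks: List[bytes] = []
    total = 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while total < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return b"".join(chunks)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP response into status line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw: bytes) -> Dict[str, object]:
    """Reduce a response to the handful of facts a classifier would key on."""
    status, headers, body = parse_response(raw)
    fp: Dict[str, object] = {"status": status}
    for name in INTERESTING_HEADERS:
        fp[name] = headers.get(name, "<absent>")
    prefix = body[:512]
    fp["body_prefix_sha256"] = hashlib.sha256(prefix).hexdigest()[:16]
    # Printable ASCII plus CR/LF/TAB; a binary prefix is a strong hint that
    # the server no longer looks like "web-browsing" to a signature engine.
    fp["body_is_text"] = all(32 <= c < 127 or c in (9, 10, 13) for c in prefix)
    return fp


def diff_fingerprints(a: Dict[str, object], b: Dict[str, object],
                      label_a: str = "S1", label_b: str = "S2") -> List[str]:
    """Return one line per fingerprint field that differs between a and b."""
    return [f"{k}: {label_a}={a[k]!r} {label_b}={b[k]!r}"
            for k in a if a[k] != b[k]]


# Constructed sample replies: S1 has started returning a binary payload,
# S2 still returns the HTML page. Both claim the same IIS version.
S1_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 8\r\n"
    b"Connection: close\r\n\r\n"
    b"\x00\x01\x02\x03\xff\xfe\xfd\xfc"
)
S2_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 28\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body>ok</body></html>"
)

if __name__ == "__main__":
    # Offline run on the constructed samples; swap in
    # fetch_raw_response("s1.example.internal") etc. for a live check.
    for line in diff_fingerprints(fingerprint(S1_RESPONSE),
                                  fingerprint(S2_RESPONSE)):
        print(line)
```

If the two fingerprints match byte for byte at the points the firewall inspects, the server team's claim holds and the remaining suspect is the firewall's classification of that flow; if they differ, the output names the exact header or body bytes that changed on S1, which is what the server team needs to see. Take the live capture on the firewall-facing side of the load balancer, since the balancer may rewrite headers before the request reaches the servers.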

 
