08-30-2017 11:14 AM
Hi, in what rule scenario would 80/443 vs. using ssl/web-browsing be used? And why wouldn't app for ssl and web-browsing work but port 80/443 work?
08-30-2017 01:58 PM
"web-browsing" and "ssl" only match generic HTTP/HTTPS traffic. If the firewall determines a more precise App-ID for the traffic, then it will switch to using that for determining whether to allow/deny the traffic, which may fail in mysterious ways. 🙂
For example, if you have a general "allow web traffic" Security Policy and use "web-browsing" in the rule, then very basic web traffic will be allowed. But, if someone accesses GMail, or Facebook, or Youtube, or clicks on a video link in a generic web page, then the firewall will notice and match that traffic to the google-base, or google-mail, or facebook-base, or youtube, or streaming-video App-ID, none of which are listed in the rule, and block the traffic. Which leads you down a rabbit hole of "access website, check logs for what app is shown, update rule, keep browsing, rinse and repeat". 🙂
We ran into this issue trying to get regular ol' Moodle courses working correctly using application matching. Once the list got beyond 6 or 7 different applications, we switched to just allowing straight port 80/443 traffic through.
There are situations where the application matching really helps (video conferencing, for example), and situations where it really doesn't (a general "allow web traffic" rule). It depends on how specific you need the rule to be.
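The "check logs for what app is shown, update rule" loop from the reply above, done in one pass over a traffic log export. This is an added example, not code from the thread or from Palo Alto Networks; the log lines are constructed and use simplified column names, and the rule name "allow-web" and its app list are assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample shaped like a PAN-OS traffic log export (subset of columns,
# simplified header names). Sessions that fall out of the "allow-web" rule because
# App-ID shifted to a more specific app end up on the default deny rule.
SAMPLE_LOG = """\
rule,app,dport,action
allow-web,web-browsing,80,allow
allow-web,ssl,443,allow
interzone-default,google-mail,443,deny
interzone-default,youtube-base,443,deny
interzone-default,google-mail,443,deny
interzone-default,streaming-video,80,deny
interzone-default,ssh,22,deny
intrazone-default,ping,0,allow
"""

WEB_PORTS = {"80", "443"}
ALLOW_WEB_APPS = {"web-browsing", "ssl"}   # apps listed in the assumed "allow-web" rule


def parse_log(text):
    """Parse the CSV export into a list of dicts, one per session."""
    return list(csv.DictReader(StringIO(text)))


def denied_web_apps(rows, allowed_apps=ALLOW_WEB_APPS):
    """Count App-IDs that were denied on 80/443 and are missing from the rule.
    Non-web ports (e.g. ssh on 22) are left out: they were never the web rule's job."""
    counts = Counter()
    for r in rows:
        if (r["action"] == "deny" and r["dport"] in WEB_PORTS
                and r["app"] not in allowed_apps):
            counts[r["app"]] += 1
    return counts


def proposed_app_list(rows, allowed_apps=ALLOW_WEB_APPS):
    """Rule app list after adding everything the log shows denied on web ports."""
    return sorted(allowed_apps | set(denied_web_apps(rows, allowed_apps)))


def port_rule_verdict(row):
    """What a plain 'any application on 80/443' rule would do with the same session."""
    return "allow" if row["dport"] in WEB_PORTS else "deny"


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for app, n in denied_web_apps(rows).most_common():
        print(f"{app}: {n} denied session(s) on 80/443")
    print("proposed rule apps:", proposed_app_list(rows))
```

Running it over a real export shows how quickly the app list grows, which is the trade-off the reply describes against a plain port 80/443 rule.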
09-01-2017 06:15 AM
Instead of opening port 80/443, create an application filter to dynamically group applications together and add the filter to the rule.
Objects > Application Filters
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/create-an-application-filter