Rule Scenario 80/443 vs using ssl/web-browsing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Rule Scenario 80/443 vs using ssl/web-browsing

L4 Transporter

HI in what Rule Scenario  woulld 80/443 vs using ssl/web-browsing be used. And why wouldnt app for ssl and web-browsing not work but prot 80/443 work

2 REPLIES 2

L4 Transporter

"web-browsing" and "ssl" only match generic HTTP/HTTPS traffic.  If the firewall determines a more precise App-ID for the traffic, then it will switch to using that for determining whether to allow/deny the traffic, which may fail in mysterious ways.  🙂

 

For example, if you have a general "allow web traffic" Security Policy and use "web-browsing" in the rule, then very basic web traffic will be allowed.  But, if someone accesses GMail, or Facebook, or Youtube, or click on a video link in a generic web page, than the firewall will notice and match that traffic to the google-base, or google-mail, or facebook-base, or youtube, or streaming-video App-ID, none of which are listed in the rule, and block the traffic.  Which leads you down a rabit hole of "access website, check logs for what app is shown, update rule, keep browsing, rinse and repeat".  🙂

 

We ran into this issue trying to get regular ol'Moodle courses working correctly using application matching.  Once the list got beyond 6 or 7 difference applications, we switched to just allowing straight port 80/443 traffic through.

 

There are situations where the application matching really helps (video conferencing, for example), and situations where it really doesn't (a general "allow web traffic" rule).  It depends on how specific you need the rule to be.

Instead of opening port 80/443 create application filter to dynamically group applications together and add filter into the  rule.

Objects > Application Filters

 

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/create-an-application-filter

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 6072 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!