Security policy is passing a service which is not configured in the policy.

L0 Member

We have created a VPN-to-Trust rule for just the FTP and SSH services for a server, in which we have allowed only those services with application "any". But some of the traffic is passing through the same rule with some random service port, with application "ftp", which is not mentioned in the security policy. Any idea why this is happening? [Screenshots attached: Screenshot (501)_LI.jpg, Screenshot (502)_LI.jpg]

3 REPLIES

L7 Applicator

Hi @MPESDC 

This is a special case for the application ftp. In an initial FTP connection, the actual data-transfer port is sent in the payload of the control connection. The firewall reads this and opens the additional port dynamically. This is at least the explanation for this behaviour so far.

I see it here probably as you do. If you have specified exactly one port, the firewall should not dynamically allow another one, even if this breaks the FTP connection. In this situation I recommend opening a TAC case, either for final clarification or to inform them about this behaviour.
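The dynamic-port mechanism described in the reply above, as an added illustration that is not part of the original thread and not Palo Alto Networks code: a small Python parser that pulls the data-channel endpoint out of FTP control-channel messages the way an application-aware firewall has to (RFC 959 `PORT` commands and `227` passive replies carry it as six comma-separated bytes, RFC 2428 `229` extended-passive replies carry only the port). Running it over a control-channel capture shows why a rule written around tcp/21 and tcp/22 ends up carrying sessions on ports it never named. The sample messages, the capture and the allowed-port set are constructed for this example.

```python
import re

# Constructed sample control-channel messages (not taken from the poster's screenshots).
# Active mode: the client announces where the server should connect for data.
ACTIVE_PORT_CMD = b"PORT 10,0,0,5,195,89\r\n"
# Passive mode: the server announces the port it is listening on for data.
PASSIVE_227_REPLY = b"227 Entering Passive Mode (192,168,1,20,39,16).\r\n"
# Extended passive mode (RFC 2428): only the port is carried, peer address is reused.
EPSV_229_REPLY = b"229 Entering Extended Passive Mode (|||50123|)\r\n"

# Ports the poster's rule names explicitly (FTP control, SSH). Assumed for the example.
ALLOWED_SERVICE_PORTS = {21, 22}

_HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(rb"\(\|\|\|(\d{1,5})\|\)")


def parse_data_channel(line: bytes):
    """Return (host, port) announced by a PORT command, a 227 reply or a 229 reply.

    host is None for a 229 reply (the control-channel peer address is reused).
    Returns None when the line announces no data channel or is malformed.
    """
    upper = line.strip().upper()
    if upper.startswith(b"PORT ") or upper.startswith(b"227"):
        m = _HOSTPORT.search(line)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        # Each field is one byte; reject anything outside 0..255 instead of guessing.
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    if upper.startswith(b"229"):
        m = _EPSV.search(line)
        if not m:
            return None
        port = int(m.group(1))
        return (None, port) if 0 < port <= 65535 else None
    return None


def dynamic_ports(control_payload: bytes, allowed=ALLOWED_SERVICE_PORTS):
    """Walk a control-channel capture line by line and list every data channel an
    application-aware firewall would have to open for the transfer to work,
    flagging the ones a port-only rule does not cover."""
    found = []
    for line in control_payload.splitlines(keepends=True):
        channel = parse_data_channel(line)
        if channel:
            host, port = channel
            found.append({"host": host, "port": port, "in_policy": port in allowed})
    return found


# Constructed control-channel exchange: one passive listing, then one active retrieve.
SAMPLE_CONTROL_CAPTURE = (
    b"220 FTP server ready\r\n"
    b"USER anonymous\r\n"
    b"331 Password required\r\n"
    b"PASS guest@\r\n"
    b"230 Login ok\r\n"
    b"PASV\r\n"
    + PASSIVE_227_REPLY
    + b"LIST\r\n"
    + ACTIVE_PORT_CMD
    + b"RETR file.bin\r\n"
)

if __name__ == "__main__":
    for entry in dynamic_ports(SAMPLE_CONTROL_CAPTURE):
        status = "covered by service ports" if entry["in_policy"] else "NOT in service ports"
        print(f"data channel -> {entry['host']}:{entry['port']}  ({status})")
```

Neither announced port (10000 and 50009 here) appears in a rule that lists only tcp/21 and tcp/22, which is exactly the traffic the poster saw "passing with some random service port": the firewall derived it from the control channel, not from the service object.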

L6 Presenter

You may check this article and your app configuration; you can use an app override not only to allow passive FTP but also to block it:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFeCAK

Cyber Elite

Hello,

As a best practice, I would recommend using the application rather than the port.

Regards,
