03-16-2018 09:33 AM
When applying rules in PA I get a warning message about a shadow rule.
I have two rules where:
rule 1 allows SSL between source and dest on the standard SSL port
rule 2 allows SSL between the (same) source and dest on a non-standard SSL port
I get a warning about rule 1 shadowing rule 2.
How can I combine the two rules so that I do not get that warning anymore?
I always assumed that the two rules could not be combined as one rule uses a custom port.
03-16-2018 09:47 AM - edited 03-16-2018 09:48 AM
It's like saying...
1. Allow Fred to go to Tesco's with green shoes.
2. Allow Fred to go to Tesco's with any colour shoes.
1. is pointless; Fred gets to Tesco's regardless of shoe colour.
I would imagine that despite different shoe colours, Fred will collect the same amount of Clubcard points on an equal purchase, but that may be of no relevance here...
03-16-2018 09:54 AM
Are you utilizing app-id in either of the rules? If the answer is yes, you would have to do the following to combine them.
1) Look up the standard ports for the listed application, 'SSL' for example. Since it defaults to tcp-443, you would utilize service-https, which is included as a service by default. Then for your non-standard port (I'll call it tcp-444) you would build a custom service object that would match protocol TCP on destination port 444. Then you could allow 'SSL' with the service set as [ service-https tcp-444 ] and all traffic would match this one rule.
2) You could build out a custom App-ID signature that would match the non-standard port. Then you would simply maintain one rule that has the application as [ ssl 'custom-app' ] and traffic would match this one rule.
3) You could not be using App-ID at all, in which case you only actually need to build a service object for the non-standard SSL port and add it to the first rule.
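To make the shadowing idea concrete, here is an added Python model (not the firewall's own algorithm and not code from this thread) of a commit-time shadow check run over a constructed policy: the split pair of 'ssl' rules, where the first rule's service is broad enough to also match the custom port, and the single combined rule with the service set [ service-https tcp-444 ] from option 1. Zone names, the tcp/444 port and the App-ID default-port table are constructed for the example.

```python
"""Simplified rule-shadowing check for a firewall security policy (constructed
example, not Palo Alto's own algorithm). An earlier rule shadows a later one
when every session the later rule could match already hits the earlier rule."""
from dataclasses import dataclass

ANY = "any"
APP_DEFAULT = "application-default"
# Constructed lookup of each App-ID's default service; on a real firewall this
# comes from the application content database and changes with content updates.
APP_DEFAULT_SERVICES = {"ssl": frozenset({("tcp", 443)})}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    dest: str
    apps: object      # frozenset of App-ID names, or ANY
    services: object  # frozenset of (proto, port) pairs and/or APP_DEFAULT, or ANY


def effective_services(rule):
    """Expand APP_DEFAULT into the concrete ports of the rule's applications."""
    if rule.services == ANY:
        return ANY
    apps = APP_DEFAULT_SERVICES if rule.apps == ANY else rule.apps
    ports = set()
    for svc in rule.services:
        if svc == APP_DEFAULT:
            for app in apps:
                ports |= APP_DEFAULT_SERVICES.get(app, set())
        else:
            ports.add(svc)
    return frozenset(ports)


def covers(earlier, later):
    """True if the earlier rule's field matches everything the later field does."""
    return earlier == ANY or (later != ANY and later <= earlier)


def shadows(earlier, later):
    return (earlier.source in (ANY, later.source)
            and earlier.dest in (ANY, later.dest)
            and covers(earlier.apps, later.apps)
            and covers(effective_services(earlier), effective_services(later)))


def shadowed_rules(policy):
    """(shadowing, shadowed) name pairs in policy order, like the commit warning."""
    return [(a.name, b.name)
            for i, a in enumerate(policy) for b in policy[i + 1:] if shadows(a, b)]


SRC, DST, SSL = "trust", "dmz", frozenset({"ssl"})   # constructed zones
# Rule 1 lets 'ssl' use any service, so it also matches the tcp/444 sessions
# rule 2 was written for: rule 2 can never be hit -> shadow warning.
SPLIT_POLICY = [Rule("allow-ssl", SRC, DST, SSL, ANY),
                Rule("allow-ssl-444", SRC, DST, SSL, frozenset({("tcp", 444)}))]
# One rule carrying both services, as in option 1 above: nothing left to shadow.
COMBINED_POLICY = [Rule("allow-ssl-std-and-444", SRC, DST, SSL,
                        frozenset({APP_DEFAULT, ("tcp", 444)}))]
```

Running `shadowed_rules` on each policy reproduces the warning for the split pair and none for the combined rule.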
03-16-2018 09:59 AM
I think what's happening is that a rule exists that allows application 'SSL' on service 'application-default', which would cover the standard traffic.
Then there is another rule that allows application 'SSL' on service 'custom-service'.
The one thing that I would caution here when setting an identified application to specified services, is to make sure that the app-id updates don't make any changes to how this traffic is actually identified. If your 'custom-app' or whatever is using a custom port gets categorized in a future update as 'splunk', then this rule will stop matching the traffic properly.