11-09-2016 12:25 AM - edited 11-15-2016 11:48 PM
Hi guys,
I have a really strange problem.
We are using the Matlab Network Version on a Windows PC.
When Matlab is starting, it connects via tcp port 27000 to the license server.
I created a custom app called "matlab" with tcp port 27000-27001.
Then I created an allow rule from the clients to license server with the matlab app.
Everything works fine. In the monitor, the firewall recognizes the traffic as the "matlab" app.
And now my problem:
If I connect the same PC to another VLAN, Matlab doesn't start.
The firewall denies the traffic because it doesn't recognize the matlab app.
In the monitor, the fw recognizes port 27000 and the app "flexnet-publisher".
What's the deal?
Why does the fw recognize the traffic in the one VLAN/zone as the matlab app and in the other VLAN/zone as flexnet-publisher?
11-09-2016 02:44 AM
You worked with application override rules? How did you write your app override rule? With specified source IPs or zones? In that case check if all networks are included.
11-09-2016 04:12 AM - edited 11-09-2016 06:16 AM
Ah yes, that's it.
I'm new to PA and the company, and I didn't know about the override rules before.
Thanks.
PS: Could you please explain to me when to use App Override?
11-10-2016 12:04 AM
You use App Override when you want to recognise an application by the IP addresses and ports it uses. Especially for internally developed apps which PA doesn't know anything about.
Let's say you have an application which your company developed for internal use only and it's on IP address 10.10.10.111:4443. As nobody outside your company knows this app, PA will recognise it either as unknown-tcp or maybe ssl (if it's an https app). But to get rid of unknown apps in your logs you'll create a new application 'MyOwnApp' and use app override to tell the FW to mark all traffic going to 10.10.10.111 port 4443 as 'MyOwnApp'.
Another way would be to create a proper 'MyOwnApp' with signatures (app behavior, traffic patterns...) which would recognise this app by its characteristics. But it's MUCH more work.
11-10-2016 07:19 AM
I understand!
But could I also define the ports in a service object and define a rule with the service?
Instead of creating a custom app with override rules?
If that is also possible, what would be the benefit of using a custom app with override rules over a rule with a service object?
11-10-2016 11:10 PM
A service object has nothing to do with application recognition.
Yes, you can use it in firewall rules to open a path. But PA will try to recognise the application regardless of which port it uses or which service object was used in the rule.
11-10-2016 11:24 PM
So you would prefer to always create a custom app when there is unrecognised traffic and create an associated override rule?
11-10-2016 11:44 PM
Well it's a good idea to get rid of unknown traffic in your network. So yeah, I'd make app override rules for traffic you know.
11-11-2016 05:08 AM
Hi santonic!
I have a new situation at the moment.
We are getting a new PC installed which establishes a connection via s-tunnel to the internet.
The Palo Alto does not recognize this traffic.
S-tunnel uses TCP ports 2424, 3131, 3132.
So what do I have to do to create this custom app?
Under "advanced" I have to add the tcp ports.
Under "configuration" a name and description.
But what about category, subcategory, technology and risk?
and the characteristics?
What do I have to configure there?
Or doesn't it matter?
11-11-2016 06:25 AM
Doesn't recognise it? I guess it's recognised as SSL?
How do you want to make it? As an app or with app override? The difference in this case would be: if you add port info to the app signature, all sessions on that port would be recognised as this app. If you use app override you can specify the destination address as well, so only traffic on that port to that specific IP is recognised as this app.
Category, subcategory, technology... only matter if you have some rules based on app filters. And when making reports based on these attributes.
Btw, I don't get this scenario; why would a local user connect to some internet server on these ports? As far as I understand stunnel, it's only for enabling SSL connections on servers which don't support SSL (https://en.wikipedia.org/wiki/Stunnel)? But surely such a server would be on a standard port like 443? And stunnel is not an application really, it's just an implementation of SSL/TLS for devices which don't support it yet. So PA recognising it as SSL is accurate info imo.
11-13-2016 07:52 PM
Hi,
Why did you create a custom app in the first place? Matlab uses FlexNet for floating licenses, so it's normal for the flexnet-publisher app to show up in your logs.
Benjamin
11-15-2016 11:43 PM - edited 11-15-2016 11:43 PM
I tried it, but it didn't work for me.
The clients always made a connection on port 27001.
The fw recognised it as flexnet-publisher, but the standard port of flexnet-publisher is 27000.
So the traffic was always denied.
11-15-2016 11:57 PM
In our library there is a book scanner which transfers data over this stunnel over the internet to a library information database.
The fw recognizes it as app "ssl", you are right.
But the destination port stunnel uses is 2424.
How should I set it up in the fw?
11-16-2016 07:25 AM
Hi,
We use a lot of Flexnet licenses at our university, and I can tell you that most of our licenses don't use the default ports defined by Palo Alto Networks. Normally, each license server uses 2 ports which are defined in the license file, so you could just define a new service for those 2 ports and use that in the rule.
Benjamin
11-17-2016 12:43 AM
In the firewall make a specific rule: from book scanner IP, to library IP, SSL, port 2424, allow, and you're done.
Don't think you will gain any useful info if you mark this traffic as s-tunnel.
But if you want to mark it as s-tunnel: make a new app s-tunnel, tick the properties which describe it best and then make an app override to the library IP on port 2424 as this app. In this case you will need to change the app in the fw rule as well.
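The two approaches discussed in this thread for the MATLAB case, written out as PAN-OS CLI configuration. This is an added example and not configuration posted by anyone in the thread: the zone names (clients-a, clients-b, servers), the license server address 10.0.0.10, the rule and object names, and the exact command syntax are assumptions for illustration and should be checked against the PAN-OS release in use. The first part is the custom app plus app override that santonic described, with the "from" zone list being the detail that broke MATLAB when the PC moved to a VLAN in another zone; the second part is the service-object alternative Benjamin described, which keeps App-ID's flexnet-publisher verdict and simply allows the two license-file ports.

```panos
# Added example, not from the thread. Zone names, 10.0.0.10 and object names
# are assumed values; verify the syntax against your PAN-OS release.

# 1. Custom application for the MATLAB FlexNet license traffic.
#    Category, subcategory, technology and risk only affect app-filter based
#    rules and reports; they do not change how the traffic is matched.
set application matlab-license category business-systems
set application matlab-license subcategory general-business
set application matlab-license technology client-server
set application matlab-license risk 2
set application matlab-license default port tcp/27000-27001
set application matlab-license description "MATLAB FlexNet license checkout"

# 2. App override: label traffic to the license server on these ports as the
#    custom app instead of letting App-ID classify it as flexnet-publisher.
#    Every zone the clients can sit in must be listed in "from"; a client in a
#    zone missing here falls back to App-ID, which is exactly the symptom in
#    the first post (flexnet-publisher seen, matlab rule not matched).
set rulebase application-override rules matlab-override from [ clients-a clients-b ]
set rulebase application-override rules matlab-override to servers
set rulebase application-override rules matlab-override source any
set rulebase application-override rules matlab-override destination 10.0.0.10
set rulebase application-override rules matlab-override protocol tcp
set rulebase application-override rules matlab-override port 27000-27001
set rulebase application-override rules matlab-override application matlab-license

# 3. Security rule that permits only the overridden app on its default ports.
set rulebase security rules allow-matlab from [ clients-a clients-b ]
set rulebase security rules allow-matlab to servers
set rulebase security rules allow-matlab source any
set rulebase security rules allow-matlab destination 10.0.0.10
set rulebase security rules allow-matlab application matlab-license
set rulebase security rules allow-matlab service application-default
set rulebase security rules allow-matlab action allow

# Alternative without a custom app: keep the flexnet-publisher verdict and
# allow the two ports from the license file through a service object. With
# "service application-default" instead, port 27001 is outside the app's
# default port and gets denied, which is the failure reported later in the
# thread.
set service flexnet-license-ports protocol tcp port 27000-27001
set rulebase security rules allow-flexnet from [ clients-a clients-b ]
set rulebase security rules allow-flexnet to servers
set rulebase security rules allow-flexnet source any
set rulebase security rules allow-flexnet destination 10.0.0.10
set rulebase security rules allow-flexnet application flexnet-publisher
set rulebase security rules allow-flexnet service flexnet-license-ports
set rulebase security rules allow-flexnet action allow
```

After committing, the Traffic log's Application column is the quick check: with the override in place, sessions from every listed client zone to 10.0.0.10 on 27000-27001 should show matlab-license, and any session still logged as flexnet-publisher points to a source zone missing from the override rule. Use only one of the two rule sets; mixing the custom app and the flexnet-publisher rule for the same flows just makes the logs harder to read.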