
traceroute application allows tcp port 80


L4 Transporter

Hi,

Received a call from a client who said their external scanner shows that their servers behind the firewall allow TCP port 80 connections and that it is able to passively fingerprint those servers, but there is no firewall rule permitting TCP port 80 to those servers. Digging deeper, I found that one of the rules allows the traceroute application with application-default, which allows icmp/dynamic, tcp/80, udp 33434-33534.

Screen Shot 2013-10-28 at 5.48.47 PM.png

I can understand icmp/dynamic and udp 33343-33534 portion, but why allow tcp port 80??

The interesting parts are,

1.  You can't use traceroute as the application and define your own services, since services in 5.0 do not support ICMP.

2.  On most *nix systems, you can customize traceroute to use any TCP/UDP ports for probes, but why only permit TCP port 80?  Why not all TCP ports and UDP ports?

How are other clients dealing with this issue?  What other applications have similar issues that we have not discovered?

Thanks,

E

5 REPLIES 5

L3 Networker

Hello, I hope port 80 is added to allow web based traceroute e.g. Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6

Setting up security rule with service as 'application-default' should restrict allowed traffic with signature+port match only.

tcptraceroute is sometimes used when icmp and udp is blocked.

Port 80 is open in most environments

http://www.catonmat.net/blog/tcp-traceroute/

The program tcptraceroute uses TCP/80 as well

Manual Page - tcptraceroute(1)

Regards

Marco

ukhapre wrote:

Hello, I hope port 80 is added to allow web based traceroute e.g. Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6

Setting up security rule with service as 'application-default' should restrict allowed traffic with signature+port match only.

Just keep this in mind: the first 8 packets will get past the firewall until App-ID is able to identify the application. That is plenty to perform passive fingerprinting of servers behind the firewall which may have TCP port 80 listening but which you don't want the world to be able to probe.

But why limit it to only TCP 80?  Why not TCP 443 or any TCP port?  Since the PAN firewall only supports TCP or UDP as a service, you can't specify the service with the application.  The only way to lock it down is to use application-default.

ExclusiveNetworksGermany wrote:

tcptraceroute is sometimes used when icmp and udp is blocked.

Port 80 is open in most environments

http://www.catonmat.net/blog/tcp-traceroute/

The program tcptraceroute uses TCP/80 as well

Manual Page - tcptraceroute(1)

Regards

Marco

L4 Transporter

Hi 

 

I know this is an old post, but I found it as I have some odd traffic coming from an Android device, this was traceroute to the internet on port 80.

A few apps were not working and the inclusion of this in the rule did help to fix one of them, just wanted to add that I found this article from Palo on the subject

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrNCAS

 

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
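
The following is an added example, not part of the thread and not Palo Alto tooling: a small audit that walks a security rulebase and reports allow rules where `application-default` opens a TCP port that nobody listed explicitly, which is the situation the original poster found. The rulebase XML is a constructed, simplified sample, and the port map holds only the traceroute defaults quoted in the thread; the function name and map are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Default ports for the traceroute App-ID as quoted in the thread above.
# Assumption: extend this map from your own firewall's application definitions.
APP_DEFAULT_PORTS = {"traceroute": ["icmp/dynamic", "tcp/80", "udp/33434-33534"]}

# Constructed sample, simplified from the shape of an exported security rulebase.
SAMPLE_RULEBASE = """
<rules>
  <entry name="allow-traceroute-in">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <application><member>traceroute</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-web-in">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <application><member>web-browsing</member></application>
    <service><member>service-http</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-traceroute-lab">
    <from><member>untrust</member></from>
    <to><member>lab</member></to>
    <application><member>traceroute</member></application>
    <service><member>application-default</member></service>
    <action>deny</action>
  </entry>
</rules>
"""

def members(entry, tag):
    """Return the text of every <member> under the given child tag."""
    return [m.text for m in entry.findall(f"{tag}/member")]

def implicit_tcp_exposure(rulebase_xml, port_map=APP_DEFAULT_PORTS):
    """List (rule, app, tcp_ports, to_zones) for allow rules where
    application-default implies TCP ports not written in the rule."""
    findings = []
    for entry in ET.fromstring(rulebase_xml.strip()).findall("entry"):
        if entry.findtext("action") != "allow":
            continue  # deny rules expose nothing
        if "application-default" not in members(entry, "service"):
            continue  # explicit services are visible in the rule itself
        for app in members(entry, "application"):
            tcp = [p for p in port_map.get(app, []) if p.startswith("tcp/")]
            if tcp:
                findings.append((entry.get("name"), app, tcp, members(entry, "to")))
    return findings
```

Each finding names a rule whose destination zone should be checked for listeners on the reported TCP port, since the initial packets reach them before the application is identified.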