10-28-2013 05:59 PM
Hi,
Received a call from a client said their external scanner shows their servers behind the firewall allows tcp port 80 connections and able to passive finger those servers, but there is no firewall rule permit tcp port 80 to those servers. Digging it deeper, found one of the rule allows traceroute application with application default which allows icmp/dynamic, tcp/80, udp 33434-33534.
I can understand icmp/dynamic and udp 33343-33534 portion, but why allow tcp port 80??
The interesting parts are,
1. You can't use the traceroute as application and define your own services, since services in 5.0 does not support icmp.
2. In most *nix system, you can customize traceroute to use any tcp/udp ports for probe, but why only permit tcp port 80? Why not all tcp ports and udp ports?
How are other client dealing with this issue? What other applications have this similar issues that we have not discovery?
Thanks,
E
10-29-2013 07:01 PM
Hello, I hope port 80 is added to allow web based traceroute e.g. Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6
Setting up security rule with service as 'application-default' should restrict allowed traffic with signature+port match only.
10-30-2013 07:00 AM
tcptraceroute is sometimes used when icmp and udp is blocked.
Port 80 is open is most environments
http://www.catonmat.net/blog/tcp-traceroute/
The Programm tcptraceroute uses TCP/80 as well
Manual Page - tcptraceroute(1)
Regards
Marco
10-30-2013 08:05 AM
ukhapre wrote:
Hello, I hope port 80 is added to allow web based traceroute e.g. Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6
Setting up security rule with service as 'application-default' should restrict allowed traffic with signature+port match only.
Just keep this in mind, the first 8 packets will get pass the firewall until App-ID able identify the application, that is plenty to perform passive finger printing to servers behind the firewall which may have tcp port 80 listen but you don't want the world to be able to probe it..
10-30-2013 08:07 AM
But why limit to only TCP 80? Why not TCP 443 or any tcp port? Since PAN firewall only support TCP or UDP as service, you can't specific the service with the application. The only way to lock it down is to use application default.
ExclusiveNetworksGermany wrote:
tcptraceroute is sometimes used when icmp and udp is blocked.
Port 80 is open is most environments
http://www.catonmat.net/blog/tcp-traceroute/
The Programm tcptraceroute uses TCP/80 as well
Manual Page - tcptraceroute(1)
Regards
Marco
12-28-2022 02:51 AM
Hi
I know this is an old post, but I found it as I have some odd traffic coming from an Android device, this was traceroute to the internet on port 80.
A few apps were not working and the inclusion of this in the rule did help to fix one of them, just wanted to add that I found this article from Palo on the subject
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrNCAS
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
