This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Traffic Question

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Traffic Question

DaveCorwin
Not applicable

‎05-12-2014 06:43 AM

I have a customer who is unable to access a site over port_873. When searching the traffic I see that the Source IP to Destination IP are being allowed over port 873 but the application is showing as incomplete. Now, I understand that this indicates that the handshake is not being completed most likely due to the distant end, but there are still some anomalies that have me scratching my head.

The rule that I see this traffic hitting:

Source Zone:: Inside    Source: Any   Destination Zone: Outside   Destination: Any   Application: SSL, Web-browsing   Service: Any

My question:

Why would this traffic be hitting this rule when it is over port_873? Could it be that the traffic initially starts as 80/443 and then converts to 873?

Port_873: rsync file synchronisation protocol (official)

0 Likes Likes
3 REPLIES 3

ZackCamp
L0 Member

‎05-12-2014 09:59 AM

David,

It could also be that the handshake is completed. However, there may not be enough data in the bytes written to the firewall for the Palo Alto to correspond to an application. RSYNC uses SSL encrypt and is typically initiated via SSH.

HULK
L7 Applicator

‎05-12-2014 11:04 AM

Hello Dave,

While you will initiate a connection for RSYNS application, the first few packets will choose the first available policy in the same direction, regardless of the application defined in the security-policy.  As soon as PAN firewall identifies the application signature of the packet ( App-ID), then it will switch into the appropriate security policy.

If you enable logging  session for  "Log at session start" in the security policy, it will be able to see the same behavior in traffic logs.

Hope this helps.

Thanks

pulukas
L7 Applicator

‎05-18-2014 04:42 AM

As Hulk mentions, the session starts with the first possible rule match.  In your case that is the application ssl rule.

You should reorder you security policy list so that the specific rules like this one for the vpn appear first on the list.  This prevents the application based rules from accidentally kicking in on the traffic as is apparently happening here.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 2243 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks