05-12-2014 06:43 AM
I have a customer who is unable to access a site over port 873. When searching the traffic I see that the Source IP to Destination IP is being allowed over port 873, but the application is showing as incomplete. Now, I understand that this indicates that the handshake is not being completed, most likely due to the distant end, but there are still some anomalies that have me scratching my head.
The rule that I see this traffic hitting:
Source Zone: Inside
Source: Any
Destination Zone: Outside
Destination: Any
Application: SSL, Web-browsing
Service: Any
My question:
Why would this traffic be hitting this rule when it is over port 873? Could it be that the traffic initially starts as 80/443 and then converts to 873?
Port 873: rsync file synchronisation protocol (official)
05-12-2014 09:59 AM
David,
It could also be that the handshake is completed. However, there may not be enough data in the bytes written to the firewall for the Palo Alto to correspond to an application. RSYNC uses SSL encryption and is typically initiated via SSH.
05-12-2014 11:04 AM
Hello Dave,
While you will initiate a connection for the RSYNC application, the first few packets will choose the first available policy in the same direction, regardless of the application defined in the security policy. As soon as the PAN firewall identifies the application signature of the packet (App-ID), it will switch to the appropriate security policy.
If you enable "Log at session start" in the security policy, you will be able to see the same behavior in the traffic logs.
Hope this helps.
Thanks
05-18-2014 04:42 AM
As Hulk mentions, the session starts with the first possible rule match. In your case that is the application ssl rule.
You should reorder your security policy list so that specific rules like this one for the vpn appear first on the list. This prevents the application-based rules from accidentally kicking in on the traffic, as is apparently happening here.
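The two-phase matching the replies above describe, as an added simplified model (not Palo Alto code; rule names, zones and ports are constructed for illustration): before App-ID has identified the session, the application column is not consulted, so the first rule whose zones and service match wins; once the application is known the policy is re-evaluated, and putting the specific port-873 rule first makes both phases land on it.

```python
"""Simplified model of first-match security-policy evaluation before and after
App-ID. Added illustration only; it does not reproduce the real PAN-OS engine."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: set    # {"any"} or a set of application names
    ports: set   # {"any"} or a set of destination ports (the "service" column)


def _matches(rule, src_zone, dst_zone, port, app):
    if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
        return False
    if "any" not in rule.ports and port not in rule.ports:
        return False
    # app is None while App-ID has not identified the session yet; in that
    # phase the application column is ignored, exactly as the thread describes.
    if app is not None and "any" not in rule.apps and app not in rule.apps:
        return False
    return True


def match(policy, src_zone, dst_zone, port, app=None):
    """Name of the first rule matching the session, or None (implicit deny)."""
    for rule in policy:
        if _matches(rule, src_zone, dst_zone, port, app):
            return rule.name
    return None


def session(policy, src_zone, dst_zone, port, identified_app):
    """(rule chosen at session start, rule chosen after App-ID identifies the app)."""
    start = match(policy, src_zone, dst_zone, port, app=None)
    final = match(policy, src_zone, dst_zone, port, app=identified_app)
    return start, final


# Constructed policy modelled on the thread: the broad ssl/web-browsing rule
# sits above a specific rsync rule restricted to port 873.
ORIGINAL_POLICY = [
    Rule("allow-web", "Inside", "Outside", {"ssl", "web-browsing"}, {"any"}),
    Rule("allow-rsync", "Inside", "Outside", {"rsync"}, {873}),
]
REORDERED_POLICY = list(reversed(ORIGINAL_POLICY))

if __name__ == "__main__":
    print(session(ORIGINAL_POLICY, "Inside", "Outside", 873, "rsync"))
    print(session(REORDERED_POLICY, "Inside", "Outside", 873, "rsync"))
```

A session that never completes its handshake stays in the first phase, which is why an "incomplete" port-873 session is logged against the ssl/web-browsing rule in the original order.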