Traffic Question


Not applicable

I have a customer who is unable to access a site over port_873. When searching the traffic I see that the Source IP to Destination IP are being allowed over port 873 but the application is showing as incomplete. Now, I understand that this indicates that the handshake is not being completed most likely due to the distant end, but there are still some anomalies that have me scratching my head.

The rule that I see this traffic hitting:

Source Zone: Inside   Source: Any   Destination Zone: Outside   Destination: Any   Application: SSL, Web-browsing   Service: Any

My question:

Why would this traffic be hitting this rule when it is over port_873? Could it be that the traffic initially starts as 80/443 and then converts to 873?

Port_873: rsync file synchronisation protocol (official)

3 REPLIES

L0 Member

David,

It could also be that the handshake is completed. However, there may not be enough data in the bytes written to the firewall for the Palo Alto to correspond to an application. RSYNC uses SSL encryption and is typically initiated via SSH.

L7 Applicator

Hello Dave,

While you initiate a connection for the RSYNC application, the first few packets will choose the first available policy in the same direction, regardless of the application defined in the security policy. As soon as the PAN firewall identifies the application signature of the packet (App-ID), it will switch to the appropriate security policy.

If you enable "Log at session start" in the security policy, you will be able to see the same behaviour in the traffic logs.

Hope this helps.

Thanks

L7 Applicator

As Hulk mentions, the session starts with the first possible rule match.  In your case that is the application ssl rule.

You should reorder your security policy list so that specific rules like this one for the VPN appear first on the list. This prevents the application-based rules from accidentally kicking in on the traffic, as is apparently happening here.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
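As an added illustration, not from this thread and not Palo Alto Networks code: a small Python model of the behaviour the two replies describe, where the first packets of a session match on zones and service alone and the policy is re-evaluated once App-ID has identified the application. The rule names, the dedicated rsync rule and the matching logic are assumptions, a simplified stand-in for the real PAN-OS evaluation, used only to show why rule order matters.

```python
from dataclasses import dataclass

# Constructed model, not vendor code. Before App-ID has seen enough payload
# the app is "incomplete" and any rule whose zones and service match is taken
# provisionally; once the app is known, the policy is evaluated again.

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset      # App-IDs the rule allows, or {"any"}
    service: frozenset   # e.g. {"tcp/873"}, or {"any"}

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str = "incomplete"   # what the traffic log shows before App-ID fires

def matches(rule: Rule, s: Session) -> bool:
    if (rule.src_zone, rule.dst_zone) != (s.src_zone, s.dst_zone):
        return False
    if "any" not in rule.service and f"tcp/{s.dst_port}" not in rule.service:
        return False
    if s.app == "incomplete":          # app unknown: zones + service decide
        return True
    return "any" in rule.apps or s.app in rule.apps

def first_match(policy: list, s: Session) -> str:
    """Top-down evaluation; an implicit deny closes the list (placeholder name)."""
    for rule in policy:
        if matches(rule, s):
            return rule.name
    return "implicit-deny"

def trace(policy: list, s: Session, identified_app: str) -> tuple:
    """Rule hit at session start vs. after App-ID identifies (or never does)."""
    at_start = first_match(policy, s)   # what "Log at session start" records
    s.app = identified_app              # "incomplete" if the handshake never completes
    return at_start, first_match(policy, s)

# Rule names and the separate rsync rule are assumptions, not from the thread.
WEB = Rule("allow-web", "Inside", "Outside", frozenset({"ssl", "web-browsing"}), frozenset({"any"}))
RSYNC = Rule("allow-rsync", "Inside", "Outside", frozenset({"rsync"}), frozenset({"tcp/873"}))
AS_DEPLOYED = [WEB, RSYNC]   # app-based rule first: the first packets land on it
REORDERED = [RSYNC, WEB]     # specific service rule first, as suggested above

if __name__ == "__main__":
    print(trace(AS_DEPLOYED, Session("Inside", "Outside", 873), "incomplete"))  # ('allow-web', 'allow-web')
    print(trace(REORDERED, Session("Inside", "Outside", 873), "rsync"))         # ('allow-rsync', 'allow-rsync')
```

The first call reproduces the asker's log: a session to port 873 whose handshake never completes stays "incomplete" and is only ever attributed to the SSL/web-browsing rule.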