I'm using PAN-OS 3.0.9, and I have configured some policies in which I allow some applications defined by application override. I noticed that in the logs associated with these policies, there are lines that are identified as "unknown-tcp" with action "allow" and type "end". Is this normal?
Normally the firewall should not allow these connections because they are not part of the application override, and should only allow these applications.
Any explanations please.
If there is traffic that is coming through the Palo Alto device that was not caught by the application override, that indicates that your application override rule does not include the criteria for this traffic, i.e. port, source/destination IP, etc.
Also, if you are seeing sessions in the traffic log for unknown-tcp, that same log tells you the specific rule that is allowing this traffic.
Also make sure that you do not have an allow-all rule somewhere in your rule set that covers criteria that your application override rule does not.
In my case, the logs mention the same rule that allows the applications defined by application override. Normally, the rule must allow only the ports/IPs mentioned in the application override rule. And there is no other rule that allows the traffic marked as unknown-tcp.
Any other idea please?
In the service column I allow "any" service; in the admin guide it is recommended not to use "application-default" for user-defined applications. The destination ports marked as unknown-tcp are various (internal development applications) and different from those defined in the application default ports definition and those defined in the application override rule.
The user guide is wrong. We can get that cleaned up. The application you are overriding to (custom or otherwise) should have a value specified as the default port. This is what "app-default" will use. Alternatively, you should put the specific port you want in the Service column. Otherwise, the system will allow traffic on other ports until it determines if it matches the specified app. For the override to work properly, the port in the override rule should match the port in the default port field of the app or a port explicitly configured in the service column.
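To make the fix in this answer concrete, here is an added configuration sketch (not from the thread or from Palo Alto documentation) showing the weak security rule beside the two corrected forms. The application name, zones, subnet and port are made-up placeholders, the lines starting with # are annotations rather than CLI input, and the syntax is current PAN-OS set-command format, which may differ on a 3.0.x release.

```text
# Custom application with an explicit default port, so "application-default" has a value to use
set application internal-dev-app category business-systems
set application internal-dev-app subcategory general-business
set application internal-dev-app technology client-server
set application internal-dev-app risk 3
set application internal-dev-app default port tcp/8443

# Application override: only TCP/8443 between these zones is forced to internal-dev-app
set rulebase application-override rules override-internal-dev from trust to dmz source any destination 10.0.0.0/24 protocol tcp port 8443 application internal-dev-app

# Weak security rule (the situation described in the thread): service "any" lets sessions on
# other ports through while App-ID is still undecided; those that are never identified end up
# logged as unknown-tcp / allow against this same rule
set rulebase security rules allow-internal-dev from trust to dmz source any destination 10.0.0.0/24 application internal-dev-app service any action allow

# Corrected, option 1: tie the rule to the app's default port (tcp/8443 as set above)
set rulebase security rules allow-internal-dev service application-default

# Corrected, option 2: an explicit service object that matches the override rule's port
set service tcp-8443 protocol tcp port 8443
set rulebase security rules allow-internal-dev service tcp-8443
```

Either corrected form keeps the security rule's port in step with the override rule's port, so traffic on other ports no longer matches this rule and shows up in the traffic log against whatever rule (if any) actually permits it.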