- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-11-2011 12:39 AM
Hello,
I have defined a rule that allow pings (using the "ping" application). However there are a lots of other applications that flows through this rule, even "web-browsing" !!!
How is this possible ?
Regards,
Laurent
11-11-2011 01:35 PM
Hi Laurent,
Can you change the service to use application default and appliction to ping and try to see what results you get.
You can set an application and then "any" service, our App-ID engine will filter based on application regardless of ports. Also, most applications have an "application default" option for service. For instance, if you set application "ssl" and selected "application default" for service, it would only allow the ssl application on port 443. If it detected ssl traffic on an irregular port it would not be processed under that rule. Likewise, if you set application to "any", you could then specify services and it would only apply the policy to those services (ports) regardless of application.
Also I see that following ip addresses come from the same zone XDMZ. Is this the intended setup?
Logs show
(1) 10.120.134.28 that uses application SiteScope Jmx collection
(2) 10.120.120.56 that uses application ping
(3) 145.232.250.140/141 that uses web-browsing
Thanks
Parth
11-11-2011 01:14 AM
Hi Laurent,
You should not see web-browsing as an application that uses the same security rule as the one set for allowing pings.
If you want to block everything except ping , you may keep an explicit deny rule at the bottom.
Thanks
Parth
11-11-2011 01:17 PM
Looking at your traffic log and the rule I would advise you to open a case with support. This merits closer examination.
Thank you,
Benjamin
11-11-2011 01:35 PM
Hi Laurent,
Can you change the service to use application default and appliction to ping and try to see what results you get.
You can set an application and then "any" service, our App-ID engine will filter based on application regardless of ports. Also, most applications have an "application default" option for service. For instance, if you set application "ssl" and selected "application default" for service, it would only allow the ssl application on port 443. If it detected ssl traffic on an irregular port it would not be processed under that rule. Likewise, if you set application to "any", you could then specify services and it would only apply the policy to those services (ports) regardless of application.
Also I see that following ip addresses come from the same zone XDMZ. Is this the intended setup?
Logs show
(1) 10.120.134.28 that uses application SiteScope Jmx collection
(2) 10.120.120.56 that uses application ping
(3) 145.232.250.140/141 that uses web-browsing
Thanks
Parth
11-15-2011 12:13 AM
Hi Parth,
Indeed, when setting service to "application-default" it's much better. No more heterogenous traffic. The only other traffic I get is "incomplete".
Thanks for your help.
However I don't really understand why application signature was not sufficient in this case...
Regards,,
Laurent
11-07-2012 03:06 AM
Hi,
Do you have any news on that topic.
We experienced the same issue here in 4.1.6 version.
regards,
Joseph
11-07-2012 03:47 AM
Are my eyes playing with me or isnt the second to last rule basically an "any any allow" (which would explain why traffic is let through) looking at the picture provided by ldormond Nov 11, 2011 10:45 AM ?
11-07-2012 04:34 AM
Yes but the rule which is matched in the log is the ping one
11-07-2012 08:24 PM
Ahh 🙂
What if you 1) ping 2) do some web-browsing (or whatever) from a srcip which belongs to grp-cisco-css towards a dstip which belongs to grp-addi-web?
Will the traffic log then (for the 2nd case above) display "Keep_Alive_CSS" as rulehit or "ALLOW ANY FROM XDMZ" (or whatever the rules are named in your case)?
Im thinking that the compiler incorrectly merged (by optimization) the "any any allow" rule with the first occurance where this srcip/dstip combo exists (like some inverse shadow rule) so the wrong rulehit is displayed (I mean security wise its correct beause you do have a "any any accept" (which in most cases is bad) but the incorrect rule is being blamed for why traffic was let through)?
11-21-2012 06:18 AM
Hi,
Thanks for your help guys, but I currently have no more access to the device.
But I had set the service to "application-default" instead of "any" as suggested by Parth and the issue was resolved.
Regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!