unknown-tcp / udp - please explain


L3 Networker

Hi,

I know that these two applications stand for unrecognized traffic. It worries me though that for some of the other applications to work, I have to add unknown-tcp/udp to the firewall rule. Example for this would be Bittorrent traffic. To allow Bittorrent, I also have to allow web-browsing and unknown-tcp and unknown-udp.

Can someone please elaborate on this? If I only want to allow Bittorrent, but also add web-browsing and unknown-tcp, I will open up the firewall for unwanted traffic. I really have a hard time understanding this concept.

Thanks


All Replies
L4 Transporter

Allowing unknown-tcp/udp to allow BitTorrent traffic should not be required. On my device I have utilized BitTorrent with and without encryption over the last few weeks, and the traffic logs show that none of the sessions are being identified as unknown-tcp/udp. It's possible this issue is specific to the torrent you are accessing.

The web-browsing component could be required for the tracker communication which can utilize HTTP. 

If you see this issue on the latest content then I would recommend opening a support case for investigation.

L3 Networker

Bittorrent doesn't depend on unknown-tcp/udp, only on web-browsing on tcp/udp dynamic ports. If you have 5.0.x this dependency is already taken care of; otherwise a rule has to be inserted allowing web-browsing before bittorrent.

Verify the app dynamic update (latest 373-1793), and in case of other errors/warnings during commit I also suggest opening a support case.

L3 Networker

Ok, you are right, there are no warnings anymore about unknown-tcp on commit. However, you are saying that 5.0 automatically resolves those dependencies; does that mean it will actually include the needed services without me specifying them in the rule? That would mean it will still open unknown-tcp/udp.

Bittorrent was just an example. I've seen this dependency with other apps as well. If other apps rely on unknown-tcp/udp, doesn't that make the whole thing completely insecure? I am opening up the firewall for unknown traffic.

L3 Networker

In PANOS 4.x all application dependencies have to be explicitly allowed in security rules, otherwise warnings may appear during commit and the related application might not work properly. Sometimes, at large scale, this requirement could be annoying or worse.

Version 5.0.x changes this behavior, allowing application dependencies if they are granular: web-browsing, ssl, ftp and a few more. Never unknown traffic; if needed, that has to be allowed with an explicit rule.

L3 Networker

So that means, if there are dependencies:

   1.) It will resolve them automatically and add the needed services, invisible to the user.

   2.) Because of that, I don't know what I actually allow through my firewall.

Excuse my ignorance, but are you guys serious?

L3 Networker

I quote what is reported in PANOS v.5 release note:

Application Dependency Enhancement – For some protocols, you can allow an application in security policy without explicitly allowing its underlying protocol. This support is available if the application can be identified within a pre-determined point in the session, and has a dependency on any of the following applications: HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS. Custom applications based on HTTP, SSL, MS-RPC, or RTSP can also be allowed in security policy without explicitly allowing the underlying protocol. For example, if you want to allow Java software updates, which use HTTP (web-browsing), you no longer have to allow web-browsing. This feature will reduce the overall number of rules needed to manage policies.

This means that a few applications can use this enhancement and you never allow unwanted applications. Be aware of how PA recognizes applications: for example, the application facebook relies on web-browsing because before facebook the firewall in fact recognizes the web-browsing app. So the programmers asked themselves: why not have an implicit application allow?

Please do not mix together app and service (ports); these are different variables in security rules. As advice, always try to use application-default as the service for policy enforcement.

If you keep the log option on a security rule, you are always able to see what traversed the firewall. Also, in the session browser (cli/gui) you can always see which kind of app traffic is flowing, even with a permit-all policy; this is the strength of these devices.

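The accepted answer's point about the log option is the practical check here: rather than guessing whether a rule really needs unknown-tcp/udp, read the traffic log and count how many allowed sessions under each rule were classified as unknown-* and on which ports. The script below is an added example, not from the thread or from Palo Alto Networks; the log lines are constructed and use a simplified, hypothetical column layout (not the real PAN-OS CSV export), so map the column names to your own export before using it.

```python
"""Audit which allowed sessions a firewall classified only as unknown-tcp/udp.

Added example, not code from the original thread or from the vendor. The
sample log below is constructed and uses a simplified, hypothetical layout.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample sessions (hypothetical column layout, not a real export).
SAMPLE_LOG = """\
time,src,dst,dport,proto,app,rule,action,bytes
2020-11-01T10:00:01,10.0.0.5,93.184.216.34,80,tcp,web-browsing,allow-p2p,allow,4120
2020-11-01T10:00:02,10.0.0.5,198.51.100.7,6881,tcp,bittorrent,allow-p2p,allow,884200
2020-11-01T10:00:03,10.0.0.5,198.51.100.9,51413,udp,bittorrent,allow-p2p,allow,20480
2020-11-01T10:00:04,10.0.0.8,203.0.113.20,4444,tcp,unknown-tcp,allow-p2p,allow,1200
2020-11-01T10:00:05,10.0.0.8,203.0.113.21,53,udp,dns,allow-dns,allow,300
2020-11-01T10:00:06,10.0.0.9,203.0.113.22,9999,udp,unknown-udp,allow-p2p,deny,0
2020-11-01T10:00:07,10.0.0.8,203.0.113.20,4444,tcp,unknown-tcp,allow-p2p,allow,600
"""

# The two App-ID names the thread is about: traffic identified no further
# than its transport protocol.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}


def parse_log(text):
    """Parse CSV log text into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def unknown_sessions(rows, action="allow"):
    """Sessions the firewall could not identify beyond tcp/udp, filtered by action."""
    return [r for r in rows if r["app"] in UNKNOWN_APPS and r["action"] == action]


def summarize(rows):
    """Per rule: allowed sessions, allowed unknown-* sessions, and the
    (proto, dport) pairs those unknown sessions used.

    A rule whose allowed traffic is largely unknown-* is depending on the
    unknown-tcp/udp apps to work, which is exactly what the OP was worried
    about; the port list tells you what an explicit rule would have to cover.
    """
    per_rule = defaultdict(lambda: {"allowed": 0, "unknown": 0, "ports": Counter()})
    for r in rows:
        if r["action"] != "allow":
            continue  # denied sessions never reached the inside, skip them
        stats = per_rule[r["rule"]]
        stats["allowed"] += 1
        if r["app"] in UNKNOWN_APPS:
            stats["unknown"] += 1
            stats["ports"][(r["proto"], int(r["dport"]))] += 1
    return dict(per_rule)


def unknown_share(summary, rule):
    """Fraction of a rule's allowed sessions that were unknown-tcp/udp."""
    s = summary[rule]
    return s["unknown"] / s["allowed"] if s["allowed"] else 0.0


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    summary = summarize(rows)
    for rule, s in summary.items():
        print(f"{rule}: {s['allowed']} allowed, {s['unknown']} unknown-*, "
              f"share={unknown_share(summary, rule):.0%}, ports={dict(s['ports'])}")
```

Run it against a real export after renaming the columns; if a rule meant for a single application shows a non-trivial unknown-* share, that is the traffic to inspect in the session browser before deciding whether it deserves its own explicit rule or should simply stay denied.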

L1 Bithead

Is this the same cryptochrome from the infamous "why NSM is a piece of crap" forum thread? I happened to be the first one to reply to that post.

L3 Networker

yep. that's the same Cryptochrome :smileygrin:

L6 Presenter

Slightly off-topic, but I guess this is the thread you both are referring to? :-)

Want some examples why NSM is a piece of junk? - J-Net Community
