unknown-tcp / udp - please explain

L4 Transporter

Wow nice thread there :smileyhappy: I love that kind of candid, to the point feedback :smileyhappy:

L3 Networker

I was really upset when I wrote that thread and I might have become too rude throughout the discussion, but I'd had it with Juniper back then. Their NSM caused so much trouble it was unbelievable. Unfortunately, the same still holds true today. I just had a major crash on NSM two weeks ago from a failed DMI schema update. I love the SRX for its concept and the beauty of Junos, but NSM is destroying that platform for me and a lot of my customers.

Anyways. This probably doesn't belong here.

L4 Transporter

Hey man, no need to apologize, sometimes my passion bubbles a little too close to the surface too :smileyhappy:

L4 Transporter

Back on topic... this is what my PA-500 just threw at me for the 'share-p2p' App-ID on PANOS 4.1.12:

VSYS1

    vsys1: Rule 'Allow all with threat' application dependency warning:

     Application 'share-p2p' requires 'unknown-tcp' be allowed

(Module: device)

Configuration committed successfully

So yes, the original poster (cryptochrome) was correct in saying that for certain App-IDs, 'unknown-tcp' needs to be turned on. And I completely agree with him that "that's messed up" - I have to turn on 'unknown-tcp' for certain App-IDs to work? Say what?

L3 Networker

Yep. That's what worries me too. In PanOS 5.0 these dependencies are automatically resolved (so you actually never see what the firewall is really opening up). says that it will never be unknown-tcp that would be resolved, but why did 4.x need unknown-tcp and 5.0 does not? Where is this documented? I find this really scary.

L3 Networker

From PAN-EDU-201 v.5 rev A MOD 4 APP-Id slide 26

PAN-OS implicitly allows parent applications for a set of commonly used applications


Requiring that dependencies be allowed in order to enable an application can often allow more traffic than intended. For example, enabling access to web-browsing just to allow facebook-base allows users to browse other sites, requiring the administrator to configure other policies to regulate this access.

PAN-OS addresses this concern by implicitly allowing dependencies for a set of commonly used applications to streamline the security policy process. Implicit permissions of a parent application are only handled if there is no match with an explicit rule.

The complete list of implicitly allowed applications can be found in Appendix B of this manual.

Appendix B: implicitly allowed parent applications

Allowed application >> Implicit parent

• software-update apps; business-systems apps (e.g., erp-crm, storage-backup, sharepoint); web-mail apps, IMs, social-networking >> web-browsing

• Apps identified in the rpc decoder with a specific program ID (e.g., mount, nfs, portmapper, ibm-clearcase) >> rpc

• Apps identified in the msrpc decoder with a specific UUID (e.g., ms-exchange, active-directory, arcserve) >> msrpc

• msrpc >> ms-ds-smb

• ms-ds-smb >> netbios-ss

• Apps identified in the rtsp decoder based on the URI path in the first request message (including custom apps) >> rtsp

• Apps identified in the rtmp decoder based on the URI path in the first request packet (e.g., bbc-iplayer) >> rtmp, rtmpt

• Media streaming apps (e.g., napster, megavideo) >> flash

• ms-rdp, msn-remote-desktop >> t.120

• Apps identified based on the SSL hello or certificate in the response (ssh can remain in both uses-apps and implicit-uses-apps) >> ssl

• yahoo-voice, gtalk-voice, msn-voice, msn-video, facetime >> stun

• several IM apps >> jabber

• gotomeeting, gotomypc, gotoassist (customer is not expected to understand internals about Citrix ICA/Jedi) >> citrix/citrix-jedi

Never allowed: unknown-udp/tcp. I hope this could help.

L7 Applicator

So yes, the original poster (cryptochrome) was correct in saying that for certain App-IDs, 'unknown-tcp' needs to be turned on. And I completely agree with him that "that's messed up" - I have to turn on 'unknown-tcp' for certain App-IDs to work? Say what?

This is an uncommon case. Reading up on Share-P2P, it looks like it's all encrypted traffic, which probably makes it impossible to create a signature-based App-ID. I'm guessing the heuristics engine is what eventually detects this app, but until then it's identified as unknown-tcp. I'm not aware of any "business"-class apps that require unknown-tcp to also be allowed.

If you really must use this in your environment, then it would probably be a good idea to limit its use to specific users/computers/zones. 

L4 Transporter

jvalentine wrote:

If you really must use this in your environment, then it would probably be a good idea to limit its use to specific users/computers/zones. 

Honestly you're right, I don't have a business use case for this one. It was just an observation (I happened to be building an App-ID filter for Breaking Point testing I'm doing and I noticed that warning when I pushed the commit job)

L3 Networker

Thanks . What I still don't understand after reading this:

Say I have a rule base that does not allow web-browsing at all. Now I add a rule that allows facebook-base. Since facebook-base also needs web-browsing, it resolves this dependency and invisibly adds web-browsing to the facebook-base rule. So I now have a rule that allows web-browsing plus facebook-base. Does that mean that any web-browsing to any destination is now allowed? Or is it smart enough to actually only allow web-browsing to facebook?

L7 Applicator

Say I have a rule base that does not allow web-browsing at all. Now I add a rule that allows facebook-base. Since facebook-base also needs web-browsing, it resolves this dependency and invisibly adds web-browsing to the facebook-base rule. So I now have a rule that allows web-browsing plus facebook-base. Does that mean that any web-browsing to any destination is now allowed? Or is it smart enough to actually only allow web-browsing to facebook?

With 5.0, PAN-OS only allows just enough web-browsing in order to enable facebook-base.  It won't permit other non-facebook web-browsing activities.

This type of rule was also possible with 4.1, but was a major pain.  You had to create a custom URL category that contained things like facebook.com, *.facebook.com, fbcdn.com, etc. etc.  Then you needed two firewall rules:

- from trust to untrust application=web-browsing SERVICE/URL CATEGORY="new custom FB category" action=allow

- from trust to untrust application=facebook-base action=allow

The first rule allowed web-browsing only to domains listed in that custom category, which would be enough to let the App-ID shift into facebook-base.  The 5.0 code does the same thing, but without the complexity.

(Coincidentally, this is one of those few times where it is extremely useful to use URL CATEGORY as match criteria in the firewall rule.)
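To make the two behaviours discussed in this thread concrete (the commit-time dependency warning with and without implicit parent resolution, and the two-rule 4.1 workaround that limits web-browsing to a custom URL category), here is an added toy model written for this page. It is not PAN-OS code and not from any poster: the dependency table, the implicit-parent set and the policy evaluator are constructed from the examples quoted above (share-p2p requiring unknown-tcp, facebook-base requiring web-browsing, the Appendix B list), and the rule and session names are hypothetical. The custom URL category uses only the three domains the reply names; its "etc." is not filled in.

```python
"""Toy model of App-ID dependency checking and first-match rule evaluation.

Added illustration, not PAN-OS code. The dependency data below is constructed
from the examples quoted in this thread (share-p2p -> unknown-tcp,
facebook-base -> web-browsing, the Appendix B parent list) and is not the
vendor's App-ID database.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Direct parent requirements (constructed sample; real App-ID content is larger).
DEPENDS_ON = {
    "facebook-base": {"web-browsing"},
    "share-p2p": {"unknown-tcp"},
    "ms-exchange": {"msrpc"},
}

# Parents that PAN-OS 5.0 may resolve implicitly (from the Appendix B excerpt).
IMPLICIT_PARENTS = {
    "web-browsing", "rpc", "msrpc", "ms-ds-smb", "netbios-ss", "rtsp",
    "rtmp", "rtmpt", "flash", "t.120", "ssl", "stun", "jabber",
    "citrix", "citrix-jedi",
}

# Never resolved implicitly, per the training slide quoted above.
NEVER_IMPLICIT = {"unknown-tcp", "unknown-udp"}


@dataclass
class Rule:
    name: str
    applications: Set[str]
    action: str = "allow"
    # Custom URL category as a set of domain patterns; None means "any".
    url_category: Optional[Set[str]] = None


@dataclass
class Session:
    app: str   # App-ID the firewall has assigned so far
    host: str  # destination hostname, used for URL-category matching


def dependency_warnings(rules: List[Rule], implicit_resolution: bool = True) -> List[str]:
    """Reproduce the commit-time dependency warning for each unmet parent.

    With implicit_resolution=False this behaves like the 4.1 commit in the
    thread: every parent must be allowed explicitly. With True it mimics the
    5.0 behaviour: Appendix B parents are resolved silently, unknown-tcp/udp
    never are, so share-p2p still warns.
    """
    warnings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for app in sorted(rule.applications):
            for parent in sorted(DEPENDS_ON.get(app, ())):
                if parent in rule.applications:
                    continue  # explicitly allowed in the same rule
                if (implicit_resolution and parent in IMPLICIT_PARENTS
                        and parent not in NEVER_IMPLICIT):
                    continue  # resolved implicitly, invisibly to the admin
                warnings.append(
                    f"Rule '{rule.name}': Application '{app}' requires '{parent}' be allowed")
    return warnings


def host_in_category(host: str, patterns: Set[str]) -> bool:
    """Match a hostname against custom URL-category entries like '*.facebook.com'."""
    for pattern in patterns:
        if pattern.startswith("*."):
            if host == pattern[2:] or host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def evaluate(rules: List[Rule], session: Session) -> Tuple[str, str]:
    """First-match evaluation; unmatched sessions fall to the implicit deny."""
    for rule in rules:
        if session.app not in rule.applications:
            continue
        if rule.url_category is not None and not host_in_category(session.host, rule.url_category):
            continue
        return rule.name, rule.action
    return "implicit-deny", "deny"


# The two-rule 4.1 workaround from the reply above. The category holds only the
# three domains the reply lists; its "etc." is deliberately not filled in.
FB_CATEGORY = {"facebook.com", "*.facebook.com", "fbcdn.com"}
PANOS41_RULES = [
    Rule("fb-web-browsing", {"web-browsing"}, url_category=FB_CATEGORY),
    Rule("fb-base", {"facebook-base"}),
]

if __name__ == "__main__":
    for w in dependency_warnings([Rule("Allow all with threat", {"share-p2p"})]):
        print(w)
    for s in (Session("web-browsing", "www.facebook.com"),
              Session("web-browsing", "www.example.com"),
              Session("facebook-base", "www.facebook.com")):
        print(s, "->", evaluate(PANOS41_RULES, s))
```

Running it shows the share-p2p warning even with implicit resolution on (unknown-tcp is never resolved for you), a facebook-base rule that warns only in 4.1 mode, and a web-browsing session to www.example.com falling to the implicit deny while the same App-ID to www.facebook.com is allowed by the URL-category rule.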
