So the release notes for 7.1 say that "When you configure a Security policy rule with the Application setting Any and the Service setting application-default, all applications are now permitted only on their standard ports as defined in Palo Alto Networks Applipedia." I thought that was the case previously but that is not the point of this post.
What I found is that when using a policy with the Application set to any and the Service set application-default, traffic matches the policy and is allowed and shows in the traffic log as allowed and matching that policy. However, the traffic doesn't work. This has been the case on apple devices with gmail in the mail app. Created a new policy matching gmail-base with service set to any allows the traffic to match and now works. This is also the case with other apple devices with other apps.
Perhaps it seems that the application is not being identified while using application-default? I don't know. If traffic is matching the any Application setting but the application is not sending over on default application ports, why does this create a policy match rather than letting the traffic be further check for a more specific policy? If this traffic matches a policy set to allow, then why is the traffic essentially blocked or denied without an accompanied log showing that the traffic is being blocked?
Anyone else having this experience on 7.1.x?
Apple's services use SSL on NON-STANDARD ports (aka NOT 443); Services such as apple mail and different things like that.
- monitor the sessions from a SSH session (putty) and try to find traffic that has a State of DISCARD
> show session all filter state DISCARD
- modified the policy that is dropping the traffic and change the policy's service to ANY or the specified service rather than APPLICATION-DEFAULT
- we can also use the report in the ACC tab to get more information about traffic using non-standard ports: (ACC > Threat Activity > Applications Using Non Standard Ports | Rules Allowing Apps On Non Standard Ports)
Hope this post helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!