This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Upgrade to 7.1.6 application-default issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Upgrade to 7.1.6 application-default issue

jtuten
L0 Member

‎01-10-2017 01:38 PM

So the release notes for 7.1 say that "When you configure a Security policy rule with the Application setting Any and the Service setting application-default, all applications are now permitted only on their standard ports as defined in Palo Alto Networks Applipedia." I thought that was the case previously but that is not the point of this post.  

 

What I found is that when using a policy with the Application set to any and the Service set application-default, traffic matches the policy and is allowed and shows in the traffic log as allowed and matching that policy.  However, the traffic doesn't work.  This has been the case on apple devices with gmail in the mail app.  Created a new policy matching gmail-base with service set to any allows the traffic to match and now works.  This is also the case with other apple devices with other apps.

 

Perhaps it seems that the application is not being identified while using application-default? I don't know.  If traffic is matching the any Application setting but the application is not sending over on default application ports, why does this create a policy match rather than letting the traffic be further check for a more specific policy?  If this traffic matches a policy set to allow, then why is the traffic essentially blocked or denied without an accompanied log showing that the traffic is being blocked? 

 

Anyone else having this experience on 7.1.x? 

 

0 Likes Likes
1 REPLY 1

JDominguez
L2 Linker

‎01-13-2017 10:40 AM

Apple's services use SSL on NON-STANDARD ports (aka NOT 443); Services such as apple mail and different things like that. 

 

- monitor the sessions from a SSH session (putty) and try to find traffic that has a State of DISCARD

> show session all filter state DISCARD


- modified the policy that is dropping the traffic and change the policy's service to ANY or the specified service rather than APPLICATION-DEFAULT


- we can also use the report in the ACC tab to get more information about traffic using non-standard ports: (ACC > Threat Activity > Applications Using Non Standard Ports | Rules Allowing Apps On Non Standard Ports)

 

Hope this post helps.

 

Regards,

 

-JD

0 Likes Likes
  • 2167 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks