04-03-2013 12:14 AM
Hello.
I checked that ms-dtc standard port is tcp 139 on applipedia. I created couple of security rule for ms-dtc app-id and one was applied application-default at service column and other was applied specific service port tcp-49210, tcp-49217, tcp-49291.
Unfortunately PAN warned shadowing rule for above security rules.
I believe that ms-dtc app-id has not only tcp-139 and have a any other or more ports applied.
Please let me know what is standard port of ms-dtc app-id.
Thanks.
04-03-2013 12:58 AM
By the way, shadowing rule sounds odd when you use appid's.
Are you sure that none of the above dependencies isnt already used in the other rules?
In PANOS 5.0 PAN did some work regarding dependencies so one doesnt (in many cases) have to manually add all dependencies needed which gives that your previous workaround of manually added appid's (dependencies) can now be removed if you use 5.0 or newer.
04-03-2013 12:43 AM
ms-dtc use tcp/135 as standard port according to applipedia Application Research Center
However its dependent on msrpc, netbios-ss, ms-ds-smb which use:
msrpc
Standard Ports: tcp/dynamic, udp/dynamic
Depends on: ms-ds-smb, netbios-ss
netbios-ss
Standard Ports: tcp/139
ms-ds-smb
Standard Ports: tcp/445,139, udp/445
Depends on: netbios-dg, netbios-ss
netbios-dg
Standard Ports: udp/138
so I guess its not the ms-dtc itself that creates the shadowed rule but the dependency towards msrpc...
04-03-2013 12:58 AM
By the way, shadowing rule sounds odd when you use appid's.
Are you sure that none of the above dependencies isnt already used in the other rules?
In PANOS 5.0 PAN did some work regarding dependencies so one doesnt (in many cases) have to manually add all dependencies needed which gives that your previous workaround of manually added appid's (dependencies) can now be removed if you use 5.0 or newer.
04-03-2013 01:19 AM
Thanks.
PANOS 5.0.x is installed on my device that makes warn shadowing rule caused you mentioned. It's a cool enhanced app-id!!!. Many Thanks.
Application Dependency Enhancement – For some protocols, you can allow an application in security policy without
explicitly allowing its underlying protocol. This support is available if the application can be identified within a predetermined point in the session, and has a dependency on any of the following applications: HTTP, SSL, MSRPC, RPC,
t.120, RTSP, RTMP, and NETBIOS-SS. Custom applications based on HTTP, SSL, MS-RPC, or RTSP can also be
allowed in security policy without explicitly allowing the underlying protocol. For example, if you want to allow Java
software updates, which use HTTP (web-browsing), you no longer have to allow web-browsing. This feature will reduce
the overall number of rules needed to manage policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
