Why does traffic log show Application for a rule that uses a Service?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Why does traffic log show Application for a rule that uses a Service?

L4 Transporter

Hello folks,

 

I am doing some testing (studying) on using Applications vs Services and have a question about the traffic log.

 

Why does the traffic log identify the traffic and rule to an Application when the rules are setup as Service?

 

My rules are setup as Service.

fwapps.jpg

 

Traffic log identifies them as Applications.

fwapps3.jpg

 

Is it because Applications are set to any?

I assuming that even though the Traffic log identifies an application, the traffic is not inspected as so (Layer 7)?

 

1 accepted solution

Accepted Solutions

L7 Applicator

Layer 7 inspection happens on all sessions to a degree. An exception would be if you created an application override policy that would prevent it.

 

Your rules are port-based, but App-ID is still functioning. The application won't be taken into account when processing the rules, and with your profiles set to none it will not be doing any threat scanning on the traffic hitting those rules, but App-ID is still active.

 

Regards,

Greg

View solution in original post

8 REPLIES 8

L7 Applicator

Layer 7 inspection happens on all sessions to a degree. An exception would be if you created an application override policy that would prevent it.

 

Your rules are port-based, but App-ID is still functioning. The application won't be taken into account when processing the rules, and with your profiles set to none it will not be doing any threat scanning on the traffic hitting those rules, but App-ID is still active.

 

Regards,

Greg

L6 Presenter

Palo does APP-ID and it based on the traffic which is passing through. If you specify app as "any" and the services as http or RDP in the security policy, palo will scan all traffic that is matching this policy. Based on the allowed port (services) it will identify application using app-id future (based on signature, port number etc). So Palo always does L7 inspection unless you do app-override, then it is only up to L4 (TCP/UDP port numbers).

@gwesson took me a bit longer to finish my post 😉

@TranceforLife Every once in a while I can be a post ninja, but you usually beat me 🙂

Recently spending too much time next to the pc. Not good 😞

Thank guys! 

 

So what if the traffic does not match an application in the database (when set to any)?

Does it just take the service port route and then skip Layer 7 inspection and stay at Layer 4?

Nope, every initial packet will get Layer 7 inspection. It makes sense if you know the flow - if it has enough information to know it doesn't match any app, then it's already done the L7 inspection.

 

If no app is matched, you'll see the app listed as "unknown-tcp" or "unknown-udp" depending on the underlying protocol. That is fairly rare though, as the app-id database is pretty expansive.

Thank you!

  • 1 accepted solution
  • 3799 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!