Windows-Remote-Management & Implicit Use of Web-Browsing


L6 Presenter

I need your help with understanding this. 

 

We've got a rule that was intermittently working.  We built a rule around the use of "windows-remote-management" which is using the standard port of 5985/tcp.  The rule is a service "application-default" rule.

 

When we look through the logs we see that some of the traffic that should be matching this rule is not matching this rule and is being denied.  It's being denied because "web-browsing" is being seen over port 5985.

 

I understand that the app-default port for web-browsing is 80/tcp, but given that the App-ID WRM was created to use the standard default port 5985, shouldn't web-browsing which is implicitly allowed on this app-id follow the default port of 5985?

 

I've got an active support case on this topic, and TAC is telling me that is not the way it works, but this just doesn't make sense to me.  TAC is saying that even though web-browsing is implicitly allowed in the WRM app-id, since web-browsing is being seen on the non-standard port of 5985, the traffic should be blocked.

 

If I build a rule intending to allow only "Windows Remote Management" and this traffic occurs over 5985/tcp shouldn't any other associated traffic also work and be allowed?  To me the implicit association of web-browsing with WRM is never going to work, w/o the rule being a service "any" rule.  Meaning web-browsing should be a "depends-on" and not an "implicit use" application.

 


 

1 REPLY 1

L5 Sessionator

I agree with you, and TAC is wrong.

If I configured a rule as below:

[screenshot of the rule configuration]

 

The rule on the box is recognized as below:

)> show running security-policy

"test; index: 1" {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
user any;
source-device any;
destination-device any;
source-advanced-device any;
destination-advanced-device any;
category any;
application/service [0:windows-remote-ma/tcp/any/5985 1:windows-remote-ma/tcp/any/5986 ];
application/service(implicit) [0:web-browsing/tcp/any/5985 1:web-browsing/tcp/any/5986 ];
action allow;
icmp-unreachable: no
terminal yes;
}

 

As you know, "web-browsing/tcp/any/5985" is "application/protocol/source-port/dest-port".

 

By the way, I found this issue in the release notes.

===

PAN-194408

Fixed an issue where, when policy rules had the apps that implicitly depended on web browsing configured with the service application default, traffic did not match the rule correctly.

===

 

Even though I don't know which version you are using, you should check whether you are hitting this or not.

I can find this bug-id in the 10.1.6-h3, 10.1.7 and 10.2.3 release notes.
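As an added illustration (not PAN-OS code and not the poster's), a small Python model that parses the two application/service lines from the "show running security-policy" output above and reports which entry a given flow would match. The matching logic is an assumption about how application-default should behave based on that output, not the firewall's actual engine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two application/service lines quoted from the
# "show running security-policy" output in the reply above.
RULE_OUTPUT = """\
application/service [0:windows-remote-ma/tcp/any/5985 1:windows-remote-ma/tcp/any/5986 ];
application/service(implicit) [0:web-browsing/tcp/any/5985 1:web-browsing/tcp/any/5986 ];
"""

@dataclass(frozen=True)
class AppService:
    app: str        # application name as printed (the CLI truncates long names)
    proto: str      # tcp or udp
    sport: str      # source port or "any"
    dport: str      # destination port or "any"
    implicit: bool  # True when listed under application/service(implicit)

# index:application/protocol/source-port/dest-port, as described in the reply
ENTRY_RE = re.compile(r"\d+:([\w.-]+)/(\w+)/(\w+)/(\w+)")

def parse_app_services(text: str) -> list:
    """Parse application/service and application/service(implicit) lines."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("application/service"):
            continue
        implicit = "(implicit)" in line
        for app, proto, sport, dport in ENTRY_RE.findall(line):
            entries.append(AppService(app, proto, sport, dport, implicit))
    return entries

def matches(entries: list, app: str, proto: str, dport: int) -> Optional[AppService]:
    """Hypothetical application-default check: the identified app, protocol and
    destination port must all agree with one tuple in the rule. Names are
    compared by printed prefix because the CLI truncates them."""
    for e in entries:
        if (app.startswith(e.app) and e.proto == proto
                and (e.dport == "any" or int(e.dport) == dport)):
            return e
    return None

if __name__ == "__main__":
    rule = parse_app_services(RULE_OUTPUT)
    for flow in [("windows-remote-management", "tcp", 5985),
                 ("web-browsing", "tcp", 5985), ("web-browsing", "tcp", 80)]:
        print(flow, "->", matches(rule, *flow))
```

Under this model web-browsing on 5985/tcp lands on the implicit entry, which is the behaviour the original post expected and which the release note says was broken in the affected versions; web-browsing on 80/tcp does not match this rule at all.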
