- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-09-2022 07:25 AM
Hello,
I have been working with Cisco firewalls for the last 20 years, but I'm very new with Palo Alto and PANOS.
At the moment I have a PA-460 in my lab for learning purpose.
It's a basic setup with just a simple NAT/PAT rule for outgoing traffic to Internet and some basic access rules.
Most things are working great, but I'm having some issues with a newsreader application (SABnzbd) that I'm running on a Synology NAS.
The newsreader application cannot download any files and in the traffic monitor, I see either incomplete or insufficient-data.
This application has been working without any issues when using a Cisco Firepower FTD firewall, so I am trying to figure out what can be wrong.
The newsreader is using TCP port 563 (which is the default port for NNTP protocol over TLS/SSL). If I change the port to 443, everything is working and I can now download files.
Does anyone know why I'm not able to use port 563 and how I can fix this?
Thanks
/Jorgen
11-13-2022 12:43 PM
Hi @jorgenfrejso ,
You probably have your service in your security policy rules set to application-default. With any protocol that runs over TLS (LDAPS, NNTP, etc.), the protocol is encapsulated within TLS. Without decryption, the NGFW only sees TLS. The default port for the App-ID "ssl" is 443, and that is the only port that TLS will be allowed to pass through the NGFW if the service is set to application-default.
You can do a quick test. Change the service to any and see if it works.
If you enable logging on the interzone-default rule, you should see the traffic hit that rule under Monitor > Logs > Traffic. Just like the other firewalls you have experience, if it hits the default drop then it didn't match any rules.
Note: Monitor > Logs > Traffic only shows sessions that have ended if you have Log at Session End configured for your rules, which is the best practice. Active sessions are found under Monitor > Session Browser. If you do not have any logging configured for rules, they will not show up under the Monitor tab.
Thanks,
Tom
11-11-2022 02:27 PM
Hi @jorgenfrejso , hope all is well! For next steps I would recommend setting up packet filters for the traffic in question and then collecting a packet capture and the global counters from the cli. You can use the following commands on the cli:
debug dataplane packet-diag set filter match source <synology ip> destination-port 563
debug dataplane packet-diag set filter match destination <synology ip> source-port 563
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture stage receive file rxtx.pcap
debug dataplane packet-diag set capture stage transmit file rxtx.pcap
debug dataplane packet-diag set capture stage drop file dp.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture on
show counter global filter packet-filter yes
****Start Test Traffic***
debug dataplane packet-diag show filter-marked-session
show session id <id from above output>
show counter global filter packet-filter yes delta yes <------ Run this command once every 5-10 seconds for 3 intervals (or until the test is complete)
debug dataplane packet-diag set capture off
**copy the output from the global counters command to a notepad file**
download the packet captures from the gui by navigating to Monitor > Packet Capture
screenshots of your security policy rulebase would be helpful as well
11-12-2022 10:49 AM
Hi @MIST3R_VIRTS3C Thank you for the suggestions.
I will try the packet filters as soon as I get access to my lab and I'll let you know the results.
/Jorgen
11-13-2022 12:43 PM
Hi @jorgenfrejso ,
You probably have your service in your security policy rules set to application-default. With any protocol that runs over TLS (LDAPS, NNTP, etc.), the protocol is encapsulated within TLS. Without decryption, the NGFW only sees TLS. The default port for the App-ID "ssl" is 443, and that is the only port that TLS will be allowed to pass through the NGFW if the service is set to application-default.
You can do a quick test. Change the service to any and see if it works.
If you enable logging on the interzone-default rule, you should see the traffic hit that rule under Monitor > Logs > Traffic. Just like the other firewalls you have experience, if it hits the default drop then it didn't match any rules.
Note: Monitor > Logs > Traffic only shows sessions that have ended if you have Log at Session End configured for your rules, which is the best practice. Active sessions are found under Monitor > Session Browser. If you do not have any logging configured for rules, they will not show up under the Monitor tab.
Thanks,
Tom
11-15-2022 04:49 AM
Thanks Tom,
You are probalby right about the security policy rules is set to application-default. I noticed a similair issue with IMAP over SSL. I will test to change it to any and let you know the result.
/Jorgen
11-15-2022 06:57 AM
I can confirm that NNTPS and IMAP over SSL are working when change the service from application-default to any.
I also noticed the option to specify custom applications and ports but is there a way to add ports to the application-default? Or can I make a clone of it and add the ports I need?
Thanks
/Jorgen
11-15-2022 07:06 AM
Hi @jorgenfrejso ,
You are correct. You cannot have a rule with application-default and specific ports. You are also correct that it is a good idea to clone the rule and have 2 rules - 1 with application default and 1 with specific ports. In this case since "ssl" only has the default port of tcp/443, I would change application-default to those 3 ports - tcp/443, tcp/563, and tcp/993.
If you left the rule with "ssl" and any for the services, the security rule would allow a few packets on all ports until the application is identified. This method is the least secure.
Thanks,
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!