07-16-2025 11:25 PM - edited 07-16-2025 11:26 PM
I work with a network scenario where we have two firewall towards the internet and the desktop PCs are behind PaloAlto as perimeter and Cisco as internal firewall, so we can compare the same traffic whether it is identified properly or not.
It seems that PaloAlto has some problem identifying traffic from Windows Push Notification Service. Not all the sessions are properly identified, many of them are simply noted as unknown-tcp. Cisco doesn't seem to have a problem, i t is logged as Microsoft WNS, but Palo Alto does. Briefly I turned off SSL Decryption and maybe more sessions have been identified this way, but is it that much difficult to have App Signature for such a widespread application? Is it OK to allow unknown-tcp traffic to pass through? Why is it risk level 1?
Does anyone else has encountered such problem? And please share your experiance.
09-09-2025 01:21 PM
Same exact issue here. No resolution on this end, unfortunately. I'm grabbing IPs from https://learn.microsoft.com/en-us/windows/apps/develop/notifications/push-notifications/firewall-all... and adding to a an unknown-tcp allow rule. It's only a temporary hack, though. The IPs can change, Microsoft says.
09-09-2025 11:06 PM
Permanently added hostname *.wns.windows.com in the SSL Decryption Exclusion and now all the sessions are properly identified. The firewall has problem with identifying it if decrypted, not with encrypted.
09-10-2025 09:19 AM
That fixed it for us @I.Stevkovski! Thank you!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
