06-13-2022 05:58 AM - edited 06-13-2022 06:01 AM
There is no FW policy which allows the SSL application over port TCP 27017 between the given source/destinations. In fact it shows deny in Monitor -> Logs, but I'm able to telnet from the source to the destination (172.20.249.77) over port 27017 successfully, which is really weird. What could be the reason for this?
Deny Logs
06-13-2022 07:51 AM
Hello,
For the Telnet traffic, which policy is allowing this in the traffic logs? Also, you can create a policy that will allow SSL over other ports: just select SSL as the application, and then select a custom Service (port).
You will have to create the new service for 27017. Just click New in the drop-down.
Regards,
06-17-2022 10:01 PM
Thanks for your reply, but I would like to give more clarity on my issue, where telnet to 27017 works even though there is no policy, and it's not showing in the logs either. It set me back when I saw such an occurrence while troubleshooting.
PS : it's not allowed by any implicit policies also.
06-19-2022 03:50 PM
Hi @VivekPAN,
Do you have other L7 rules that might allow tcp/27017 before the application is identified? When you telnet to a port, you execute the TCP 3-way handshake. This traffic may be allowed until the NGFW sees enough packets to identify the application. Once the NGFW has determined the application, it can allow or deny the traffic based upon the L7 rules. The best practice to avoid allowing these initial packets is to ensure that you set application-default as the service for your L7 rules. Then only the default ports are initially allowed. Verify you do not have any L7 rules with a service of any. For apps with non-standard ports, use a custom service.
Thanks,
Tom
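The mechanism Tom describes (an application-based allow rule with service "any" admits the TCP handshake on every port before App-ID has identified the traffic, whereas application-default or a custom service restricts which ports the handshake can reach) can be checked mechanically against a security rulebase export. The following Python is an added example, not code from the thread or from Palo Alto Networks. It uses a constructed rulebase in the PAN-OS security-rulebase XML layout, an illustrative subset of App-ID default ports, and a hypothetical custom service object named tcp-27017; the first-match simulation is a simplified model that assumes zones and addresses already match and only looks at service, which is the part of the match that matters for this question.

```python
import xml.etree.ElementTree as ET

# Constructed rulebase in PAN-OS security-rulebase XML layout (not from the thread).
# {svc} is the service of the first rule, so the weak and corrected forms can be compared.
RULEBASE_TEMPLATE = """<rules>
  <entry name="allow-ssl-to-db">
    <from><member>trust</member></from>
    <to><member>dmz</member></to>
    <source><member>10.1.1.0/24</member></source>
    <destination><member>172.20.249.0/24</member></destination>
    <application><member>ssl</member></application>
    <service><member>{svc}</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-mongo-custom">
    <from><member>trust</member></from>
    <to><member>dmz</member></to>
    <source><member>10.1.1.0/24</member></source>
    <destination><member>172.20.249.77</member></destination>
    <application><member>ssl</member></application>
    <service><member>tcp-27017</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-all">
    <from><member>any</member></from>
    <to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>
"""
WEAK_RULEBASE = RULEBASE_TEMPLATE.format(svc="any")                  # service = any
HARDENED_RULEBASE = RULEBASE_TEMPLATE.format(svc="application-default")

# Illustrative subset of App-ID default ports; the real table ships with the content update.
DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}
# Hypothetical custom service object, as Tom suggests for non-standard ports.
CUSTOM_SERVICES = {"tcp-27017": {27017}}


def members(entry, tag):
    """Return the <member> values under <tag> of a rule entry."""
    return [m.text.strip() for m in entry.findall(f"./{tag}/member") if m.text]


def leaky_l7_rules(xml_text):
    """Names of allow rules that match on a specific application but use service 'any'.

    Such rules let the 3-way handshake through on any destination port until App-ID
    has seen enough payload to identify (and then possibly deny) the session.
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for entry in root.findall("./entry"):
        action = (entry.findtext("action") or "").strip()
        apps = members(entry, "application")
        if action != "allow" or "any" in apps:
            continue  # deny rules and pure L4 rules are not the App-ID gap in question
        if "any" in members(entry, "service"):
            flagged.append(entry.get("name"))
    return flagged


def service_matches(service_names, apps, dst_port):
    """Does the rule's service column admit dst_port before the app is known?"""
    for svc in service_names:
        if svc == "any":
            return True
        if svc == "application-default":
            if any(dst_port in DEFAULT_PORTS.get(app, set()) for app in apps):
                return True
        elif dst_port in CUSTOM_SERVICES.get(svc, set()):
            return True
    return False


def rule_for_handshake(xml_text, dst_port):
    """Simplified first-match lookup for the SYN, when the application is still unknown.

    Every rule's application list is a candidate at this stage, so only the service
    column can disqualify a rule. Zones and addresses are assumed to match.
    Returns (rule_name, action) or None.
    """
    root = ET.fromstring(xml_text)
    for entry in root.findall("./entry"):
        if service_matches(members(entry, "service"), members(entry, "application"), dst_port):
            return entry.get("name"), (entry.findtext("action") or "").strip()
    return None


if __name__ == "__main__":
    print("leaky rules (weak):    ", leaky_l7_rules(WEAK_RULEBASE))
    print("leaky rules (hardened):", leaky_l7_rules(HARDENED_RULEBASE))
    for port in (443, 27017, 9999):
        print(f"port {port}: weak={rule_for_handshake(WEAK_RULEBASE, port)} "
              f"hardened={rule_for_handshake(HARDENED_RULEBASE, port)}")
```

With the weak rulebase the telnet handshake to 27017 is admitted by the ssl rule with service any, which is exactly the symptom in the original post; with application-default on that rule, 27017 is only admitted by the dedicated custom-service rule and an arbitrary port such as 9999 falls through to the deny rule, so the handshake never completes.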
06-29-2022 01:12 AM - edited 06-29-2022 01:19 AM
Hi Tom,
Thanks for your response.
1/ I don't have a firewall rule which allows tcp/27017 at all, but the telnet to port 27017 from the source succeeds.
2/ I have another query which is in no way related to the above. For example, I have the below policy in place in my FW. The actual SSL application works fine from the source to the destination. But if I do a "telnet 172.1.1.2 443" from the source (10.1.1.1), the connection gets a "TCP timeout" as a result. Do I need to allow the "telnet" application in the same policy as well to make this work? Does that mean telnet'ing the destination on a TCP port does not help to verify the 3-way handshake unless the "telnet" app is allowed between them?
source - 10.1.1.1
destination - 172.1.1.2
destination port - 443
application - ssl
service - application-default
action - allow