I've got a rule that allows the following applications from any source in our trusted zone out to any destination in the untrust zone:

appdynamics, dns-over-https, dns-over-tls, github, ms-delve, net.tcp, ntp, ocsp, okta, paloalto-updates, paloalto-wildfire-cloud, pan-db-cloud, rtcp, service-now, skype, ssh, windows-azure, windows-push-notifications

The rule is set for application-default. We have some legitimate traffic on our network that goes from trust to untrust with the destination port of tcp/37. For some reason, this traffic is matching up to this rule. None of the applications in the rule list tcp/37 as a default port. Only two of those applications (skype and net.tcp) have dynamic default ports. When the tcp/37 traffic hits this rule, the application always shows up as "insufficient-data". I know what the traffic is - it is supposed to be the old "TIME" protocol. I've actually created a rule specific for this further down the list. Any idea why the traffic would match up to this rule?
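An added triage example, not part of the poster's question or any Palo Alto tooling: before working out why tcp/37 lands on the application-default rule, it helps to confirm from the traffic log whether the "insufficient-data" sessions ever carried payload. The script below parses constructed CSV traffic-log rows (the column names are assumptions loosely modelled on PAN-OS traffic-log fields, and the rule names, addresses and default-port set are made up), groups the unclassified sessions by rule, protocol and destination port, flags sessions that look handshake-only, and lists which of those ports fall outside the rule's expected application-default ports.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample traffic-log rows (not captured from a real firewall). The
# column names are assumptions loosely modelled on PAN-OS traffic-log fields.
SAMPLE_TRAFFIC_LOG = """\
rule,app,src,dst,proto,dport,packets_sent,packets_received,bytes_sent,bytes_received,session_end_reason
trust-to-untrust-apps,insufficient-data,10.1.1.10,203.0.113.5,tcp,37,1,1,74,60,tcp-rst-from-server
trust-to-untrust-apps,insufficient-data,10.1.1.11,203.0.113.5,tcp,37,1,0,74,0,aged-out
trust-to-untrust-apps,insufficient-data,10.1.1.15,203.0.113.5,tcp,37,2,1,134,60,tcp-rst-from-client
trust-to-untrust-apps,ssh,10.1.1.12,203.0.113.9,tcp,22,30,28,4200,5100,tcp-fin
trust-to-untrust-apps,ntp,10.1.1.13,203.0.113.20,udp,123,1,1,90,90,aged-out
time-tcp37,unknown-tcp,10.1.1.14,203.0.113.5,tcp,37,3,3,180,200,tcp-fin
"""

# Heuristic (an assumption, not a PAN-OS definition): a session in which neither
# side sent more than this many packets never got past the TCP handshake, so
# App-ID had no payload to classify.
HANDSHAKE_PACKET_LIMIT = 2

INT_FIELDS = ("dport", "packets_sent", "packets_received", "bytes_sent", "bytes_received")


def parse_traffic_log(text):
    """Parse CSV traffic-log text into dicts, converting numeric columns to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in INT_FIELDS:
            row[field] = int(row[field])
        rows.append(row)
    return rows


def summarize_unidentified(rows, app_label="insufficient-data"):
    """Group sessions App-ID could not classify by (rule, proto, dport).

    For each group, count the sessions, how many look handshake-only, and the
    session-end reasons, so the analyst can see whether the sessions carried
    any payload before they ended.
    """
    summary = defaultdict(lambda: {"sessions": 0, "handshake_only": 0, "end_reasons": Counter()})
    for row in rows:
        if row["app"] != app_label:
            continue
        entry = summary[(row["rule"], row["proto"], row["dport"])]
        entry["sessions"] += 1
        if max(row["packets_sent"], row["packets_received"]) <= HANDSHAKE_PACKET_LIMIT:
            entry["handshake_only"] += 1
        entry["end_reasons"][row["session_end_reason"]] += 1
    return dict(summary)


def ports_outside_default(summary, default_ports):
    """Return the (rule, proto, dport) groups whose port is not among the ports
    the rule's applications are expected to use. default_ports maps a rule name
    to a set of (proto, port) tuples."""
    return sorted(
        key for key in summary
        if (key[1], key[2]) not in default_ports.get(key[0], set())
    )


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    summary = summarize_unidentified(rows)
    # Constructed expected-port set for the rule: ssh tcp/22, ntp udp/123, ...
    expected = {"trust-to-untrust-apps": {("tcp", 22), ("udp", 123), ("tcp", 443), ("tcp", 853), ("udp", 853)}}
    for key, entry in sorted(summary.items()):
        print(key, entry["sessions"], "sessions,", entry["handshake_only"],
              "handshake-only,", dict(entry["end_reasons"]))
    print("unidentified sessions on non-default ports:", ports_outside_default(summary, expected))
```

Run against a real export, a group where every session is handshake-only and the end reasons are resets or age-outs tells you App-ID never saw application data for those sessions, which narrows the question to how the initial policy lookup treated the port rather than to a misidentified application.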
I know the question about how to set Reconnaissance Protection thresholds has been asked dozens of times. The answer is always "it depends on your environment and situation". I understand that there can't be a one-size-fits-all best practice. It seems as though a trial-and-error approach is how you should dial in the thresholds and intervals. But are there any unique factors that should be taken into consideration that could give you a general idea rather than taking shots in the dark? Like how many different hosts and services are accessible from that zone? Average connections per second? Frequency of any types of events in the threat logs?
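An added baselining example, not part of the poster's question or of any vendor guidance: the factors the poster lists (hosts and services reachable from the zone, connection rates) can be measured from the zone's own allowed traffic before choosing thresholds. The script below takes constructed session records (timestamp, source, destination, destination port; the addresses and the "monitoring server" 10.1.1.20 are made up), computes for each source the largest number of distinct destination ports and distinct destination hosts seen in any fixed window of the chosen interval, and derives a threshold that sits above the observed peaks of ordinary hosts once known heavy sources are set aside. The fixed-window bucketing is a simplification of how a firewall counts and is an assumption of this example.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample of allowed sessions (not real firewall output): epoch
# seconds, source, destination, destination port. 10.1.1.20 stands in for a
# monitoring server that legitimately touches many ports on one host.
SAMPLE_SESSIONS = """\
ts,src,dst,dport
1000,10.1.1.10,203.0.113.5,443
1001,10.1.1.10,203.0.113.6,443
1002,10.1.1.10,203.0.113.7,443
1003,10.1.1.10,203.0.113.5,80
1012,10.1.1.10,203.0.113.5,443
1000,10.1.1.20,203.0.113.50,22
1001,10.1.1.20,203.0.113.50,23
1002,10.1.1.20,203.0.113.50,25
1003,10.1.1.20,203.0.113.50,80
1004,10.1.1.20,203.0.113.50,443
1005,10.1.1.20,203.0.113.50,8080
1007,10.1.1.30,203.0.113.60,53
1008,10.1.1.30,203.0.113.61,53
"""


def parse_sessions(text):
    """Parse the CSV session records into dicts with int timestamp and port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": int(row["ts"]), "src": row["src"],
                     "dst": row["dst"], "dport": int(row["dport"])})
    return rows


def peak_distinct_per_source(rows, interval_s):
    """For each source, the largest number of distinct destination ports and
    distinct destination hosts seen within any single interval_s-second window.
    Windows are fixed buckets (ts // interval_s), a simplification of how a
    firewall counts; treat the result as a baseline, not an exact replay."""
    windows = defaultdict(lambda: {"ports": set(), "hosts": set()})
    for row in rows:
        w = windows[(row["src"], row["ts"] // interval_s)]
        w["ports"].add(row["dport"])
        w["hosts"].add(row["dst"])
    peaks = defaultdict(lambda: {"ports": 0, "hosts": 0})
    for (src, _), w in windows.items():
        peaks[src]["ports"] = max(peaks[src]["ports"], len(w["ports"]))
        peaks[src]["hosts"] = max(peaks[src]["hosts"], len(w["hosts"]))
    return dict(peaks)


def threshold_above_baseline(peaks, key, exclude=frozenset(), margin=2.0):
    """Highest observed peak for key ("ports" or "hosts") among non-excluded
    sources, times a safety margin, so ordinary bursts stay under it. Sources
    in exclude are known scanners or monitoring hosts that are better handled
    as explicit exclusions than by sizing the zone-wide threshold around them."""
    observed = [p[key] for src, p in peaks.items() if src not in exclude]
    if not observed:
        return 0
    return math.ceil(max(observed) * margin)


def sources_exceeding(peaks, key, threshold):
    """Sources whose peak for key meets or exceeds the candidate threshold."""
    return sorted(src for src, p in peaks.items() if p[key] >= threshold)


if __name__ == "__main__":
    interval = 10  # seconds per window, the same unit as a recon-protection interval
    peaks = peak_distinct_per_source(parse_sessions(SAMPLE_SESSIONS), interval)
    for src, p in sorted(peaks.items()):
        print(f"{src}: peak {p['ports']} ports, {p['hosts']} hosts per {interval}s")
    known_heavy = {"10.1.1.20"}
    port_thr = threshold_above_baseline(peaks, "ports", exclude=known_heavy)
    host_thr = threshold_above_baseline(peaks, "hosts", exclude=known_heavy)
    print("candidate port-scan threshold:", port_thr, "sources over it:",
          sources_exceeding(peaks, "ports", port_thr))
    print("candidate host-sweep threshold:", host_thr, "sources over it:",
          sources_exceeding(peaks, "hosts", host_thr))
```

The point of separating the known heavy sources is that the same script answers two questions at once: what the bulk of the zone looks like at a given interval, and which specific hosts would trip a threshold sized for that bulk and therefore need to be reviewed or listed as exclusions rather than used to loosen the threshold for everyone.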