This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About tezza
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About tezza
10-06-2020
25Posts
4Likes
0Solutions
Oct 06, 2020Last Visited
User
Activity
User
Profile
Latest posts by tezza
| Subject | Views | Posted |
|---|---|---|
| 2002 | 05-15-2018 09:14 PM | |
| 3611 | 11-05-2017 01:44 PM | |
| 7884 | 02-27-2017 03:48 PM | |
| 7962 | 02-23-2017 01:27 PM | |
| 8135 | 02-22-2017 11:45 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 07-22-2014 06:02 PM | |
| 3 Likes | 02-23-2016 05:02 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 3 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 10-22-2012 08:22 PM |
| Date Last Visited | 10-06-2020 06:47 AM |
| Posts | 25 |
| Total Likes Received | 4 |
02-27-2017
03:48 PM
@gwessonyou are correct we could just change the service to any but this is a security comprimise as we do have multiple application in this rule. The reason we are using application default is we need to specify the ports to adhere to our security requirements. @OtakarKlieryou are also correct as we currently have rules to allow these applications over port 443 but these rules are becoming cumbersome to manage. Update also I am told these 2 feature requests might be the fix. FR ID : 2636, this is to dynamically update the port information and allow the traffic. FR ID : 3914, Ability to Clone an existing App-ID (not custom) and change name and ports. Anyone else want to get their SE to put in a vote for these?
... View more
02-23-2017
01:27 PM
This is not my experience. We are currently running 7.0.10 in any case. I will give an example. Rule Source: Trust Zone, Specified Addresses, and Trusted User --> Destination: Untrust Zone, Any Address, Application http-video (plus other apps), Application default | Allow, with security profile enable as well. 1. User browses to a news website www.stuff.co.nz and tries to view an article with a video embedded. 2. The video uses the application http-video (Applipedia says port 80 only) but the provider of the video uses https for the link to the video which puts it on port 443. 3. The Palo alto firewall decryptes the traffic and recognises the application as http-video but the port that it is using is 443. 4. The firewall then blocks the application because the port is not the application default as its expecting port 80. Given I would prefer to decrypt this sort of traffic as otherwise it just shows as SSL rather than http-video, how would I fix this without creating new rules for each application I have this issue with?
... View more
02-22-2017
11:45 AM
After enabling decryption recently we started to have a few issues with applications being identified incorrectly. A few common examples of this are sap, http-video and http-audio These end up being blocked with "application default" for the service, this appears to be because in some instances sites use https anyway and once these apps are decrypted they show as going over port 443 rather than 80 which makes sense but is contrary to the app-id signatures default ports. I know we can create rules for applications like this to allow them specifically but this is starting to become very time consuming to create a rule for every application that has this issue. Is there a way to allow this traffic while still inspecting it with some sort of override? it feels a little like there should be a http-video (Decrypted) or https-video application. I think it would be great to be able to create an application signature that overrides default settings, this would allow you to pick pre existing application signature and override the default ports for example. We can then add this overriden application to a pre-existing rule. Is there another work around for this I have missed?
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks