unauthorized application goes to specific rule


L3 Networker

Hello,

I have defined a rule that allows pings (using the "ping" application). However, there are lots of other applications that flow through this rule, even "web-browsing"!!!

How is this possible?

Regards,

Laurent


L4 Transporter

Hi Laurent,

You should not see web-browsing as an application that uses the same security rule as the one set for allowing pings.

If you want to block everything except ping , you may keep an explicit deny rule at the bottom.

Thanks

Parth

Hello,

Thanks for your help.

I want to know why I have other applications that are matched by my ping rule. See printscreen attached.

Regards,

Laurent

Looking at your traffic log and the rule I would advise you to open a case with support. This merits closer examination.

Thank you,

Benjamin

Hi Laurent,

Can you change the service to use application-default and the application to ping, and try to see what results you get.

You can set an application and then "any" service; our App-ID engine will filter based on application regardless of ports. Also, most applications have an "application default" option for service. For instance, if you set application "ssl" and selected "application default" for service, it would only allow the ssl application on port 443. If it detected ssl traffic on an irregular port, it would not be processed under that rule. Likewise, if you set application to "any", you could then specify services and it would only apply the policy to those services (ports) regardless of application.

Also, I see that the following IP addresses come from the same zone XDMZ. Is this the intended setup?

Logs show:

(1) 10.120.134.28, which uses application SiteScope Jmx collection

(2) 10.120.120.56, which uses application ping

(3) 145.232.250.140/141, which use web-browsing

Thanks

Parth


Hi Parth,

Indeed, when setting service to "application-default" it's much better. No more heterogeneous traffic. The only other traffic I get is "incomplete".

Thanks for your help.

However, I don't really understand why the application signature was not sufficient in this case...

Regards,

Laurent

L0 Member

Hi,

Do you have any news on that topic?

We experienced the same issue here on version 4.1.6.

regards,

Joseph

Are my eyes playing with me, or isn't the second-to-last rule basically an "any any allow" (which would explain why traffic is let through), looking at the picture provided by ?

Yes but the rule which is matched in the log is the ping one

Ahh 🙂

What if you 1) ping, 2) do some web-browsing (or whatever) from a srcip which belongs to grp-cisco-css towards a dstip which belongs to grp-addi-web?

Will the traffic log then (for the 2nd case above) display "Keep_Alive_CSS" as the rule hit, or "ALLOW ANY FROM XDMZ" (or whatever the rules are named in your case)?

I'm thinking that the compiler incorrectly merged (by optimization) the "any any allow" rule with the first occurrence where this srcip/dstip combo exists (like some inverse shadow rule), so the wrong rule hit is displayed (I mean security-wise it's correct because you do have an "any any accept" (which in most cases is bad), but the incorrect rule is being blamed for why traffic was let through)?
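The two points raised in this thread (Parth's explanation of how the service setting interacts with the identified application, and the later question of which rule a web-browsing flow from the grp-cisco-css/grp-addi-web pair should hit) can be checked against a small first-match policy model. The code below is an added illustration written for this page; it is not PAN-OS code and does not reproduce the real App-ID engine or its rule compiler. The application-default port table, the group membership and the addresses are constructed placeholders (the destination uses the RFC 5737 documentation range); only the rule names and the 10.120.120.56 source are taken from the thread.

```python
"""Simplified first-match security policy model: application + service matching.

Added illustration, not firewall code. Each rule carries an application set and a
service setting of "any", "application-default", or an explicit set of ports.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

Port = Tuple[str, Optional[int]]  # (protocol, destination port); ICMP carries no port

# Constructed application-default table for this illustration. On a real firewall
# the per-application standard ports come from the App-ID content, not from here.
APP_DEFAULT_PORTS = {
    "ping": {("icmp", None)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    app: str  # application as identified by the engine


@dataclass
class Rule:
    name: str
    src: Optional[Set[str]]         # None means "any"
    dst: Optional[Set[str]]         # None means "any"
    app: Optional[Set[str]]         # None means "any"
    service: Union[str, Set[Port]]  # "any", "application-default", or explicit ports
    action: str

    def matches(self, f: Flow) -> bool:
        if self.src is not None and f.src not in self.src:
            return False
        if self.dst is not None and f.dst not in self.dst:
            return False
        if self.app is not None and f.app not in self.app:
            return False
        if self.service == "any":
            # Application alone decides; the port is irrelevant.
            return True
        if self.service == "application-default":
            # The application must also arrive on its standard port(s).
            return (f.proto, f.dport) in APP_DEFAULT_PORTS.get(f.app, set())
        # Explicit service: only the listed ports, whatever the application.
        return (f.proto, f.dport) in self.service


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, str]:
    """Top-down first match wins; an implicit deny sits below the rulebase."""
    for r in rules:
        if r.matches(f):
            return r.name, r.action
    return "implicit-deny", "deny"


# Constructed rulebase mirroring the thread: the ping keep-alive rule above a
# broad allow-any rule. Group membership is hypothetical.
GRP_CISCO_CSS = {"10.120.120.56"}
GRP_ADDI_WEB = {"192.0.2.10"}  # placeholder destination (RFC 5737 range)

RULEBASE = [
    Rule("Keep_Alive_CSS", GRP_CISCO_CSS, GRP_ADDI_WEB, {"ping"}, "application-default", "allow"),
    Rule("ALLOW ANY FROM XDMZ", None, None, None, "any", "allow"),
]


def ping_flow() -> Flow:
    return Flow("10.120.120.56", "192.0.2.10", "icmp", None, "ping")


def web_flow() -> Flow:
    return Flow("10.120.120.56", "192.0.2.10", "tcp", 80, "web-browsing")


# Parth's ssl example: with application-default, ssl on an irregular port does not
# match; with application "any" plus an explicit service, only the port matters.
SSL_DEFAULT_RULE = Rule("ssl-standard-port", None, None, {"ssl"}, "application-default", "allow")
PORT_443_ONLY_RULE = Rule("tcp-443-any-app", None, None, None, {("tcp", 443)}, "allow")


if __name__ == "__main__":
    for f in (ping_flow(), web_flow()):
        print(f.app, "->", evaluate(RULEBASE, f))
    print("ssl on 8443 vs app-default:", evaluate([SSL_DEFAULT_RULE], Flow("a", "b", "tcp", 8443, "ssl")))
    print("web-browsing on 443 vs explicit port:", evaluate([PORT_443_ONLY_RULE], Flow("a", "b", "tcp", 443, "web-browsing")))
```

In this model the web-browsing flow from the same source/destination pair never matches the ping rule; it falls through to the broad allow-any rule, which is the rule hit a log would be expected to show. Any log that attributes that flow to the ping rule is therefore worth raising with support, as Benjamin suggested.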
