App-IDs for SSL-Secured Versions of Well-Known Services

Details

Many well-known services such as LDAP, IMAP, POP3, SMTP, and FTP have an SSL-secured version available that runs on an alternate SSL-variant port that is different from their standard port. In all of these cases, the traffic is identified as the 'ssl' application by App-ID on the Palo Alto Networks firewall.

There are a few different approaches to creating a security policy to allow these services. Some of these are discussed below:

1. Use StartTLS which is supported by all these protocols. See http://en.wikipedia.org/wiki/STARTTLS. In this case, they will be identified as the App-ID corresponding to the protocol (ldap, imap, pop3, etc) instead of as 'ssl' and they use the standard port for the protocol rather than the SSL-variant port.
2. Create service objects for the SSL-variant ports, and allow 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:995; FTPS:TCP/990.
3. Create custom apps based on your server certificate. See example for this on DevCenter: Custom Application for SSL-based traffic
4. Enable decryption, and these will be identified as the corresponding App-ID: smtp, imap, pop3, etc.

See Also

How to Implement SSL Decryption

owner: savasarala