App-IDs for SSL-Secured Versions of Well-Known Services

App-IDs for SSL-Secured Versions of Well-Known Services

Created On 09/25/18 17:41 PM - Last Modified 02/08/19 00:08 AM



Many well-known services such as LDAP, IMAP, POP3, SMTP, and FTP have an SSL-secured version available that runs on an alternate SSL-variant port that is different from their standard port. In all of these cases, the traffic is identified as the 'ssl' application by App-ID on the Palo Alto Networks firewall.

There are a few different approaches to creating a security policy to allow these services. Some of these are discussed below:

  1. Use StartTLS which is supported by all these protocols. See In this case, they will be identified as the App-ID corresponding to the protocol (ldap, imap, pop3, etc) instead of as 'ssl' and they use the standard port for the protocol rather than the SSL-variant port.
  2. Create service objects for the SSL-variant ports, and allow 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:995; FTPS:TCP/990.
  3. Create custom apps based on your server certificate. See example for this on DevCenter: Custom Application for SSL-based traffic
  4. Enable decryption, and these will be identified as the corresponding App-ID: smtp, imap, pop3, etc.

See Also

How to Implement SSL Decryption

owner: savasarala

  • Print
  • Copy Link

Choose Language