App-IDs for SSL-Secured Versions of Well-Known Services
86718
Created On 09/25/18 17:41 PM - Last Modified 06/08/23 07:02 AM
Resolution
Details
Many well-known services such as LDAP, IMAP, POP3, SMTP, and FTP have an SSL-secured version that runs on an alternate SSL-variant port, different from the protocol's standard port. Because the connection begins with a TLS handshake rather than the protocol's own exchange, App-ID on the Palo Alto Networks firewall identifies all of this traffic as the 'ssl' application rather than as the underlying protocol.
There are a few different approaches to creating a security policy to allow these services. Some of these are discussed below:
- Use STARTTLS, which all of these protocols support. See http://en.wikipedia.org/wiki/STARTTLS. In this case the traffic is identified as the App-ID corresponding to the protocol (ldap, imap, pop3, etc.) instead of as 'ssl', and it uses the protocol's standard port rather than the SSL-variant port.
- Create service objects for the SSL-variant ports, and allow the 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:TCP/995; FTPS:TCP/990.
- Create custom apps based on your server certificate. See example for this on DevCenter: Custom Application for SSL-based traffic
- Enable decryption, and these will be identified as the corresponding App-ID: smtp, imap, pop3, etc.
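The second approach above (service objects on the SSL-variant ports, with the 'ssl' App-ID allowed only on those services) expressed as PAN-OS CLI configuration. This is an added example, not part of the original article: the object and rule names, the zone names trust and untrust, and the exact CLI syntax are assumptions and should be checked against the CLI reference for the PAN-OS version in use.

```text
# Enter configuration mode on the firewall (assumed PAN-OS CLI syntax).
configure

# Service objects for the SSL-variant ports listed in the article.
set service SMTPS protocol tcp port 465
set service IMAPS protocol tcp port 993
set service POP3S protocol tcp port 995
set service FTPS  protocol tcp port 990

# Allow the 'ssl' App-ID only on those services, not on 'any'.
# Rule name and zones (trust -> untrust) are placeholders for this example.
set rulebase security rules Allow-SSL-Variant-Mail-FTP from trust to untrust
set rulebase security rules Allow-SSL-Variant-Mail-FTP source any destination any
set rulebase security rules Allow-SSL-Variant-Mail-FTP application ssl
set rulebase security rules Allow-SSL-Variant-Mail-FTP service [ SMTPS IMAPS POP3S FTPS ]
set rulebase security rules Allow-SSL-Variant-Mail-FTP action allow

commit
```

Restricting the rule's service to the SSL-variant ports is what keeps this approach narrow: the 'ssl' App-ID with service 'any' would match TLS on every port. Note that without decryption the firewall still cannot confirm that the TLS session on TCP/465 actually carries SMTP, so the rule trusts the port rather than the application; the decryption approach in the last bullet removes that limitation.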
See Also
How to Implement SSL Decryption
owner: savasarala