Palo Alto Networks Knowledgebase: App-IDs for SSL-Secured Versions of Well-Known Services

App-IDs for SSL-Secured Versions of Well-Known Services

23588
Created On 02/08/19 00:08 AM - Last Updated 02/08/19 00:08 AM
Policy
Resolution

Details

Many well-known services such as LDAP, IMAP, POP3, SMTP, and FTP have an SSL-secured version available that runs on an alternate SSL-variant port that is different from their standard port. In all of these cases, the traffic is identified as the 'ssl' application by App-ID on the Palo Alto Networks firewall.

There are a few different approaches to creating a security policy to allow these services. Some of these are discussed below:

  1. Use StartTLS which is supported by all these protocols. See http://en.wikipedia.org/wiki/STARTTLS. In this case, they will be identified as the App-ID corresponding to the protocol (ldap, imap, pop3, etc) instead of as 'ssl' and they use the standard port for the protocol rather than the SSL-variant port.
  2. Create service objects for the SSL-variant ports, and allow 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:995; FTPS:TCP/990.
  3. Create custom apps based on your server certificate. See example for this on DevCenter: Custom Application for SSL-based traffic
  4. Enable decryption, and these will be identified as the corresponding App-ID: smtp, imap, pop3, etc.

See Also

How to Implement SSL Decryption

owner: savasarala



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHqCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language