"paloalto-userid-agent" is identified as "ssl" after PAN-OS upgrade to 10.2
Created On 12/27/23 11:03 AM - Last Modified 04/01/24 21:29 PM


Symptom


  • User-ID Redistribution stops working after an upgrade to PAN-OS 10.2.x.
  • Traffic logs show the "paloalto-userid-agent" application identified as the "ssl" application.
  • As a result, User-ID traffic fails to match security policies that have "paloalto-userid-agent" configured as the App-ID.


Environment


  • Firewall upgrade to PAN-OS 10.2.x
  • User-ID Redistribution
  • Security Policies enforcing "paloalto-userid-agent" Application


Cause


  • PAN-OS 10.2 uses TLS version 1.3, where the server certificate and all handshake messages after the "Server Hello" message are encrypted.
  • "paloalto-userid-agent" uses values within the Certificate message for identification, and that message is encrypted in TLSv1.3.
  • Thus the application is no longer identified as "paloalto-userid-agent", but as "ssl".
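
The difference in what a passive inspector can read is shown in the following added example, which is not Palo Alto Networks code and does not describe how App-ID is implemented. It walks the TLS record layer of two constructed server flights and lists the messages readable without decryption; the function names and the sample byte strings are assumptions made for illustration.

```python
import struct

# Record content types and handshake message types from the TLS specifications.
CONTENT = {20: "change_cipher_spec", 21: "alert", 23: "application_data"}
HANDSHAKE = {2: "server_hello", 11: "certificate", 14: "server_hello_done"}

def record(ctype, payload):
    """Wrap a payload in a TLS record header (legacy version 0x0303)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def hs(msg_type, body):
    """Wrap a body in a handshake header: 1-byte type, 3-byte length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def visible_messages(stream):
    """Name what a passive inspector can read in a server's first flight.

    Assumes each handshake message sits inside one record (no fragmentation).
    """
    seen, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break  # truncated record: stop rather than misparse
        pos += 5 + length
        if ctype != 22:  # only type 22 records carry readable handshake messages
            seen.append(CONTENT.get(ctype, f"unknown({ctype})"))
            continue
        off = 0
        while off + 4 <= len(payload):
            mlen = int.from_bytes(payload[off + 1:off + 4], "big")
            seen.append(HANDSHAKE.get(payload[off], f"handshake({payload[off]})"))
            off += 4 + mlen
    return seen

def certificate_visible(stream):
    """True when the Certificate message can be read without decryption."""
    return "certificate" in visible_messages(stream)

# Constructed server flights; bodies are dummy bytes, not real handshake data.
TLS12_FLIGHT = record(22, hs(2, b"\x00" * 38)) + record(22, hs(11, b"dummy-cert") + hs(14, b""))
# TLS 1.3: everything after ServerHello travels in encrypted application_data records.
TLS13_FLIGHT = record(22, hs(2, b"\x00" * 38)) + record(20, b"\x01") + record(23, b"\xaa" * 64)

if __name__ == "__main__":
    for name, flight in (("TLS 1.2", TLS12_FLIGHT), ("TLS 1.3", TLS13_FLIGHT)):
        print(name, visible_messages(flight), certificate_visible(flight))
```

In the TLS 1.3 flight the only named handshake message is the Server Hello, so anything that keys on Certificate fields has nothing to read and the session can only be classified generically.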


Resolution


  1. Reconfigure the Security Policies that use the "paloalto-userid-agent" App-ID to allow the "ssl" application.
  2. Commit the configuration.


Additional Information


Product Management teams are looking for different solutions so we can continue to use more specific Applications like "paloalto-userid-agent".

Why is traffic on port 3978 Identified as SSL application instead of Panorama application?


