NTP traffic misidentified as dns-base if source port is UDP/5353
Created On 06/05/23 14:32 PM - Last Modified 06/04/25 19:27 PM
Symptom
- NTP traffic sourced from UDP/5353 is denied.
- Session info shows the session as DISCARD.
- Note that the destination port is UDP/123 which is the service port for NTP.
> show session all
---------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
---------------------------------------------------------------------------
166 dns-base DISCARD FLOW 10.179.74.150[5353]/Client/17 (10.179.74.150[5353])
vsys1 10.126.8.204[123]/Server (10.126.8.204[123])
- Detailed session info shows the traffic being blocked due to a threat being detected (end-reason: threat).
> show session id 166
Session 166
c2s flow:
source: 10.179.74.150 [Client]
dst: 10.126.8.204
proto: 17
sport: 5353 dport: 123
state: DISCARD type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.126.8.204 [Server]
dst: 10.179.74.150
proto: 17
sport: 123 dport: 5353
state: DISCARD type: FLOW
src user: unknown
dst user: unknown
start time : Tue May 9 11:56:18 2023
timeout : 60 sec
time to live : 47 sec
total byte count(c2s) : 90
total byte count(s2c) : 90
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 1
vsys : vsys1
application : dns-base
rule : Client-to-Server-any
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/1
egress interface : ethernet1/2
session QoS rule : N/A (class 4)
tracker stage firewall : mitigation tdb drop all
end-reason : threat
Environment
- PANOS-10.1.9-hx
- Palo Alto 5450 Firewalls
- Content version: 8705-8026
Cause
The DNS decoder fails to call the NTP decoder after determining that the traffic is not DNS, so the session keeps the dns-base application and is dropped by threat mitigation.
Resolution
- The issue is fixed in content version 8738-8202.
- The workaround is to configure an application-override policy based on the ntp-base application.
- Refer to How to create Application Override for details.
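To check whether a firewall is hitting this issue before applying the workaround, the following added script (not Palo Alto Networks code) parses the two-line-per-session layout of `show session all` shown above and lists UDP/123 sessions that App-ID did not classify as NTP. The sample output embedded in it is constructed to mirror that layout.

```python
"""List UDP/123 sessions whose App-ID is not ntp (candidates for this bug)."""
import re

# Constructed sample in the two-line layout of `show session all`.
SAMPLE_OUTPUT = """\
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
---------------------------------------------------------------------------
166 dns-base DISCARD FLOW 10.179.74.150[5353]/Client/17 (10.179.74.150[5353])
vsys1 10.126.8.204[123]/Server (10.126.8.204[123])
167 ntp-base ACTIVE FLOW 10.179.74.151[40123]/Client/17 (10.179.74.151[40123])
vsys1 10.126.8.204[123]/Server (10.126.8.204[123])
168 dns-base ACTIVE FLOW 10.179.74.152[5353]/Client/17 (10.179.74.152[5353])
vsys1 10.126.8.53[53]/Server (10.126.8.53[53])
"""

# Matches "IP[port]/Zone" with an optional "/proto" suffix (present on the src line only).
ENDPOINT = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\]/([^/\s]+)(?:/(\d+))?")
NTP_PORT, UDP = 123, 17

def parse_sessions(text):
    """Return one dict per session; header and separator lines are skipped."""
    sessions = []
    lines = [l for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines) - 1:
        fields = lines[i].split()
        if not fields[0].isdigit():      # header, column names or dashes
            i += 1
            continue
        src = ENDPOINT.search(lines[i])       # first line: src endpoint + proto
        dst = ENDPOINT.search(lines[i + 1])   # second line: vsys + dst endpoint
        if src and dst:
            sessions.append({
                "id": int(fields[0]), "app": fields[1], "state": fields[2],
                "src": src.group(1), "sport": int(src.group(2)),
                "proto": int(src.group(4) or 0),
                "dst": dst.group(1), "dport": int(dst.group(2)),
            })
        i += 2
    return sessions

def misidentified_ntp(sessions):
    """UDP sessions to port 123 that were not identified as an ntp application."""
    return [s for s in sessions
            if s["proto"] == UDP and s["dport"] == NTP_PORT
            and not s["app"].startswith("ntp")]

if __name__ == "__main__":
    for s in misidentified_ntp(parse_sessions(SAMPLE_OUTPUT)):
        print(f"session {s['id']}: {s['src']}[{s['sport']}] -> {s['dst']}[{s['dport']}] "
              f"identified as {s['app']} ({s['state']})")
```

Only session 166 is reported: 167 is correctly ntp-base and 168 is real mDNS-sourced DNS traffic to port 53.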