Security policy using an application filter that blocks Risk Level 5 apps blocking applications with lower risk levels

Created On 03/23/23 19:26 PM - Last Modified 06/04/25 19:26 PM


Symptom


  • Details are explained by using an example.
  • Example: the application msrpc-base has a risk rating of 2 and therefore should not be blocked by an application filter that blocks risk level 5 applications
> configure
# show predefined application msrpc-base
msrpc-base {
  ottawa-name msrpc;
  category networking;
  subcategory infrastructure;
  technology network-protocol;
  alg yes;
  ....(Output Omitted)....
  ....
  risk 2;
  application-container msrpc;
}
# exit

  • Running a test security-policy-match with msrpc-base shows it is hitting the deny policy "Block High Risk Apps" for risk level 5 applications
> test security-policy-match source 10.163.248.107 destination 10.163.68.13 application msrpc-base protocol 16

"Block High Risk Apps; index: 8" {
        from any;
        source any;
        source-region none;
        to any;
        destination any;
        destination-region none;
        user any;
        source-device any;
        destinataion-device any;
        category any;
        application/service [0:any/any/any/any 1:icmp/icmp/any/any 2:ms-frs/tcp/any/any 3:ms-win-dns/tcp/any/any 4:ms-wins/tcp/any/any 5:usejump/tcp/any/80 .....(Output omitted)....
   42:ssl/tcp/any/9990 43:ssl/tcp/any/9991 44:ssl/tcp/any/21116 ... ];
        action deny;
        icmp-unreachable: no
        terminal no;
}
  • This is confirmed by looking at the session information
> show session id 462467

Session          462467

        c2s flow:
                source:      10.163.242.125 [Inside]
                dst:         10.163.68.13
                proto:       6
                sport:       65355           dport:      135
                state:       DISCARD         type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.163.68.13 [Outside]
                dst:         10.163.242.125
                proto:       6
                sport:       135             dport:      65355
                state:       DISCARD         type:       FLOW
                src user:    unknown
                dst user:    unknown

        Slot                                 : 1
        DP                                   : 0
        index(local):                        : 462467
        start time                           : Thu Mar  2 17:35:26 2023
        timeout                              : 90 sec
        time to live                         : 28 sec
        total byte count(c2s)                : 3892
        total byte count(s2c)                : 898
        layer7 packet count(c2s)             : 14
        layer7 packet count(s2c)             : 5
        vsys                                 : vsys1
        application                          : msrpc-base
        rule                                 : Block High Risk Apps
       ...(Output omitted)...
        tracker stage firewall               : l7 proc
        end-reason                           : policy-deny


 


Environment


  • PA-5220
  • PAN-OS 10.1.6-h3
  • Application filter


Cause


  • Another application filter is configured with the name "http" (GUI: Objects > Application Filters)
(Screenshot: Application Filter)
  • Naming an application filter or custom application after an existing decoder (here "http") causes that filter to be expanded to include all applications associated with that decoder name, so the rule ends up matching applications below the intended risk level.


Resolution


  1. Do not use the name of an existing application decoder (e.g. "http") as the name of an application filter.
  2. Alternatively, upgrade to a PAN-OS version that contains the fix: 10.1.11, 10.2.8, 11.0.3, 11.0.4.
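The following Python script is an added example, not part of the article or of any Palo Alto Networks tooling. It parses the two CLI output formats shown above (the brace-formatted `show predefined application` output and the `test security-policy-match` rule dump) and reports which applications a "block risk 5" rule actually matches that carry a lower risk rating, which is how the symptom above would be spotted before a user reports it. It also checks a list of application filter names against decoder names so the cause can be caught at configuration time. The sample outputs, the risk values other than msrpc-base's 2, and the decoder-name list (other than "http") are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `show predefined application` output. Only msrpc-base
# (risk 2) comes from the article; the other entries and their risk values are
# made up for this example.
PREDEFINED_OUTPUT = """\
msrpc-base {
  ottawa-name msrpc;
  category networking;
  subcategory infrastructure;
  technology network-protocol;
  alg yes;
  risk 2;
  application-container msrpc;
}
ms-frs {
  category networking;
  risk 2;
}
usejump {
  category general-internet;
  risk 5;
}
ssl {
  category networking;
  risk 4;
}
"""

# Constructed sample of `test security-policy-match` output in the same layout
# as the article's, with a shorter (made-up) application/service list.
POLICY_MATCH_OUTPUT = """\
"Block High Risk Apps; index: 8" {
        from any;
        source any;
        to any;
        destination any;
        application/service [0:any/any/any/any 1:icmp/icmp/any/any 2:ms-frs/tcp/any/any
   3:usejump/tcp/any/80 4:ssl/tcp/any/9990 5:msrpc-base/tcp/any/135 ];
        action deny;
        terminal no;
}
"""

# Hypothetical decoder-name list for the collision check. Only "http" is named
# by the article; the others are placeholders, so replace this with the real list.
DECODER_NAMES = {"http", "ssl", "dns", "smtp", "ftp", "msrpc"}


def parse_predefined_risk(text: str) -> Dict[str, int]:
    """Map application name -> risk level from brace-formatted CLI output."""
    risks: Dict[str, int] = {}
    for m in re.finditer(r"^(\S+) \{\n(.*?)^\}", text, re.M | re.S):
        name, body = m.group(1), m.group(2)
        r = re.search(r"^\s*risk (\d+);", body, re.M)
        if r:
            risks[name] = int(r.group(1))
    return risks


def parse_rule_applications(text: str) -> Dict[str, List[str]]:
    """Map rule name -> applications listed in its application/service block."""
    rules: Dict[str, List[str]] = {}
    for m in re.finditer(r'^"([^"]+?); index: \d+" \{\n(.*?)^\}', text, re.M | re.S):
        name, body = m.group(1), m.group(2)
        svc = re.search(r"application/service \[(.*?)\]", body, re.S)
        # Entries look like "2:ms-frs/tcp/any/any"; keep the application field only.
        apps = re.findall(r"\d+:([^/\s]+)/", svc.group(1)) if svc else []
        rules[name] = [a for a in apps if a != "any"]
    return rules


def audit_block_rule(rule: str, rules: Dict[str, List[str]], risks: Dict[str, int],
                     min_risk: int = 5) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (below_threshold, unknown) for the applications a block rule matches.

    below_threshold: (app, risk) pairs with risk < min_risk, i.e. applications the
    rule should not be catching; unknown: apps with no risk entry in `risks`.
    """
    below: List[Tuple[str, int]] = []
    unknown: List[str] = []
    for app in rules.get(rule, []):
        if app not in risks:
            unknown.append(app)
        elif risks[app] < min_risk:
            below.append((app, risks[app]))
    return below, unknown


def check_filter_names(filter_names: List[str], decoder_names=DECODER_NAMES) -> List[str]:
    """Return application filter names that collide with a decoder name."""
    return [n for n in filter_names if n.lower() in decoder_names]


if __name__ == "__main__":
    risks = parse_predefined_risk(PREDEFINED_OUTPUT)
    rules = parse_rule_applications(POLICY_MATCH_OUTPUT)
    below, unknown = audit_block_rule("Block High Risk Apps", rules, risks)
    for app, risk in below:
        print(f"rule matches {app} (risk {risk}) although it should only block risk 5")
    for app in unknown:
        print(f"no risk entry available for {app}")
    for name in check_filter_names(["http", "block-risk-5"]):
        print(f"filter name '{name}' collides with a decoder name; rename it")
```

On a real firewall the two inputs would be the saved output of `show predefined application` for each application of interest and of `test security-policy-match` for the rule under review; the parsers only depend on the layout visible in the article, so output that differs in other fields still parses.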


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHU1CAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail