Why is traffic on port 3978 identified as the SSL application instead of the Panorama application?

Created On 06/20/23 15:54 PM - Last Modified 04/03/24 22:09 PM


Question


Why is traffic on port 3978 identified as the SSL application instead of the Panorama application?
 


Environment


  • Panorama with managed Firewalls
  • Upgrade to PAN-OS 10.2.x or later


Answer


  1. PAN-OS 10.2 uses TLS version 1.3, where the server certificate and all handshake messages after the "Server Hello" message are encrypted.
  2. Since the firewall does not find any matching content pattern to identify the App-ID "panorama", the session is identified as SSL on port 3978.
  3. To allow the traffic through the firewall, a security policy must be set to allow SSL traffic on port 3978.
  4. Without the above security policy, firewall-to-Panorama connectivity will be affected.
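
Added example (not part of this KB article): a small Python check over constructed PAN-OS-style traffic-log records that flags sessions to TCP/3978 which App-ID labelled ssl rather than panorama and which were denied, i.e. the symptom described above when no rule allows SSL on port 3978. The column names and log lines are constructed for the example and are an assumption about the export format, not real data.

```python
import csv
import io
from typing import Dict, List

PANORAMA_PORT = "3978"

# Constructed sample traffic-log export (not real logs). The columns are a
# subset of the usual PAN-OS traffic-log fields; the exact header names in a
# real export may differ, so adjust them to your export.
SAMPLE_LOG = """receive_time,src,dst,dport,app,action,rule
2024/04/03 10:00:01,10.1.1.10,10.9.9.5,3978,panorama,allow,allow-panorama
2024/04/03 10:00:02,10.1.1.11,10.9.9.5,3978,ssl,deny,interzone-default
2024/04/03 10:00:03,10.1.1.12,10.9.9.5,3978,ssl,allow,allow-ssl-3978
2024/04/03 10:00:04,10.1.1.13,203.0.113.7,443,ssl,allow,allow-web
"""


def parse_traffic_log(text: str) -> List[Dict[str, str]]:
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_blocked_panorama_sessions(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Sessions to the Panorama port that App-ID saw as 'ssl' (not 'panorama')
    and that were denied: the TLS 1.3 situation the article describes."""
    return [r for r in rows
            if r["dport"] == PANORAMA_PORT
            and r["app"] == "ssl"
            and r["action"] == "deny"]


def apps_seen_on_panorama_port(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count App-ID labels on port 3978, to confirm the shift from 'panorama' to 'ssl'."""
    counts: Dict[str, int] = {}
    for r in rows:
        if r["dport"] == PANORAMA_PORT:
            counts[r["app"]] = counts.get(r["app"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    print("App-ID labels on port 3978:", apps_seen_on_panorama_port(rows))
    for r in find_blocked_panorama_sessions(rows):
        print(f"{r['src']} -> {r['dst']}:{r['dport']} app={r['app']} denied by rule "
              f"'{r['rule']}': add a security policy allowing application ssl on tcp/3978")
```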


Additional Information


  • This article applies to the traffic between the management port of the firewall and Panorama.
  • Traffic between a client and a server that passes through the data ports of the firewall is still subject to App-ID rules, even with TLS 1.3.
  • App-ID uses multiple identification mechanisms to determine the exact identity of applications traversing the network. If encryption (SSL or SSH) is in use, a decryption policy is needed.

