Gotchas with Palo Alto Firewall App-IDs for Active Directory LDAPs and Windows KMS activation

I've had two different Palo Alto Firewall App-ID issues bite me this week.

The first one was it blocking LDAPS connections on TCP port 636 to Active Directory. The built-in Active Directory App-ID doesn't understand that there should be TLS traffic on port 636, and the IPS closes the connection as soon as the source sends the TLS handshake request. Setting that port to the TLS App-ID fixed it.

The second was the Palo Alto blocking KMS requests on TCP 1688. Apparently the MS-kms App-ID doesn't work for this protocol. We had to change it to MS-rpc.

What's infuriating about both of these is that the port shows as open in Test-NetConnection and PortQry, because a bare TCP connect completes. The traffic is only blocked once you make a real application request and the firewall has a payload to classify.
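
Here is an added diagnostic (my own example, not from the original post) that shows the gap described above: it first does the plain TCP connect that Test-NetConnection and PortQry rely on, then sends a real TLS ClientHello to the same port, which is the point at which an App-ID mismatch on the firewall cuts the session. The server name `dc01.example.local` is an assumed placeholder; certificate validation is deliberately skipped because the goal is to test reachability of the handshake, not trust.

```powershell
function Test-LdapsHandshake {
    # Returns an object with two independent results: whether the TCP port is
    # reachable (all a port scanner checks) and whether a TLS handshake completes
    # (what a real LDAPS client needs).
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 636
    )

    $result = [ordered]@{
        Server   = $Server
        Port     = $Port
        TcpOpen  = $false
        TlsOk    = $false
        Protocol = $null
        Error    = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: bare TCP connect. This is the check that reports "open"
        # even when the firewall will drop the application traffic.
        $client.Connect($Server, $Port)
        $result.TcpOpen = $true

        # Step 2: send a real TLS ClientHello on the established connection.
        # Certificate validation is skipped on purpose: this is a reachability
        # test, not a trust check.
        $acceptAny = { param($s, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Server)

        $result.TlsOk    = $true
        $result.Protocol = $ssl.SslProtocol
        $ssl.Dispose()
    }
    catch {
        # A firewall resetting the session after the ClientHello shows up here
        # as a connection reset / forcibly closed error with TcpOpen = $true.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Dispose()
    }

    [pscustomobject]$result
}

# Usage (hostname is an assumed placeholder; replace with your domain controller):
Test-LdapsHandshake -Server 'dc01.example.local' -Port 636 | Format-List
```

A result of `TcpOpen = True` with `TlsOk = False` and a reset error is the signature of the first gotcha above: the port is reachable, but the firewall kills the session as soon as the application payload arrives. For the KMS case on TCP 1688 the equivalent "real application request" is simply running activation (`cscript slmgr.vbs /ato`) against the KMS host after the port check passes.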

Finding this sort of thing is what pays for my groceries. :)
