Hello -
I have a very basic question. If I create a rule with app-ids, but service set to any, how is that a security issue? BPA says to set the service to application-default.
I'm updating service-only rules to be app-id rules. The trouble is that if I create an app-id rule above the service rule with all the app-ids seen in the service rule in the last, say, 200 days and clear the counter on the service rule below, the service rule is still getting hit if I set the app-id rule above to application-default (in the service section of the app-id rule). If I set the service section of the app-id rule to use any, then the service rule below doesn't get hit.
Hopefully I am making sense.
App-id rules with service any will allow all the applications on every port.

App-id rules with service ports will allow all the applications on all the listed ports.

App-id rules with application-default will allow all applications, but each application can only use its own default port(s); if any of the applications you're seeing is using a non-default port (i.e. http on port 81), these sessions will not hit application-default rules.
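The behaviour described in this thread, as an added example that is not part of the original posts and is not PAN-OS code: a simplified first-match model showing why a session on a non-default port falls through an application-default rule to the service rule below it. The rule names, the sample sessions and the default-port table are constructed for illustration, and the model assumes the application has already been identified.

```python
# Simplified model of top-down, first-match policy evaluation.
# Default ports and sessions are sample values constructed for this example.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}}

ANY = "any"
APP_DEFAULT = "application-default"


def service_matches(service, app, port):
    """Return True if the rule's service setting permits this app/port pair."""
    if service == ANY:
        return True                      # every port is acceptable
    if service == APP_DEFAULT:
        return port in APP_DEFAULT_PORTS.get(app, set())
    return port in service               # explicit set of listed ports


def rule_matches(rule, app, port):
    app_ok = rule["apps"] == ANY or app in rule["apps"]
    return app_ok and service_matches(rule["service"], app, port)


def first_match(rulebase, app, port):
    """Rules are evaluated top-down; the first matching rule wins."""
    for rule in rulebase:
        if rule_matches(rule, app, port):
            return rule["name"]
    return "default-deny"


def hit_counts(rulebase, sessions):
    counts = {}
    for app, port in sessions:
        name = first_match(rulebase, app, port)
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_rulebase(app_rule_service):
    """New app-id rule placed above the legacy service-only rule."""
    return [
        {"name": "app-id-rule", "apps": {"web-browsing", "ssl"},
         "service": app_rule_service},
        {"name": "legacy-service-rule", "apps": ANY, "service": {80, 81, 443}},
    ]


# Constructed sessions: one web-browsing session uses non-default port 81.
SESSIONS = [("web-browsing", 80), ("ssl", 443), ("web-browsing", 81)]
```

Comparing `hit_counts(build_rulebase(APP_DEFAULT), SESSIONS)` with `hit_counts(build_rulebase(ANY), SESSIONS)` shows the port-81 session landing on the legacy rule in the first case only, while `first_match(build_rulebase(ANY), "web-browsing", 8080)` shows what service any additionally permits.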