More specific app segment conflicts with generic app segment on different ports

Hi all,

Customer has defined an App Segment (RDP Access) as a subnet (172.21.0.0/24) for RDP traffic (tcp port 3389). The app segment allows ICMP. There is an access policy allowing users access to this app segment.

One of the servers in that subnet also hosts another service, for example, on port 4000. User creates an app segment for that server (172.21.0.7) and that port (tcp port 4000). The app segment allows ICMP. There is no access policy allowing access to this app segment yet.

Also, there is no discovery/allow all access policy.

As soon as that server specific app segment was created, new connections to 172.21.0.7 via RDP are unsuccessful. They no longer match the RDP Access app segment.

For some reason, the host-specific App Segment, for an app listening on a totally different port, is bypassing the App Segment that should be matching.

A more specific App Segment/Access Policy defined on the same port being bypassed makes sense. This does not. Hosts can offer multiple applications and need different App Segments assigned.

Is this a bug or have I missed some logic somewhere?

Thanks

duane

Hi Duane, yes, an app segment match happens on FQDN or IP first, and looks for the most specific match as well. And since you have a segment for 172.21.0.7, any traffic to that IP will not match 172.21.0.0/24.

You can add 3389 to the 4000 segment, or make an additional segment that is 172.21.0.7:3389.

Also you may want to use UDP/3389 instead of TCP/3389 as RDP over TCP doesn’t always perform very well, but that’s a different issue.
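The matching order described in the reply (destination first, most specific destination wins, port checked only afterwards) is what turns the port-4000 segment into a shadow over the /24 for that one host. The following Python is an added illustration written for this thread, not ZPA's code or anything from the poster: it models that rule as stated above using the thread's addresses and ports, and shows the break as well as both of the suggested fixes. The segment names, the /32 notation for the single host and the omission of FQDN segments are assumptions made for the model.

```python
"""Model of the app-segment matching behaviour described in the reply above.

Constructed for illustration; this is not ZPA code. It assumes the rule as
stated in the thread: the destination IP is matched first, the most specific
(longest-prefix) segment wins, and only then is the destination port checked
against that segment's port list. FQDN segments are left out of the model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppSegment:
    name: str
    network: str          # IPv4 CIDR, e.g. "172.21.0.0/24" or "172.21.0.7/32"
    tcp_ports: frozenset  # TCP ports defined on the segment


def match_segment(segments, dst_ip, dst_port) -> Optional[str]:
    """Return the name of the segment a TCP flow to dst_ip:dst_port lands in,
    or None when it matches no segment (and so is dropped when there is no
    discovery / allow-all policy, as in the thread)."""
    ip = ipaddress.ip_address(dst_ip)
    # Step 1: destination match. Keep only segments whose network contains the IP.
    candidates = [
        (ipaddress.ip_network(s.network), s)
        for s in segments
        if ip in ipaddress.ip_network(s.network)
    ]
    if not candidates:
        return None
    # Step 2: the most specific destination wins; less specific segments are
    # no longer considered for this IP, whatever ports they define.
    best_len = max(net.prefixlen for net, _ in candidates)
    most_specific = [s for net, s in candidates if net.prefixlen == best_len]
    # Step 3: only now is the port checked, and only against the winners.
    for s in most_specific:
        if dst_port in s.tcp_ports:
            return s.name
    return None


# Segments from the thread (names are assumed).
RDP_ACCESS = AppSegment("RDP Access", "172.21.0.0/24", frozenset({3389}))
HOST_4000 = AppSegment("Server 7 app", "172.21.0.7/32", frozenset({4000}))


def before_host_segment():
    """Only the subnet segment exists: RDP to .7 matches RDP Access."""
    return match_segment([RDP_ACCESS], "172.21.0.7", 3389)


def after_host_segment():
    """Adding the /32 for port 4000 shadows the /24 for that host, so RDP to
    .7 matches nothing while RDP to another host in the subnet still works."""
    segs = [RDP_ACCESS, HOST_4000]
    return (
        match_segment(segs, "172.21.0.7", 3389),   # None: shadowed by the /32
        match_segment(segs, "172.21.0.7", 4000),   # "Server 7 app"
        match_segment(segs, "172.21.0.8", 3389),   # "RDP Access"
    )


def fixed_add_port():
    """First fix from the reply: add 3389 to the port-4000 host segment."""
    host = AppSegment("Server 7 app", "172.21.0.7/32", frozenset({4000, 3389}))
    return match_segment([RDP_ACCESS, host], "172.21.0.7", 3389)


def fixed_extra_segment():
    """Second fix from the reply: an additional 172.21.0.7:3389 segment."""
    host_rdp = AppSegment("Server 7 RDP", "172.21.0.7/32", frozenset({3389}))
    return match_segment([RDP_ACCESS, HOST_4000, host_rdp], "172.21.0.7", 3389)


if __name__ == "__main__":
    print("before host segment:", before_host_segment())
    print("after host segment: ", after_host_segment())
    print("fix 1 (add port):   ", fixed_add_port())
    print("fix 2 (extra seg):  ", fixed_extra_segment())
```

The model only answers which segment a flow lands in. A match is still not access: as the original post notes, the host segment has no access policy yet, so in the "after" case even port-4000 traffic to 172.21.0.7 would match the new segment and then be denied by policy, and with either fix the segment that now carries 3389 for that host needs its own access policy too, since the RDP Access policy no longer applies to it.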