ZPA Application Discovery and Policy

Hi All,

I recently set up ZPA for a customer where I began with a single App Segment using wildcard application discovery (e.g. *.mydomain.com for all TCP/UDP ports except 53) and then created App Segments from the discovered apps based on the FQDN and ports used.

One of the problems I foresaw was that I may not yet have all the required ports added for each application, yet still wanted to provide access should they be discovered later. I could then go back after reviewing discovered apps and add them.

The access policy looked like this:
1. Allow printer01.mycompany.com over TCP ports 135 and 49787
...
7. Allow *.mycompany.com over all TCP/UDP ports except 53

I found access to the printer failed despite Diagnostics showing successful traffic logs to ports 135 and 49787. There were also no errors concerning this application.
As a test I opened all TCP and UDP ports for printer01.mycompany.com and the connection worked. I then found traffic over TCP 443.
Where did I go wrong with the configuration, or can the wildcard App Segment not be used as an allow-all at the end of the policy?
I've read over this article, but it doesn't seem to address the question: Defining a Dynamically Discovered Application | Zscaler

Regards,
Travis

I have since opened a TAC case, since I needed to resolve this issue.

TAC advised that the traffic to the printer will see the specific App Segment being matched and, although the ports do not match, the traffic will not be processed by any further access rules.

Only other applications not matched in the above rules will hit the rule with the wildcard domain App Segment. That definitely seems to be the case, but the logic seems strange to me. What if you wanted to limit specific port access to different groups, such as SSH?

This is definitely one of the things that someone new to Zscaler should know. We also wrongly assumed that a wildcard might allow ports for something not defined by an FQDN. This makes defining an FQDN with specific ports a bigger exercise. You have to account for the end user perhaps using just the app port 80 and also an administrator that might need SSH or an alternative port. If you are migrating from a traditional VPN to Zscaler, this will most certainly get you at least once.
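The matching behaviour TAC described in the thread above (most specific domain match selects the App Segment, and the port is then checked against that segment only, with no fall-through to the broader wildcard segment) can be modelled as a small policy-review script. This is an added example, not Zscaler code or the poster's configuration; the segment names, the port ranges and the scoring rule are constructed assumptions used to reproduce the printer01 case from the thread.

```python
# Constructed model of ZPA App Segment selection as described by TAC:
# 1. every segment whose domain matches the FQDN is a candidate,
# 2. the most specific domain match wins (exact FQDN beats any wildcard,
#    longer wildcard suffix beats shorter),
# 3. the port is checked against the winning segment only; if it is not
#    defined there the connection is dropped and later rules never see it.
from dataclasses import dataclass


@dataclass(frozen=True)
class AppSegment:
    name: str
    domain: str            # exact FQDN or a "*.example.com" wildcard
    tcp_ranges: tuple      # ((lo, hi), ...) inclusive TCP port ranges


def domain_match_score(pattern: str, fqdn: str):
    """Return None when the pattern does not cover fqdn, else a score
    where a higher value means a more specific match."""
    fqdn = fqdn.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # e.g. ".mycompany.com"
        return len(suffix) if fqdn.endswith(suffix) else None
    return 10_000 if fqdn == pattern else None   # exact always wins


def port_allowed(segment: AppSegment, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in segment.tcp_ranges)


def evaluate(segments, fqdn: str, port: int):
    """Return (allowed, segment_name) for a TCP connection to fqdn:port.
    segment_name is None when no App Segment covers the FQDN at all."""
    candidates = [(domain_match_score(s.domain, fqdn), s) for s in segments]
    candidates = [(score, s) for score, s in candidates if score is not None]
    if not candidates:
        return (False, None)
    _, chosen = max(candidates, key=lambda c: c[0])
    return (port_allowed(chosen, port), chosen.name)


ALL_TCP_EXCEPT_DNS = ((1, 52), (54, 65535))

# Constructed segments mirroring the thread: a specific printer segment
# plus the wildcard discovery segment at the end of the policy.
SEGMENTS = [
    AppSegment("printer01", "printer01.mycompany.com", ((135, 135), (49787, 49787))),
    AppSegment("wildcard-discovery", "*.mycompany.com", ALL_TCP_EXCEPT_DNS),
]

if __name__ == "__main__":
    for fqdn, port in [("printer01.mycompany.com", 135), ("printer01.mycompany.com", 443),
                       ("intranet.mycompany.com", 443)]:
        print(fqdn, port, evaluate(SEGMENTS, fqdn, port))
```

Running it shows that printer01.mycompany.com:443 is dropped by the printer01 segment even though the wildcard segment would allow TCP 443, while intranet.mycompany.com:443 reaches the wildcard segment because no more specific segment claims that FQDN.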