IPv4 flags as App-ID Signatures?

Danimal — Wed, 10 Apr 2019 15:54:50 GMT

Hello,

Is it possible to use simple IPv4 flag info as match criteria for App-ID signatures? I'm looking for something simple such as matching source IP, destination IP and destination port. I'm not having any luck finding patterns in the data to use and I really need an App-ID to adjust TCP time out values.

This is to accomidate poorly designed medical equipment that needs to be protected but does not function correctly behind my firewall.

Any advice is much appreciated.

Sincerely,

-Dan

Re: IPv4 flags as App-ID Signatures?

Neil_Xu — Mon, 05 Aug 2019 16:56:58 GMT

@Danimal

Not sure if you've addressed your issue.

Recently I've ran into a similar situation where a vendor's software does not addresses the TCP timeout properly, which I had to create an customized AppID for it in order to customize the TCP timeout values for that particular traffic.

Here's what I did:

- Navigate to Objects --> Applications --> Add

- Configuration Tab:

- Name: Name your AppID

- Description: Some documentation about this AppID

- Category: business-systems

- Subcategory: office-programs

- Technology: client-server

- Parent App: None

- Risk: 1

- Advanced Tab:

- Defaults: Port

- Port: port(s) or your application uses

- Timeouts --> TCP Timeout: <tcp timeout value>

- Policies --> Application Override --> Add

- Enter the basics of the traffics flows for the application override policy.

- Name

- Src Zone

- Src Address

- Dst Zone

- Dst Address

- Protocol

- Port

- Application: <your custom AppID name>

I learned that the Application Override policy is the policy that will POINT the matched traffic pattern to a specific AppID (custom or OOB)

Hope this helps or at least shine a light to your problem.

topic IPv4 flags as App-ID Signatures? in Custom Signatures

IPv4 flags as App-ID Signatures?

Re: IPv4 flags as App-ID Signatures?