<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Context for Custom AppID in Custom Signatures</title>
    <link>https://live.paloaltonetworks.com/t5/custom-signatures/context-for-custom-appid/m-p/297134#M330</link>
    <description>&lt;P&gt;I’m looking to create a custom AppID for our Softphones by PureCloud. In short, we are attempting to block the chat feature within the application. The application is web-browser based and encrypted, so we set up decryption for the traffic in the hopes we could enforce security policies on the decrypted traffic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The decryption is working fine and I’ve been able to get some basic AppIDs created to recognize the traffic based on the FQDN. My goal is to create a custom AppID that goes deeper into the packet and matches on a pattern. So far, I’ve been unsuccessful. I’ve validated the parent app is “websocket” but have not been able to hit on a pattern match. I believe the issue I’m having is with the Context choice.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I opened a PAN support case and worked with a tech who was helpful but limited in support he could provide (best effort only). I’ve searched through the Live Community Discussions related to AppIDs and didn’t hit on anything helpful so far. I’ve read pretty much anything and everything I could find online and in PAN’s knowledge base articles but have not found a solution.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I set up a decryption mirror port and captured some PureCloud traffic. I can provide a packet capture of the decrypted traffic for a short chat conversation. I was hoping someone could help me figure out the right Context to match patterns against or an alternative approach. Any help you could extend to me would be greatly appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I found both of these resources very helpful. I list them for others who might benefit from them.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Video - How To Configure A Custom App-Id&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmGCAS" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmGCAS&lt;/A&gt;&lt;/P&gt;&lt;P&gt;PDF - Creating Custom Application And Threat Signatures&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;BR /&gt;Rob&lt;/P&gt;</description>
    <pubDate>Thu, 07 Nov 2019 23:13:21 GMT</pubDate>
    <dc:creator>rsummers</dc:creator>
    <dc:date>2019-11-07T23:13:21Z</dc:date>
    <item>
      <title>Context for Custom AppID</title>
      <link>https://live.paloaltonetworks.com/t5/custom-signatures/context-for-custom-appid/m-p/297134#M330</link>
      <description>&lt;P&gt;I’m looking to create a custom AppID for our Softphones by PureCloud. In short, we are attempting to block the chat feature within the application. The application is web-browser based and encrypted, so we set up decryption for the traffic in the hopes we could enforce security policies on the decrypted traffic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The decryption is working fine and I’ve been able to get some basic AppIDs created to recognize the traffic based on the FQDN. My goal is to create a custom AppID that goes deeper into the packet and matches on a pattern. So far, I’ve been unsuccessful. I’ve validated the parent app is “websocket” but have not been able to hit on a pattern match. I believe the issue I’m having is with the Context choice.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I opened a PAN support case and worked with a tech who was helpful but limited in support he could provide (best effort only). I’ve searched through the Live Community Discussions related to AppIDs and didn’t hit on anything helpful so far. I’ve read pretty much anything and everything I could find online and in PAN’s knowledge base articles but have not found a solution.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I set up a decryption mirror port and captured some PureCloud traffic. I can provide a packet capture of the decrypted traffic for a short chat conversation. I was hoping someone could help me figure out the right Context to match patterns against or an alternative approach. Any help you could extend to me would be greatly appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I found both of these resources very helpful. I list them for others who might benefit from them.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Video - How To Configure A Custom App-Id&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmGCAS" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmGCAS&lt;/A&gt;&lt;/P&gt;&lt;P&gt;PDF - Creating Custom Application And Threat Signatures&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;BR /&gt;Rob&lt;/P&gt;</description>
      <pubDate>Thu, 07 Nov 2019 23:13:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/custom-signatures/context-for-custom-appid/m-p/297134#M330</guid>
      <dc:creator>rsummers</dc:creator>
      <dc:date>2019-11-07T23:13:21Z</dc:date>
    </item>
  </channel>
</rss>

