topic Please Release App-IDs for IBM AS400 user traffic in Next-Generation Firewall Discussions

Please Release App-IDs for IBM AS400 user traffic

P19991 — Fri, 11 Nov 2022 10:45:46 GMT

Hi,

we have noticed traffic from users connecting to mainframes/midranges is showing as "unknown-tcp" and "insufficient-data" for the following ports:

TCP/449 (Server Mapper)

TCP/8470 (License Management)

TCP/8471 (Database Access)

TCP/8475 (Remote Command)
TCP/8476 (Signon Verification)

TCP/23 is of course being correctly identified as telnet. All of these ports are documented in the following IBM article:

https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions

I was surprised to find that PA doesn't have Apps for this popular enterprise application. Is there a chance an AppID series is upcoming for this kind of traffic? We already filed a request at https://www.paloaltonetworks.com/blog/submit-an-application/

Cheers

Re: Please Release App-IDs for IBM AS400 user traffic

TomYoung — Fri, 11 Nov 2022 16:36:26 GMT

Hi @P19991 ,

I understand your frustration. A search on IBM under Objects > Applications yields 12 results. So, PANW has already identified many IBM apps. It would be nice from them to add 4 more. Thank you for submitting the App-ID request!

If you need something more immediate, this is an excellent overview for custom applications to identify unknown protocols. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-custom-or-unknown-applications

Here are the bullet points:

Creating a custom app with signature (regex in packet capture to uniquely identify the app) and the correct parent application will allow you to identify the app with L7 inspection.
Creating a custom app with Application Override is much easier because the app in your case can be identified by destination IP and L4 port. However, it will bypass L7 inspection. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0 I don't know if the NGFW does L7 inspection on unknown apps anyway. So, you may not miss anything by going this route.

I am curious what L7 inspection you would bypass. AV will not apply to those protocols. AS applies mainly to Command and Control. If the IBM is hacked and reaches out to the Internet, you would not catch it. You could just block outbound access for the IBM. Under Objects > Security Profiles > Vulnerability Protect [edit profile] > Exceptions > check "Show all signatures" > filter by "ibm", I see 201 signatures. Anyway, I digress. The point is that App Override may provide the visibility that you want without much drawback because I am not sure how much L7 protection is applied to these unknown protocols.

Thanks,

Tom

Re: Please Release App-IDs for IBM AS400 user traffic

P19991 — Fri, 11 Nov 2022 17:15:30 GMT

Hi Tom,

thank you for your response. No frustration here actually, AppID is performing amazing as usual, the unknown-tcp just stood out because the PA usually catches everything and this program is used heavily in the environment.

I think we might be able to get away with just 1 new app, I believe the software is called "IBM i Access". According to the article, in most cases it uses only 4 TCP ports.

Re: custom app, I already started developing a custom App and I'm finding many bit strings that are nice and long and shouldn't be too hard on the dataplane. I'm hoping that by setting "unknown-tcp" as parent app that we could get at least the IPS engine working, because in Wireshark I can see some actual SQL queries being embedded in this protocol. But in any case, the biggest benefits will be the visibility and ease of creating policies.

Cheers