https://live.paloaltonetworks.com/t5/automation-api-discussions/custom-appid-based-on-user-login/m-p/2550#M54 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I am working with a client in an interesting situation..</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">We are basically needing to limit sections of the network where certain users and login to a web server. For example, only admins can login from zone1 and only users can login from zone2. The application on the web server is not a custom one built by the client but there is no current ID for it in the app-id db.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Currently, we would like to make the policy decisions based on app.. and have a separate ID based on admins or users.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I created an APP-ID for the application itself and tested it; it works! I also checked "Continue scanning for other applications".</P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><BR />Next, I used a proxy to monitor the packets and found that the username is submitted via HTTP PARAMS. So, I cloned the original APP-ID and made a new one (we will call it App-User). I added an AND condition to the original signature and it looks for:</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Context: http-req-params</P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">pattern: user (I have also tried username=user).</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Qualifier is http method = POST.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">After committing this.. the PAN IDs the traffic as the original APP-ID but does NOT change the app identified once someone sends posts requests with the specific username identified.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Will this not work in the manner I think it would? Any better suggestions?</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">FWIW: I don't have to create an AND rule for each user. The user base all share a generic ID for this system.</P></BODY></HTML> Thu, 10 Oct 2013 01:35:07 GMT SDorsey 2013-10-10T01:35:07Z https://live.paloaltonetworks.com/t5/automation-api-discussions/custom-appid-based-on-user-login/m-p/2550#M54 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I am working with a client in an interesting situation..</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">We are basically needing to limit sections of the network where certain users and login to a web server. For example, only admins can login from zone1 and only users can login from zone2. The application on the web server is not a custom one built by the client but there is no current ID for it in the app-id db.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Currently, we would like to make the policy decisions based on app.. and have a separate ID based on admins or users.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I created an APP-ID for the application itself and tested it; it works! I also checked "Continue scanning for other applications".</P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><BR />Next, I used a proxy to monitor the packets and found that the username is submitted via HTTP PARAMS. So, I cloned the original APP-ID and made a new one (we will call it App-User). I added an AND condition to the original signature and it looks for:</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Context: http-req-params</P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">pattern: user (I have also tried username=user).</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Qualifier is http method = POST.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">After committing this.. the PAN IDs the traffic as the original APP-ID but does NOT change the app identified once someone sends posts requests with the specific username identified.</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Will this not work in the manner I think it would? Any better suggestions?</P><P></P><P style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">FWIW: I don't have to create an AND rule for each user. The user base all share a generic ID for this system.</P></BODY></HTML> Thu, 10 Oct 2013 01:35:07 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/custom-appid-based-on-user-login/m-p/2550#M54 SDorsey 2013-10-10T01:35:07Z