https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29816#M21790 <HTML><HEAD></HEAD><BODY><P>Peter,</P><P></P><P>Have you considered using Application Override? This is the simplest solution if you can define an application based on IP address and port number.&nbsp; If you truely require a signature you will need sniffer captures and some evaluation of the first few packets. If you are lucky you will see some string like "User Agent = NMAP"&nbsp; and use this as your identifier. Some applications will be moredifficult to identify. You will not know until you look as the captures.</P><P></P><P>Your last option isto ask Paloalto to create a new Application and submit the request to....</P><P></P><P><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/researchcenter/submit-an-application/">http://www.paloaltonetworks.com/researchcenter/submit-an-application/</A></P><P></P><P>Steve Krall</P></BODY></HTML> Thu, 16 Jun 2011 22:45:26 GMT skrall 2011-06-16T22:45:26Z https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29815#M21789 <HTML><HEAD></HEAD><BODY><P>Good afternoon.</P><P></P><P>A considerable amount of traffic to/from our Akamai servers is not recognized by our PA-4060s running v3.1.9. We would like to create a custom App-ID signature that would identify all traffic to/from our Akamai servers (based on /28 subnet) as: <SPAN style="color: #0000ff;"><STRONG>SU Akamai</STRONG></SPAN>.</P><P></P><P>Source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; akamai-11-053.syr.edu (here we’ll use 128.230.11.48/28)<BR />Destination: a72-247-124-182.deploy.akamaitechnologies.com<BR />From Port:&nbsp;&nbsp; 12347<BR />To Port:&nbsp;&nbsp;&nbsp;&nbsp; 65453<BR />Protocol:&nbsp;&nbsp;&nbsp; udp<BR />Application: insufficient-data<BR />Action:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow<BR />Rule:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; permit datacenter to all</P><P></P><P>Would appreciate any tips for creating custom App-ID signatures!</P><P>Thank you!</P><P></P><P>Respectfully,</P><P>Peter Rounds</P></BODY></HTML> Thu, 16 Jun 2011 17:30:41 GMT https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29815#M21789 phrounds 2011-06-16T17:30:41Z https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29816#M21790 <HTML><HEAD></HEAD><BODY><P>Peter,</P><P></P><P>Have you considered using Application Override? This is the simplest solution if you can define an application based on IP address and port number.&nbsp; If you truely require a signature you will need sniffer captures and some evaluation of the first few packets. If you are lucky you will see some string like "User Agent = NMAP"&nbsp; and use this as your identifier. Some applications will be moredifficult to identify. You will not know until you look as the captures.</P><P></P><P>Your last option isto ask Paloalto to create a new Application and submit the request to....</P><P></P><P><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/researchcenter/submit-an-application/">http://www.paloaltonetworks.com/researchcenter/submit-an-application/</A></P><P></P><P>Steve Krall</P></BODY></HTML> Thu, 16 Jun 2011 22:45:26 GMT https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29816#M21790 skrall 2011-06-16T22:45:26Z https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29817#M21791 <HTML><HEAD></HEAD><BODY><P>Thanks Steve!</P><P>Does application override cause traffic that is "overrided" to disappear from monitoring?</P><P></P><P>Respectfully,</P><P>Peter ...</P></BODY></HTML> Fri, 17 Jun 2011 14:32:44 GMT https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29817#M21791 phrounds 2011-06-17T14:32:44Z https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29818#M21792 <HTML><HEAD></HEAD><BODY><P>No. Override has 2 steps.</P><P>1) Create a simple Application identified simply by dest port or protocol.</P><P>2) Create an App Override rule that defines zones and IPs&nbsp; and Port and then the "Name" of&nbsp; the application that this traffic should receive.</P><P></P><P>And traffic conforming to the AppOR rule that you defined in step 2 gets classified/Named the Application you created in step 1.</P><P></P><P>App OR is typically used for the following reasons.</P><P>1) Assign an app name to some custom/home grown application or tcp/udp Unknown traffic that Paloalto is detecting.</P><P>2) Turn off deep packet inspection for performance reasons.</P><P>3) Testing to verify that Deep Packet inspection is not the reason for some performance problems</P><P></P><P>One common example is SIP.&nbsp; SIP phones put the IP address of the phone in the Payload.&nbsp; SIP gateways like the Paloalto, when doing NAT, should change the source IP address in the IP header and should modify the IP address in the payload. Sometimes the modification done by the SIP gateway are incompatible with the requirements of the PBX. By creating an App OR for Port 5060 we turn off the deep packet inspection and modification and only do NAT. This is a common workaround for SIP issues using AppOR.</P><P></P><P>SK</P></BODY></HTML> Fri, 17 Jun 2011 17:07:44 GMT https://live.paloaltonetworks.com/t5/general-topics/create-custom-app-id-signature-for-specific-unknown-traffic/m-p/29818#M21792 skrall 2011-06-17T17:07:44Z