https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33005#M24191 <HTML><HEAD></HEAD><BODY><P>That's indeed how our rules are setup:</P><P>We use an application group to allow several remote support applications, service application-default</P><P>For these applications, no user-id required (user: any)</P><P>from zone trust to zone untrust</P><P>Basic security profile applied, but that should not block legitimate traffic (will check in threat log)</P><P></P><P>What I do notice, is some traffic gets recognized as citrix-jedi and gotomeeting, those are very similar to gotomeeting. And they are allowed too.</P><P>Threre's really no clear line to draw. It's one of those apps that use generic ports randomly, to many different ip's randomly ... </P></BODY></HTML> Thu, 19 Dec 2013 16:57:18 GMT dieter_b 2013-12-19T16:57:18Z https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33003#M24189 <HTML><HEAD></HEAD><BODY><P>Is anyone else having issues with PA not recognizing gotoassist very well ?</P><P></P><P>Citrix documentation expects you to open tons of DNS addresses and/or IP ranges, but I'm a bit wary of opening ALL traffic on ports 80 and 443 to these (most IP ranges are on Amazon btw) since we're heavily relying on application identification.</P></BODY></HTML> Thu, 19 Dec 2013 16:22:47 GMT https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33003#M24189 dieter_b 2013-12-19T16:22:47Z https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33004#M24190 <HTML><HEAD></HEAD><BODY><P>Hello Dieterb,</P><P></P><P>Citrix software gotoassist works on the ports 80/443. If the services are made "App default" it uses the ports needed to have the gotoassist traffic allowed. Now in the apps column since we have added gotoassist it looks for signature pattern of gotoassit with combination of ports needed. If this combination matches only then traffic is allowed. If just ports match and signature pattern is not allowed the traffic should not be permitted.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 19 Dec 2013 16:39:05 GMT https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33004#M24190 Phoenix 2013-12-19T16:39:05Z https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33005#M24191 <HTML><HEAD></HEAD><BODY><P>That's indeed how our rules are setup:</P><P>We use an application group to allow several remote support applications, service application-default</P><P>For these applications, no user-id required (user: any)</P><P>from zone trust to zone untrust</P><P>Basic security profile applied, but that should not block legitimate traffic (will check in threat log)</P><P></P><P>What I do notice, is some traffic gets recognized as citrix-jedi and gotomeeting, those are very similar to gotomeeting. And they are allowed too.</P><P>Threre's really no clear line to draw. It's one of those apps that use generic ports randomly, to many different ip's randomly ... </P></BODY></HTML> Thu, 19 Dec 2013 16:57:18 GMT https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33005#M24191 dieter_b 2013-12-19T16:57:18Z https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33006#M24192 <HTML><HEAD></HEAD><BODY><P>Hello dieterb,</P><P></P><P>Yes it may be possible sometimes to see the apps as citrix-jedi and gotomeeting and so on. Sometimes when the software product change a certain behavior for gotoassist in this case, if it is not updated on PAN app signature we may see such issues. And also all of these belong to same parent company there may be overlaps as seen below.</P><P><IMG alt="goto-.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10405_goto-.PNG.png" /></P><P>In such cases, where config looks like gotoassist is allowed but citrix-jedi app is not allowed then while passing traffic if we see some part of gotoassist identified as citrix-jedi and it is getting rejected then we may experience traffic drops..to avoid such issues we may have to open a case to correct the app signature database.</P></BODY></HTML> Thu, 19 Dec 2013 18:01:57 GMT https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33006#M24192 Phoenix 2013-12-19T18:01:57Z https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33007#M24193 <HTML><HEAD></HEAD><BODY><P>I've put all similar citrix application and even more in the allow policy, but still no go.</P><P></P><P>I'll probably have to allow services http and https. But I'll try to limit the domains and/or ip's that are actually used (not the entire list of all Citrix SaaS products).</P><P></P><P>Not sure if PA can do anything about it in the application definitions...</P></BODY></HTML> Fri, 20 Dec 2013 10:41:56 GMT https://live.paloaltonetworks.com/t5/general-topics/gotoassist-application-recognition/m-p/33007#M24193 dieter_b 2013-12-20T10:41:56Z