topic Re: Turn off Application ID globally? in General Topics

Turn off Application ID globally?

blarney — Fri, 16 Aug 2013 02:27:57 GMT

Can one turn off the application awarenes globally to set up a PAN as a L4 firewall? Trying to get some comparison stats against the old L4 only (non PAN) firewall and the new PAN.

thanks.

Re: Turn off Application ID globally?

sraghunandan — Fri, 16 Aug 2013 02:53:09 GMT

I don't believe there is a global setting to turn of appid, but you can configure two application override policies( https://live.paloaltonetworks.com/docs/DOC-1071) and include all ports (1-65535) for both tcp and udp.

Re: Turn off Application ID globally?

sraghunandan — Fri, 16 Aug 2013 03:44:19 GMT

So basically create two custom applications one for tcp(tcp/1-65535), the other for udp(udp/1-65535) and create two policies one for all tcp ports the other for all udp ports

Re: Turn off Application ID globally?

ericgearhart — Fri, 16 Aug 2013 14:28:32 GMT

Haha wow I never thought about trying to benchmark App-ID versus non-App-ID in this way... yes this in theory should work, if you built app overrides for any to any traffic and bind them to the App-IDs that define every TCP port and every UDP port.

You'd have to build more specific app overrides for specific ports if you wanted to actually firewall I suppose... or I guess your rules could be defined as App 'any' and define specific services in the service column... this would in essence give you a traditional layer 4 firewall.

Interesting stuff... I have a Breaking Point appliance, and it's tempting to go build this in the lab and see what kind of performance I get out of it compared to App-ID being on,

Re: Turn off Application ID globally?

mbutt — Fri, 16 Aug 2013 15:49:48 GMT

keep in mind a rule with a custom application override does not pass through any of the URL, threat or anti-virus scanning engines. The scanning engine will be used with an app-override if you use an existing built-in application such as web-browsing.

The above information can also be found at the following link

Application Override and Scanning Engines

Hope this helps.

Thanks

Numan

Re: Turn off Application ID globally?

mikand — Mon, 19 Aug 2013 07:42:17 GMT

Would be nice if those numbers could be posted online 🙂

Specially the case between appid override which disables everything vs "appid:any" which should be equal (at least securitywise).

I think Network World got slightly lower throughput when they tried to "disable everything" and one of the theories back then was that a disable added one (or more) cpu-cycles within the PA which would end up with 1%'ish lower throughput. That is the PA will do AppID no matter what, when you disable/ignore the result from the AppID it will take one (or more) additional cpu/fpga/asic cycles to ignore the result.

Re: Turn off Application ID globally?

treese — Tue, 12 Aug 2014 18:31:33 GMT

I'm trying to get more throughput through my 2020. I got the gig interfaces but the FW app ID performance are 500Mb. I want to terminate a Gig Eth circuit to the FW but don't want to impede performance. The circuit carries our VM replication, TSM backup, file sharing, and management. I was expecting that application override would be the best choice to implement, but the Network World comment had me guessing. Any further thoughts or comments on this one?

Thank you