topic Re: Why permitiing web-brosing is required while permitting custom http-based apps? in General Topics

Why permitiing web-brosing is required while permitting custom http-based apps?

asia — Wed, 24 Feb 2010 16:11:56 GMT

Hello,

I was testing custom http based apps, and in this context i created a custom app based on a signature in the host field of the http header. The problem is that it function properly only if i permit the app web-brosing in the same rule. By logging at the begining and at the end of the session i noticed that whene session starts, the traffic was identified as web brosing, and then it switches to be identified as the custom app. Also whene i dont permit web-brosing, the traffic will be dropped and the firewall is no longer able to identifie the custom app. So is it required to permit web-brosing to get this kind off apps to work, it is not souhaitable in my case, so is there any solution to this problem?

Thank you all.

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

mjacobsen — Wed, 24 Feb 2010 16:29:09 GMT

The web-browsing application essentially represents the basic HTTP functionality. It is required in order for the system to further decode and process HTTP requests. Without allowing the traffic to be processed by the HTTP decoder, we cannot look further for other HTTP-based applications. This is why allowing the web-browsing application is a requirement for other HTTP-based applications.

If you can provide some more detail about the policy you are trying to implement, we may be able to come up with a solution through creative rule ordering, src/dst controls or some other combination.

Mike

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

asia — Wed, 24 Feb 2010 16:47:30 GMT

Thank you Mike for your fast response.

In my case, i'am triying to create a rule in wich i permit only the custom http based app. The pupose is to use this functionality as the onlu filtering criteria and to take out the src/dst ip addresses.

The rule will look like this :

src-zone-inetrnet src-add-any dst-zone-intranet dst-add-any custom-app permit

So if we allow the web-brosing app in addition to the custom app, this will allow all http traffic coming from internet to go throw the firewall, and this is not what we try to do.

So if there is any soultion to make this work withtout being compelled to allow web-browsing, that will be great.

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

kbrazil — Wed, 24 Feb 2010 18:05:50 GMT

You might try adding a URL filtering profile to that security policy rule that only allows access to that web server or domain so the web-browsing application doesn't allow access to other URLs.

Kelly

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

bdaussin — Thu, 25 Feb 2010 09:32:40 GMT

Thanks, for yours answers.

We'll try this today. We'll post the result.

I had a dream ........ A firewall without any IP rules :smileycool:

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

kansel — Fri, 14 Jan 2011 20:19:23 GMT

Adding URL filtering is one more layer, but you are still not addressing the custom app question. I have a similar scenerio that I would like to allow only a specific app, but it requires web-browsing. Then why even use the specific app in the policy rule?

I understand the reason why web-browsing is needed to further decode to identify the specif app, but when adding the app-id's in the policy together (which I believe they are OR'd), the web-browsing app over-rides the specific app that you want to ONLY allow.....meaing its useless to add a specific app that requires web-browsing in order to work.

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

kbrazil — Fri, 14 Jan 2011 20:34:18 GMT

Today the best practice is to use URL filtering and Web-app policies together for optimal coverage. As you mentioned - web-browsing is basically the http decoder, so http is a prerequisite for identifying lower-layer apps.

There will be some future enhancements that will allow you to use only the specific app-id's without requiring the web-browsing application.

Cheers,

Kelly

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

SkIKT — Tue, 15 Nov 2011 08:17:53 GMT

Any progress on these enhancements? Have you targeted a specific release milestone?

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

bpappas — Wed, 16 Nov 2011 02:07:13 GMT

@SklKT:

If you wish to discuss product roadmaps and the expected release date for new features you will need to talk to your sales team.

This forum is not the proper venue for this sort of discussion.

Thank you,

Benjamin

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

frank_henry — Wed, 16 Nov 2011 15:47:54 GMT

+1. Would be nice to have a AND - OR qualifiers.

Also, not everyone subscribes to the URL filtering service. AFAIK, there is not yet a generic URL filtering methodology (user controlled only without subscription requirement).

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

frank_henry — Wed, 16 Nov 2011 15:49:25 GMT

If our wants are not expressed in an open forum, then this is not a democracy;)

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

kbrazil — Thu, 17 Nov 2011 03:53:23 GMT

Who said this was a democracy?

You can use URL filtering for custom, user defined categories without a URL filtering subscription to the categorization database.

Cheers,

Kelly

Re: Why permitiing web-brosing is required while permitting custom http-based apps?

SkIKT — Thu, 17 Nov 2011 07:20:02 GMT

I'm sorry, I did not know these kinds of questions where unwanted in the forums. However, I never asked for release dates.