topic Application override with custom application and threat detection in General Topics

Application override with custom application and threat detection

RedLogic-team — Sun, 19 Jun 2016 07:53:20 GMT

I want to build a custom application with application override and still be able to scan for threats.
On the website of Palo Alto, there is this text:

If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.

But there is also this text:

For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer-7 and scanned for content and vulnerabilities.

I created a test custom application "web_override" with a signature: http-req-host-header eicar\.org
I enabled the parent-app option set on web-browsing. Only when I disable the override, the eicar virus is recognized. When I enable the override the layer 7 is not scanned and Eicar will not trigger a threat.

I also vind this text:

In such cases, we recommended creating an application override to allow easier identification and reporting, and to prevent confusion.

Can somebody explain why? "To prevent confusion'' what for confusion are they talking about. When I have a unknown application (in my test the eicar web site is normaly recognized as web-browsing, but after my custom application the firewall sees the trafic as my custom application "web_override"

I vind good articles with good information put still missing some pieces of the puzzle.

Re: Application override with custom application and threat detection

pulukas — Sun, 19 Jun 2016 14:46:50 GMT

Could you provide the link to the original source document for your quoted paragraphs?

I'd like to see the full context that might help explain the apparent contradictions.

Re: Application override with custom application and threat detection

nikoo — Sun, 19 Jun 2016 19:40:16 GMT

Hi,

If you are using Application Override (Policies -> Application Override), then traffic will not go through L7 analysis and threats will no be scanned. Basically, you create a custom application, but do not create any signature for it and identification is done via Application Override.

If you are using Custom Application and identifying your app by custom signature - it will go through threat scanning if you have enabled it for that app. It is done by opening your custom application and editing Advanced tab, Scanning section. For this scenario no Application Override is required.

Re: Application override with custom application and threat detection

RedLogic-team — Sun, 19 Jun 2016 20:53:09 GMT

The text:

comes from this article;

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/manage-custom-or-unknown-applications.

The text:

Example Use Scenario

You might ask why we'd ever need to override the normal application identification process. In some cases, customers build their own custom applications to address specific needs unique to the company. For these applications, we may not have signatures to properly identify the expected behavior and identify the traffic with a known application. In such cases, we recommended creating an application override to allow easier identification and reporting, and to prevent confusion.

comes from this article;

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513

I also read this info:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-Policy/ta-p/60044

Re: Application override with custom application and threat detection

RedLogic-team — Sun, 19 Jun 2016 20:55:31 GMT

@Vieplis wrote:

Hi,

If you are using Application Override (Policies -> Application Override), then traffic will not go through L7 analysis and threats will no be scanned. Basically, you create a custom application, but do not create any signature for it and identification is done via Application Override.

If you are using Custom Application and identifying your app by custom signature - it will go through threat scanning if you have enabled it for that app. It is done by opening your custom application and editing Advanced tab, Scanning section. For this scenario no Application Override is required.

Explain:

The text:

comes from this article;

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/manage-custom-or-unknown-applications.

Re: Application override with custom application and threat detection

nikoo — Sun, 19 Jun 2016 21:28:02 GMT

As far as I understand it explains the situation when application override is not used, and it makes more sense if you look at one more paragraph further from the same article where it tells how to make an exception by using application override:

Re: Application override with custom application and threat detection

RedLogic-team — Mon, 20 Jun 2016 06:30:58 GMT

@Vieplis wrote:

As far as I understand it explains the situation when application override is not used, and it makes more sense if you look at one more paragraph further from the same article where it tells how to make an exception by using application override:

For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer-7 and scanned for content and vulnerabilities.

If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats

Oke I understand what you are saying. But the guy who wrote is article is not clear how he explains stuf:

Alternatively, if you would like the firewall to process the custom application using fast path (Layer-4 inspection instead of using App-ID for Layer-7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing time.

This part he talkes about fast path: Application override with layer 4 and not layer 7, but then he starts with de words "For example" This makes it confusing, when you say "For example" you refers to the text above with telling me about override.

So The text must be "If you build a custom application without override" But then, the text is strange, there is an option in custom application to enable scanning threats.

Put all things together,

1. Costum application can be scanned in to layer 7 without application override, you need some signature to recognize the application. In the custom app settings => tab advanced => scanning option you can scan on threats.

2. Custom application with an override can do only layer 4 no threat detection.

3. Applications that exist in Palo Alto can have a override when you want to use a different port, example: I use this for ldaps port 636 (else it will drop with Not-applicable warning). You can scan on threats with existing apps in combination with an override (Correct me if I wrong).

So I have an extra question, is there a website on the internet that triggers an Unknown-tcp/upd in the application detection so you can practice to build a custom application. Or is there a simple Linux application that does?

Thanks Vieplis for your input

Re: Application override with custom application and threat detection

nikoo — Tue, 21 Jun 2016 13:36:10 GMT

Your summary points 1 and 2 seems correct to me. One note though about 3 - yes, existing app with application override will still trigger L7 inspection, but I think there is no really need to simply change port for a predefined app as even if the application will suddenly be using different port, Palo Alto will still identify it with its App-ID engine (SSL decryption may be required tho for encrypted traffic) and security rules have to be build accordingly to use that custom port number (not the service-default) for that application to allow it through.

And note from PA guys I've kept in mind: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-Policy/ta-p/60044

Note: It is recommended to use a Custom Application to verify that the application override is identifying the traffic at the new custom app, as designed. Use of a pre-existing application can cause problems, and may not work properly in an application override rule.

Regarding application signature testing, well, I have not found a way to test it nice and easy. Description of the fields to be examined from the captures can be found here: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569 That works as a reference and usually checking PCAPs and looking for relevant informaiton to match against.

If anyone has a way of testing it nicely, would be nice to hear.