topic Re: How App-ID identify encrypted application in General Topics

How App-ID identify encrypted application

ankursharma — Thu, 13 Oct 2016 15:05:16 GMT

How app-ID identify encrypted application. Suppose I have allowed only facebook-base in policy and there is not decryption policy.

Re: How App-ID identify encrypted application

BPry — Thu, 13 Oct 2016 15:16:48 GMT

It will attempt to identify the traffic by the packet header; if it can't then the rule won't work. In practice it's a hit and miss thing with encrypted traffic, even if a rule using app-id generally works you will run into instances where it doesn't because it doesn't properly match what that app-id signature is looking for.

Re: How App-ID identify encrypted application

Raido_Rattameister — Thu, 13 Oct 2016 19:15:11 GMT

When you visit SSL site then firewall sees certificate.

If you go to www.facebook.com then there is just Facebook and app is identified as facebook-base.

If you go to any Google service (maps.google.com, www.gmail.com etc) then cert says *.google.com and firewall is unable to identify exact application and uses broad google-base as application.

If there is no application for specific site then traffic is just identified as SSL.

If you have decryption policy in place then firewall can also detect subapplications like facebook-apps, facebook-chat etc