topic Custom Application and TAC in General Topics

Custom Application and TAC

ghostrider — Sat, 22 Oct 2016 22:00:05 GMT

Hello

Can I request to TAC to create custom application or I have to do by my self? I found this but I guest it is for public application not for internal.

http://researchcenter.paloaltonetworks.com/submit-an-application/

Re: Custom Application and TAC

kiwi — Mon, 24 Oct 2016 10:16:51 GMT

Hi,

You will have to create it yourself.

The form is to submit a new public application.

This might be useful :

Custom-Application-Signatures

Cheers !

-Kim

Re: Custom Application and TAC

ghostrider — Mon, 24 Oct 2016 11:26:50 GMT

Hello Kiwi

So custom application is requried only when I see the unknown applicaiton in the logs? In which case I will create the app override?

Re: Custom Application and TAC

pulukas — Mon, 24 Oct 2016 22:59:03 GMT

Right, custom applications are only needed if your traffic is unknown to the PA.

Application override is different. This prevents the upper level inspections and you would use this when the PA is incorrectly categorizing your traffic as a known application. You override the categorization using these rules.

Re: Custom Application and TAC

ghostrider — Wed, 26 Oct 2016 16:21:58 GMT

Thank you steve. But in PA documents and video, I saw they for unknown application, they are using appoverrride

Re: Custom Application and TAC

pulukas — Sat, 29 Oct 2016 11:05:45 GMT

Do you have the link for the video handy so I can understand the context of what they are doing there?

Re: Custom Application and TAC

ghostrider — Sat, 29 Oct 2016 15:07:21 GMT

Hello Steve

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-Policy/ta-p/60044

An application override could be used wilth custom internal applications that use non-standard port numbers or internal applications classified by the firewall as "unknown" for which custom definitions have been created

Re: Custom Application and TAC

ghostrider — Sun, 06 Nov 2016 20:46:53 GMT

@pulukas Could you please see this video, they are saying for unknown-tcp and udp you can use app-override

https://www.youtube.com/watch?v=CwXdWJpw0UY

Re: Custom Application and TAC

reaper — Mon, 07 Nov 2016 10:32:53 GMT

app override is used to prevent the AppID engine from kicking in

it is not necessary to use this for a custom application to work, but can be useful in certain scenarios:

-AppID wants to identify an application and you need it to be something else (there could be a custom application mechanism that conflicts with how it's parent application is supposed to work)

-the app is unknown so AppID will not be useful

for unknown applications, app override is not mandatory, it simply preserves resources by disabling AppID for a particular session

Re: Custom Application and TAC

ghostrider — Mon, 07 Nov 2016 11:42:20 GMT

@reaper thank you. So for unknown applicaiton, either we can do app-override or make custom application. If traffic matches with built in application (worngly) and custom application as well, then PA will match with what? I mean builtin application or custom application?

Appreciated your reply

Re: Custom Application and TAC

reaper — Mon, 07 Nov 2016 13:31:20 GMT

the normal flow would be like this (for example, there is a web-app you want to identify)

you create a custom app that matches a certain signature

without app override

AppID will start processing a new session

at the http/1.1 it will likely first identify web-browsing,

in one of the next packets, your signature would be hit and the app would change into your custom application

with app override:

a new session is received matching the app override rule, custom application is assigned, no logic is checked (basically like a traditional firewall without intelligence)

Re: Custom Application and TAC

ghostrider — Mon, 07 Nov 2016 14:49:21 GMT

@reaper Thanks. Sorry for my ignorance but need to ask, so for my custom signature to work, I need to explicityly allow web-browing in security rule along with custom app or no need?

Re: Custom Application and TAC

reaper — Mon, 07 Nov 2016 15:21:53 GMT

no problem!

if your custom app relies on web-browsing, yes (eg you're hosting a website and want it identified as a specific app)

if your custom app is something written from scratch, not running on top of a known protocol: no

Re: Custom Application and TAC

ghostrider — Mon, 07 Nov 2016 20:10:39 GMT

@reaper so it means for all custom web applications, web-browsing has to be allowed with custom application?

Re: Custom Application and TAC

reaper — Tue, 08 Nov 2016 08:52:21 GMT

yes, but it doesn't need to be in the same rule, as long as web-browsing is allowed somewhere in the policy, it will work

Re: Custom Application and TAC

ghostrider — Tue, 08 Nov 2016 09:40:21 GMT

@reaper thanks. what about client server applications (tcp/udp) custom applicaitons, there is any parent tcp/udp application like web-browsing for web-application?

Also for build custom application in a rule, should I ask application to check all the funtionalities of application while doing the packet capture? I mean how much traffic need to pass for the rule to build custom application. Appreciated your recommendation

Re: Custom Application and TAC

reaper — Tue, 08 Nov 2016 10:18:34 GMT

have you checked out these articles ?

Getting Started: Custom applications and app override

Tips & Tricks: Custom Vulnerability

the amount of data needed for your custom application depends on how your app was created

normally AppID kicks in before the first 2000bytes/8packets but for web-based applications, AppID keeps scanning longer so if your application can only be identified by some string of data in the payload of a web-based session, you can use that to trigger. You will need to decide how long your packetcapture needs to be to get to the information you want to use to create a custom app as in the end you decide which 'string' will need to be matched

Re: Custom Application and TAC

ghostrider — Tue, 08 Nov 2016 20:08:33 GMT

@reaper The system automatically doing the packet capture for unknown-tcp. Is that capture sufficient for make custom app?

Re: Custom Application and TAC

reaper — Wed, 09 Nov 2016 13:09:45 GMT

maybe 🙂 it will capture the packets it cannot identify which will likely contain the signature you want to be looking for, but I would recommend setting up a proper packetcapture to make sure you have a good view of what packets are exchanged and the payload therein