topic Re: Can I create custom application with destination IP and TCP/UDP port? in General Topics

Can I create custom application with destination IP and TCP/UDP port?

KiCheon.Lee — Fri, 03 Jan 2014 09:41:41 GMT

Hello,

I know that FW can control application correctly when has L7 signature.

But my customer want to create application signature more simple and easy for internal trust server.

For example, There is 192.168.1.1 web-server. He want to create app "our-web-server" for destination IP and port are 192.168.1.1:80.

Can FW be available?

Thanks.

Re: Can I create custom application with destination IP and TCP/UDP port?

kprakash — Fri, 03 Jan 2014 13:25:58 GMT

Signatures are Layer 7 attributes, and addresses are layer 3 attributes. As per the PANFW session flow, Layer 3 and layer 4 ( port number) checks are performed first before the actual layer 7 checks ( which happens on a different hardware chip, depending on the platform ). Hence you cannot club addresses into the signature. We can configure security polices, or application override policies to control traffic for a specific IP address along with the application ( built in or custom ).

The best bet would be to create a custom application. Name it as "our-web-server" for better understanding. Use it in a rule "Our-web-server-rule", and include the IP address and the custom application under it.

Hope that helps!

Best regards,

Karthik

Re: Can I create custom application with destination IP and TCP/UDP port?

Phoenix — Fri, 03 Jan 2014 15:59:57 GMT

Hello Cheon,

For your requirement to make a simple and new app to find if this is your web-server traffic yes we can do. Create a new APP with the required destination tcp/udp port. Assign this new app in the Application override rule where we provide the source and destination IPs.

By doing so for any further traffic matching the IP's and ports in the App the traffic would match the application override rule and the sessions would show the new app. ( considering the old sessions are timed out, if not we can clear the old ones )

The prior update by kprakash was to intend that the IPs cannot be added in a signature pattern as such.

Hope this helps !

Re: Can I create custom application with destination IP and TCP/UDP port?

skrall — Sun, 05 Jan 2014 02:25:56 GMT

Have you looked at the Applocation Override feature in the Policies Tab? What you have described sounds like a perfect match.

SKrall

Re: Can I create custom application with destination IP and TCP/UDP port?

KiCheon.Lee — Tue, 07 Jan 2014 04:45:34 GMT

Thank you very much Karthik , Phoenix and skrall.

I knew that all traffic for some tcp/udp port(tcp/80) will be port base custom application(our-web-server) when create port base custom application without application-override.

I have tested and seen that port base custom application without override is not generated application in traffic log.

The port base custom application with override is generated application is traffic log.

I got it. As Karthik mentioned, L3&L4 check and L7 check are probably different hardware chip.

Where is the application signature? in signature math hw engine? or in security process?

Good luck.

Re: Can I create custom application with destination IP and TCP/UDP port?

Gregoux — Tue, 07 Jan 2014 13:24:04 GMT

why don't you try a custom application base on the host header value as signature?

Re: Can I create custom application with destination IP and TCP/UDP port?

kprakash — Tue, 07 Jan 2014 16:21:47 GMT

The Signature matching is done on a different chip or performed on a software thread depending on the platforms. The security policy check for the traffic happens prior to the signature check, and its performed on another chip ( octeon ), before the traffic is fed to the signature matching engine ( chip )