topic Re: What application will be blocked by App ID in General Topics

What application will be blocked by App ID

Rahimbhamani — Sun, 05 Mar 2017 07:09:43 GMT

If we want to blocked video streaming, team viewer, logme in, , youtube etc basis on App ID. We dont have URL filtering license.

Re: What application will be blocked by App ID

nextgenhappines — Sun, 05 Mar 2017 16:06:24 GMT

There are couple of ways to do this,

1. go to https://applipedia.paloaltonetworks.com/ and search for the applications that you know that you want to block.

2. setup a test machine, and create security rule with test machine as source and place it on the very top of the rule set to allow outbound and have a deny all outbound rule for the test machine after the allow outbound. Enable logging and review the traffic log after each application that you are interested to block (make sure you close application or end the streaming first), you should see the specific app-id identify by the traffic log. Create another deny rule and place it above the allow rule to deny those specific app-id. Repeat until you get them all.

Since you did not specific which video streaming services/application, that could be tricky because some services could show up as http-video or SSL (encrypted), you will need test and be a detective for a while. If you want to block those video streaming using SSL, you will need to enable SSH decrpytion, that you may want to search on the technote how to and get URL license as well. Since you may not want to decrypte SSL sessions going to health care, banking site, etc..

Have fun,

Re: What application will be blocked by App ID

bradk14 — Sun, 05 Mar 2017 22:28:58 GMT

For the most part, App-ID should be sufficient even without SSL decryption since the built-in app definitions use multiple vectors to detect what's being accessed. The easiest approach is just to attempt to do what you wish to block and verify the app is properly detected in the traffic log and then add those apps to a blacklist policy.

if that's not enough, you can also block by domain, keeping in mind that many apps source from multiple domains.

but I do agree that SSL decryption would be a difficult jump to make without a URL license as banking and healthcare are at least two of the categories you likely don't want to mess with, and there may be even more to worry about in Europe.

Re: What application will be blocked by App ID

Rahimbhamani — Mon, 06 Mar 2017 08:43:40 GMT

We want to block youtube streaming.

Re: What application will be blocked by App ID

Rahimbhamani — Mon, 06 Mar 2017 08:50:57 GMT

We want to block youtube streaming via Palo Alto. We create the Custom URL Category "testing" and enter the site "*.youtube.com" (with quotation). We select the testing category in Decrpytion profile and Action "Decrpyt" and Type SSL Forwarding. We create the security policy src:any, destination:any and deny youtube-base. But still we can we view streaming on chrome and firefox.

Re: What application will be blocked by App ID

reaper — Mon, 06 Mar 2017 10:18:51 GMT

have you tried application filter to block video apps ?

Re: What application will be blocked by App ID

Rahimbhamani — Thu, 09 Mar 2017 15:20:15 GMT

For this we require Decryption policy right. As per my knowledge, desktop based applucation will be block without ssl decryption and for browser based using https we must use decryption policy.

Another thing i want to know that if i dont have URL filtering license, still i got the ogs what application example google drive go the which URL's.

Re: What application will be blocked by App ID

bradk14 — Thu, 09 Mar 2017 15:31:41 GMT

as I mentioned earlier, while it may sound counterintuitive, Palo Alto AppID is able to identify some apps even when SSL is not decrypted. Obviously it can't inspect traffic, but it can use other environmental aspects to help categorize traffic. PA won't disclose all the attributes AppID uses, but obviously if someone is going to youtube.com, they're likely using the youtube-base app.

You can witness this yourself in the PA traffic logs.

Re: What application will be blocked by App ID

reaper — Fri, 10 Mar 2017 09:38:44 GMT

for any encrypted traffic that's not getting decrypted, (and also as primary means of categorizing before encryption can take place) AppID will use the SNI (Server Name Indication) which is included in the ssl handshake to identify the application

so as long as your browser support SNI, you should be getting fairly accurate AppID

in case the browser does not support SNI, AppID will try to identify the app based on the certificate CN, but this may not be as accurate as youtube uses *.google.com (hence AppID would be google-base)