topic Re: Why does traffic log show Application for a rule that uses a Service? in General Topics

Why does traffic log show Application for a rule that uses a Service?

OMatlock — Wed, 07 Jun 2017 18:48:57 GMT

Hello folks,

I am doing some testing (studying) on using Applications vs Services and have a question about the traffic log.

Why does the traffic log identify the traffic and rule to an Application when the rules are setup as Service?

My rules are setup as Service.

Traffic log identifies them as Applications.

Is it because Applications are set to any?

I assuming that even though the Traffic log identifies an application, the traffic is not inspected as so (Layer 7)?

Re: Why does traffic log show Application for a rule that uses a Service?

gwesson — Wed, 07 Jun 2017 19:47:54 GMT

Layer 7 inspection happens on all sessions to a degree. An exception would be if you created an application override policy that would prevent it.

Your rules are port-based, but App-ID is still functioning. The application won't be taken into account when processing the rules, and with your profiles set to none it will not be doing any threat scanning on the traffic hitting those rules, but App-ID is still active.

Regards,

Greg

Re: Why does traffic log show Application for a rule that uses a Service?

TranceforLife — Wed, 07 Jun 2017 19:59:12 GMT

Palo does APP-ID and it based on the traffic which is passing through. If you specify app as "any" and the services as http or RDP in the security policy, palo will scan all traffic that is matching this policy. Based on the allowed port (services) it will identify application using app-id future (based on signature, port number etc). So Palo always does L7 inspection unless you do app-override, then it is only up to L4 (TCP/UDP port numbers).

Re: Why does traffic log show Application for a rule that uses a Service?

TranceforLife — Wed, 07 Jun 2017 20:05:51 GMT

@gwesson took me a bit longer to finish my post 😉

Re: Why does traffic log show Application for a rule that uses a Service?

gwesson — Wed, 07 Jun 2017 20:13:52 GMT

@TranceforLife Every once in a while I can be a post ninja, but you usually beat me 🙂

Re: Why does traffic log show Application for a rule that uses a Service?

TranceforLife — Wed, 07 Jun 2017 20:21:05 GMT

Recently spending too much time next to the pc. Not good 😞

Re: Why does traffic log show Application for a rule that uses a Service?

OMatlock — Wed, 07 Jun 2017 21:14:18 GMT

Thank guys!

So what if the traffic does not match an application in the database (when set to any)?

Does it just take the service port route and then skip Layer 7 inspection and stay at Layer 4?

Re: Why does traffic log show Application for a rule that uses a Service?

gwesson — Wed, 07 Jun 2017 22:17:26 GMT

Nope, every initial packet will get Layer 7 inspection. It makes sense if you know the flow - if it has enough information to know it doesn't match any app, then it's already done the L7 inspection.

If no app is matched, you'll see the app listed as "unknown-tcp" or "unknown-udp" depending on the underlying protocol. That is fairly rare though, as the app-id database is pretty expansive.

Re: Why does traffic log show Application for a rule that uses a Service?

OMatlock — Fri, 09 Jun 2017 21:49:11 GMT

Thank you!