topic Re: Odd App ID in General Topics

Odd App ID

mrsold — Fri, 24 Feb 2012 21:06:26 GMT

So, interesting thing. We use a PA-500 for our enterprise guest networks. We currently have a couple rules that go like this:

1. Allow guest networks to use Skype / Skrype-Probe

2. Block guest networks from using Risk 4 and 5 P2P (this catches stuff like Bittorrent, etc.)

We just got an email that someone on our guest network is torrenting. Low and behold the PA is still letting the app "bittorrent" through even though its blocked in that application filter.

Thoughts?

Re: Odd App ID

mikand — Fri, 24 Feb 2012 22:33:38 GMT

If im not mistaken the logs in PA should show you which rule allowed the traffic.

Verify so you dont in an earlier rule somehow allow bittorrent (since PA use a top-down first-match rule-engine similar to cisco acl) either directly (like allowing risk=5) or indirectly (allowing appid=any where you through you would just let some ipaddresses through without filtering or such).

Re: Odd App ID

mrsold — Fri, 24 Feb 2012 23:22:26 GMT

That's the thing. I saw that and it's being allowed by the rule that only has the skype apps allowed.

Maybe the PA is messing port classifications and thinks it's seeing bittorrent when it's seeing skype? Or, some torrent traffic is using skype ports?

Re: Odd App ID

mikand — Sat, 25 Feb 2012 10:32:02 GMT

The thing is that PA doesnt care about ports unless you limit the rule by specify which ports you wish to allow through in "service" column.

So if you allow skype and nothing else then only skype should be allowed. However if a specific flow first acts like skype and then change into bittorrent then it should been blocked (if you only allow skype).