topic Re: PA cannot distinguish between Dropbox and Cloudfront in General Topics

PA cannot distinguish between Dropbox and Cloudfront

Farzana — Thu, 03 Aug 2017 00:50:06 GMT

Hi,

PA does not seem to be able to distinguish between Dropbox and Cloudfront. In the Traffic logs, all sessions are identified as dropbox-base. Outputs from show session id:

DROPBOX:

start time : Thu Aug 3 09:58:15 2017
timeout : 120 sec
total byte count(c2s) : 4843
total byte count(s2c) : 6128
layer7 packet count(c2s) : 11
layer7 packet count(s2c) : 12
vsys : vsys1
application : dropbox-base
rule : Staff
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
address/port translation : source
nat-rule : STAFF_NAT(vsys1)
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : vlan.100
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd decoder bypass
end-reason : aged-out

CLOUDFRONT:

start time : Thu Aug 3 10:03:34 2017
timeout : 30 sec
total byte count(c2s) : 3485141
total byte count(s2c) : 96056293
layer7 packet count(c2s) : 46500
layer7 packet count(s2c) : 63461
vsys : vsys1
application : dropbox-base
rule : Access Rule
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
address/port translation : source
nat-rule : ACCESS_NAT(vsys1)
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : vlan.100
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : TCP RST - client
tracker stage l7proc : ctd decoder bypass
end-reason : tcp-rst-from-client

PAN-OS: 8.0.3 using latest content version.

Any idea how to fix this?

Thanks in advance.

Re: PA cannot distinguish between Dropbox and Cloudfront

abjain — Thu, 03 Aug 2017 08:51:34 GMT

Please open a TAC case. They will have to inspect this and get it rectified if its a decoder issue.

Re: PA cannot distinguish between Dropbox and Cloudfront

reaper — Thu, 03 Aug 2017 09:46:21 GMT

It doesn't appear you are using SSL decryption? You may need to enable decryption to be able to look inside the flow and properly identify the apps

Re: PA cannot distinguish between Dropbox and Cloudfront

BPry — Thu, 03 Aug 2017 15:19:51 GMT

@Farzana,

Without decryption the firewalls app-id is kind of in a 'best guess' situation. It'll identify the application to the best of it's ability but the ability to do application identification is limited when you only give the device limited availability into the device. The only real fix would be to decrypt the traffic; if you open a TAC case they'll probably look at it and tell you the same thing.

I wouldn't really rely on the app-id being correct if you aren't decrypting the traffic, they can only inspect the headers and such within the traffic flow to try and identify the traffic.