<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Application based Policy approach in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/re-application-based-policy-approach/m-p/224291#M64425</link>
    <description>&lt;P&gt;While moving from a service-based to an application-based policy approach, how do we tackle the dependent applications for a specific application? For instance, consider an app "webex-base" which is dependent on the apps "&lt;SPAN&gt;rtcp, rtp-base, ssl, stun, web-browsing&lt;/SPAN&gt;".&lt;BR /&gt;&lt;BR /&gt;"Webex-base" has the standard ports&amp;nbsp;&lt;SPAN&gt;tcp/443,80,1270, udp/8070,8090,9000.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;BR /&gt;When I see the logs, it shows that while the session is occurring only these applications are being seen: webex-base (on 443, one of the standard ports, no conflict), stun-9000 (which is one of the standard ports of webex-base, while stun uses tcp/3478, udp/3478 as standard ports). So does that imply that dependent applications use the standard-port range of the webex-base application?&lt;BR /&gt;&lt;BR /&gt;So, application field = webex-base, service field = application-default in the rule for webex traffic.&lt;BR /&gt;Now how do we address dependent applications so that we can keep track of these non-conventional apps?&lt;BR /&gt;Do we need to provide additional rules to provision them for the app to work properly without breaking?&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thanks,&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 01 Aug 2018 04:02:00 GMT</pubDate>
    <dc:creator>Sanssj</dc:creator>
    <dc:date>2018-08-01T04:02:00Z</dc:date>
    <item>
      <title>Re: Application based Policy approach</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/re-application-based-policy-approach/m-p/224291#M64425</link>
      <description>&lt;P&gt;While moving from a service-based to an application-based policy approach, how do we tackle the dependent applications for a specific application? For instance, consider an app "webex-base" which is dependent on the apps "&lt;SPAN&gt;rtcp, rtp-base, ssl, stun, web-browsing&lt;/SPAN&gt;".&lt;BR /&gt;&lt;BR /&gt;"Webex-base" has the standard ports&amp;nbsp;&lt;SPAN&gt;tcp/443,80,1270, udp/8070,8090,9000.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;BR /&gt;When I see the logs, it shows that while the session is occurring only these applications are being seen: webex-base (on 443, one of the standard ports, no conflict), stun-9000 (which is one of the standard ports of webex-base, while stun uses tcp/3478, udp/3478 as standard ports). So does that imply that dependent applications use the standard-port range of the webex-base application?&lt;BR /&gt;&lt;BR /&gt;So, application field = webex-base, service field = application-default in the rule for webex traffic.&lt;BR /&gt;Now how do we address dependent applications so that we can keep track of these non-conventional apps?&lt;BR /&gt;Do we need to provide additional rules to provision them for the app to work properly without breaking?&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thanks,&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Aug 2018 04:02:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/re-application-based-policy-approach/m-p/224291#M64425</guid>
      <dc:creator>Sanssj</dc:creator>
      <dc:date>2018-08-01T04:02:00Z</dc:date>
    </item>
    <item>
      <title>Re: Application based Policy approach</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/re-application-based-policy-approach/m-p/224551#M64461</link>
      <description>&lt;P&gt;applications are identified in stages&lt;/P&gt;
&lt;P&gt;when a SYN packet arrives on the firewall, it is hard to identify the app purely on the port. the next few packets may contain a certificate or some payload that identifies the session as web-browsing or a connection to a certain site for which an app exists, so app-id will switch the 'unknown-tcp' app that has been applied to the session to this point with the application&amp;nbsp;that best matches the packets/payload seen so far. but many applications then start behaving differently depending on what (l7) application was actually started, like webex&amp;nbsp;(you could be doing voice, screenshare, fileshare, ... all of which have their own signature), so then the App-ID engine will switch the application for the session yet again to the final app&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;all the steps to get to a final identification are dependencies: if you block web-browsing, you will not be able to get to an application that runs on a regular web platform, for example, because the session will first behave like normal web browsing before the app itself is activated (look at the tcp packets sequentially)&lt;/P&gt;
&lt;P&gt;so the dependencies will need to be allowed in a policy somewhere for the webex&amp;nbsp;app to work&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;other dependencies may simply be needed to form a control channel which is not directly related to the process explained above&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;there is one caveat: some dependencies may not be necessary for your specific deployment, so you can leave them out of the security policy, but you will keep getting the dependency warning during the commit. this is because the dependencies are needed to allow the full suite of an application's functionality: e.g. your webex&amp;nbsp;deployment may not require RTCP&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;hope this helps&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Aug 2018 08:56:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/re-application-based-policy-approach/m-p/224551#M64461</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-08-02T08:56:22Z</dc:date>
    </item>
  </channel>
</rss>