topic App-id Matching Process in General Topics

App-id Matching Process

zizo94 — Fri, 13 Sep 2019 21:31:08 GMT

I'm running PA-VM and created with one active rule:

From: Inside

To: Outside

Application: Web Basic Application group (ssl,dns,web-browsing,ping)

Service: application-default

Action: Allow

SSL Decryption is disabled

I'm facing issues browsing to websites with preconfigured App-ids:

Not working:

linkedin/soundcloud/batte.net/docs.google.com(any other website specified app-id)

Working:

youtube/google(search-engine)

I'm running PA that doesn't have the google-base yet.

"During the SSL encrypted session, the firewall receives server "hello packets", which has the certificate details or the server can send a separate certificate packet. The firewall looks for the X.509 digital certificate received from the server and inspects the common name field in the SSL Handshake Protocol."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0

1.)

I ran it in the Lab, and the results were different:

PC ---> TLS Client Hello(server-name=www.linked.com) ---> FW ---> Linkedin (Sent)

Linkedin ---> TLS Server Hello -- FW ----> DROPPED

Application is listed as linkedin-base with action Discard

Certificate from Linkedin is not sent until Linkedin recevices ACK on the TLS Server Hello.

Which i tested on a pc with direct internet access, this contradicts the post from Palo Alto Knowledge Base

2.)

I tested HTTP & HTTPS to battle.net

Note: battle.net is redirect to blizzard.com

With HTTP:

- Dropped and classifed as battle.net in traffic monitor

- HTTP GET is dropped on the firewall side

- Classified as battle.net App-id

With HTTPS:

- Works succesfully and redirected

- Comman Name in the Certificate provided in Server Certificate is www.battle.net - This should be matched by the app-id engine but is listed as an SSL application

My question is, does it use certificate to match the app-id and/or HTTP Get?

How does the actual matching process work and why doesn't work the same across the board?

Software: 7.0.1

Application Version: 497-2688

Thanks guys

Re: App-id Matching Process

BPry — Sat, 14 Sep 2019 01:09:24 GMT

@zizo94,

There are multiple ways that encrypted traffic can still be identified via signatures that don't take into account the CN listed on the certificate. Additionally some app-ids don't take into account the CN of the certificate being exchanged in the handshake at all, and rely strickly on other means.

PS,

You are using an extremely outdated, and EOLd, version of PANOS and an extremely outdated content package. The signatures you are using are old enough that I wouldn't expect your traffic to be identifying as the proper app-id anymore with or without decryption.

Re: App-id Matching Process

zizo94 — Mon, 16 Sep 2019 06:58:05 GMT

@BPry

I upgraded the PA to version 9.0.1.

Now I can the see the added app-id for google-base.

Q:1

I'm still having the same issue, traffic is being blocked and not using the default web-browsing application.

It's identifying app-id traffic and being discarded, If I add the google-base into the application's inside the rule, it will work.

Is this normal behaviour from PA?

Q2:

As you mentioed there are multiple means of identifying traffic via signatures.

Can you share any documents that can provide me with ways.

Thanks