topic Re: Custom App ID in General Topics

Custom App ID

nsrini1991 — Thu, 18 Feb 2021 05:49:49 GMT

Hi Experts,

We've created a new custom app ID (custom-sql) for the SQL server with the ports TCP/10001- TCP/10004 with the Parent app as 'mssql-db-base'. Below are the firewall rules we've in place and noticed the application is correctly classified as the parent app when checking in monitor logs but instead of the below rule, it's hitting deny rule.

Any idea why is it so and what should be corrected. Thanks in advance

Name: Custom-SQL-rule

Source: 10.0.0.0/8

Source Zone: Inside

Destination: 172.16.0.0/16

Destination Zone: DMZ

Application: custom-sql

service:TCP/10001

Action:Allow

Re: Custom App ID

reaper — Thu, 18 Feb 2021 08:54:41 GMT

there is a dependency for the parent app to be allowed as well,

since the parent app is being blocked right now, App-ID is not able to identify the child app

Re: Custom App ID

nsrini1991 — Thu, 18 Feb 2021 13:36:52 GMT

Hi Tom,

Thanks for the reply.

Does this mean the firewall rule should be updated with the mssql-db-base ?

Should the port TCP/10001 from the service condition can exist or it can be removed?

Please assist.

Re: Custom App ID

reaper — Thu, 18 Feb 2021 13:44:09 GMT

Hi @nsrini1991

yes, you will need to add mssql-db-base . you can leave the port there as you don't want to offer this application on different ports

Re: Custom App ID

nsrini1991 — Thu, 18 Feb 2021 14:28:23 GMT

Hi Tom

Thanks for the assistance. Final one, can you please overview on how the parent app works on this example?

I tried to google but not able to get any clear answers.

Please assist.

Re: Custom App ID

reaper — Thu, 18 Feb 2021 14:39:03 GMT

it's how APP-ID works:

1. first a syn packet comes un, firewall checks if the source zone/ip, destination zone/ip, destination port and protocol are allowed somewhere (skips app for now)

if yes: session is created, if no, packet is discarded

2. handshake completes and first payload is transferred, app-id checks if anything can be identified (eg. http GET = web-browsing)

at this stage most of the parent apps will be identified as they display the most basic behavio.

Security rules are re-evaluated to see if this app is allowed to pass, if yoes, the session carris on, if no, the session is discarded

This is where dependencies require their parent app to be allowed somewhere in the rulebase

3. session continues to transfer payload and a child-app is detected, security rules are evaluated once more to see if child-app is allowed

if yes, sesion is allowed to complete, if no session is discarded

hope this helps

Re: Custom App ID

Sec101 — Thu, 11 Mar 2021 21:21:49 GMT

@reaper

So basically, there is no "implicit" use of an official app on a custom app-id, even if a parent application is defined?