topic App-ID for known services being blocked and not categorised as "ssl". in General Topics

App-ID for known services being blocked and not categorised as "ssl".

Sean65 — Fri, 10 Sep 2021 15:21:05 GMT

Hello,

We have a Palo Alto running v9.0.9-h1 with an outbound to Internet rule which as follows:

From: Internal Networks

To: Internet External

Application: ssl

What we are trying to achieve is for the firewall to ensure that only SSL/TLS traffic is allowed outbound.

The issue is that that the firewall categorises well-known services such as Salesforce, LinkedIn, Office365 as specific App-IDs and thus blocks traffic and we are having to add each required application individually.

A potential workaround is to drop Application=ssl, and add Service=TCP:443 - But doing this we lose the layer 7 inspection and could allow a user to send HTTP over the 443 port which isn't ideal.

Is there a way to have the Palo categorise as ssl and then stop processing App-ID to get the best of both worlds?

Thanks!

Re: App-ID for known services being blocked and not categorised as "ssl".

LAYER_8 — Fri, 10 Sep 2021 17:50:33 GMT

From a security posture perspective, this is a bad idea. Attackers have C2 beacons regularly encrypted down SSL tunnels now. Writing a pervasive rule to allow anything that uses that underlying technology is a risk that enterprise networks should not assume. Verify first, trust second.

What you should do is go to the objects tab, search ssl and SSL in the searchbar. Of the applications that come up, edit the tags and add "sanctioned" to the ones you want.

After you have chosen your sanctioned applications, go down 2 menus of the objects tab and create a filter to allow all sanctioned apps.

Then you are able to write an outbound policy allow rule to all the filtered/sanctioned apps you wish.

Re: App-ID for known services being blocked and not categorised as "ssl".

Sean65 — Fri, 10 Sep 2021 16:22:13 GMT

Hi Slick, thanks for the response.

The issue we're having is for outbound Intenet browsing which this is, we don't know what applications are required until they are blocked, then requiring a support ticket, analysis and a firewall change. The turn around for this is 5 days minimum, that is significant impact.

The business is putting pressure on us to simply allow TCP:443 outbound in which case we lose all L7 capability.

Any further thoughts?

Re: App-ID for known services being blocked and not categorised as "ssl".

LAYER_8 — Fri, 10 Sep 2021 17:54:01 GMT

You could write a pervasive allow 443 rule but use it for only a few days, and then use the policy optimizer in the bottom left to see which apps touch the rule, and then click the checkbox to add them to a sanctioned rule as well.

Re: App-ID for known services being blocked and not categorised as "ssl".

Sean65 — Mon, 13 Sep 2021 08:38:13 GMT

While that sounds like something which we *could* do, that doesn't meet our needs.

To restate the requirement: We need to allow ALL SSL based applications by default outbound for Internet browsing but still have the firewall perform L7 inspection to ensure the traffic is actually SSL (like it would do for unknown SSL based applications).

Re: App-ID for known services being blocked and not categorised as "ssl".

LAYER_8 — Mon, 13 Sep 2021 17:53:32 GMT

What you are asking for is not in the Palo Alto ethos. The product is built for positive enforcement, meaning there are no explicit allows. We found this to be too big a security risk, and for zero trust, most companies are moving toward a positive enforcement model.

So if you wrote a rule that was "allow any application from internal to external on any port" for a day or two, you could then use policy optimizer to restrict the function down to L7 policies because it would default allow, and then you could segment which traffic flows belong to which rule.

The L7 and content inspection is always happening, even on an allow all rule (as long as you attach a security profile group to the traffic), the APP-ID for the rule occurs as well.

But you're asking for something to be done that the industry is actively trying to move away from in which Palo pioneered. It's possible by doing the above.