Custom App-ID for NCAA March Madness 2019

L4 Transporter

Our Palo Alto Networks custom App-ID puts the ball in your court where you call the shots on how much and how good March Madness gets. Block all the shots, create a QoS policy, or simply gain visibility into your traffic mix. 


Continuing our great tradition to publish custom apps for March Madness, the annual college basketball tournaments, we provide the following custom signatures:


Signature Identifies the NCAA March Madness...

Live landing page on PCs and mobile apps



Live video stream for PCs and mobile devices (including replay streams)



The NCAA is streaming all the games via its March Madness Live page/app. You can use the above three custom signatures to identify this traffic and control the policies accordingly.


Recommended Best Practices


  1. To block the NCAA March Madness Live application/player:
      • Create a security rule to 'deny' ncaa2019-mml.
  2. To enforce QoS policing (permit the NCAA March Madness Live application but rate limit the video streams):
      • Create a security rule to 'allow' ncaa2019-mml and ncaa2019-video applications.
      • Create a QoS policy for ncaa2019-video.                                                          
  3. To simply gain visibility into the usage of March Madness Live in your traffic mix:
      • When you import the custom-defined applications to your firewall and commit, make sure the traffic is 'allowed' by the security policies.

Refer PAN-OS Administrator's guide to configure QOS (Admin Guide)


You can use the CLI "show session all filter application ncaa2019-mml" or "show session all filter application ncaa2019-video" to check all sessions matching the apps created.


Graphic of Terminal ssh -l admin


Import Custom Apps to Your Firewall


1. On the Objects tab, under Applications, click the Import button at the bottom bar (marked below).


2. Upload the custom application XMLs provided.


Screenshot of PA-VM showing import application


3. Verify that the new custom app shows up in the Applications pane.


Screenshot of PA-VM showing App-IDs


4. Update your Security Policy to allow the custom Application (if you want to whitelist the custom App).


Screenshot of PA-VM to update policy


Anonymous Proxy tools such as Ultrasurf could be used by the end user to watch the video content. In such cases, for the firewall to identify the proxy tool, SSL decryption policy has to be configured on the firewall. Once the SSL decryption is enabled, App-ID engine will identify the proxy tools. If the security policy does not have those App-IDs whitelisted, the firewall will block the session.


If SSL Decryption is not enabled, and, if the traffic is encrypted, then, it is not possible to use "http-req-host-header" or "http-req-uri-path" decoder contexts in your custom Application. Without SSL decryption, the firewall will not be able to look into the contents of HTTP Request header. 


If SSL Decryption is not enabled, then, "SSL-req-client-hello" and/or "ssl-rsp-certificate" SSL decoder contexts could be used in the custom application. Using the SSL decoder contexts, one can extract SNI (Server Name Indication) or CN (Common Names) from the certificates exchanged during the SSL handshake process to identify traffic. 


One can use different tools such as Decryption Port Mirroring (admin guide) or Chrome Developer Tools (devtools) or mitmproxy to capture and analyze packets to NCAA site and build Custom Applications.


Please refer to the article (Creating Custom Application) on how to use different context to create Custom Applications.  




Chrome Developer Tools


Screenshot of Chrome Developer Tools


Wireshark (packet captured via Decrypt Port Mirror)


Screenshot of Wireshark showing Decrypt Port Mirror



Ask Questions Get Answers Join the Live Community