Custom App-ID for NCAA March Madness 2019


Our Palo Alto Networks custom App-ID puts the ball in your court, where you call the shots on how much and how good March Madness gets. Block all the shots, create a QoS policy, or simply gain visibility into your traffic mix.

 

Continuing our great tradition of publishing custom apps for March Madness, the annual college basketball tournaments, we provide the following custom signatures:

 

Signature         Identifies the NCAA March Madness...
ncaa2019-mml      Live landing page on PCs and mobile apps
ncaa2019-video    Live video stream for PCs and mobile devices (including replay streams)

 

 

The NCAA is streaming all the games via its March Madness Live page/app. You can use the above three custom signatures to identify this traffic and control the policies accordingly.

 

Recommended Best Practices

 

  1. To block the NCAA March Madness Live application/player:
      • Create a security rule to 'deny' ncaa2019-mml.
  2. To enforce QoS policing (permit the NCAA March Madness Live application but rate limit the video streams):
      • Create a security rule to 'allow' ncaa2019-mml and ncaa2019-video applications.
      • Create a QoS policy for ncaa2019-video.
  3. To simply gain visibility into the usage of March Madness Live in your traffic mix:
      • When you import the custom-defined applications to your firewall and commit, make sure the traffic is 'allowed' by the security policies.

Refer to the PAN-OS Administrator's Guide to configure QoS (Admin Guide).

 

You can use the CLI commands "show session all filter application ncaa2019-mml" or "show session all filter application ncaa2019-video" to check all sessions matching the custom apps.

 

Graphic of Terminal ssh -l admin

 

Import Custom Apps to Your Firewall

 

1. On the Objects tab, under Applications, click the Import button at the bottom bar (marked below).

 

2. Upload the custom application XMLs provided.

 

Screenshot of PA-VM showing import application

 

3. Verify that the new custom app shows up in the Applications pane.

 

Screenshot of PA-VM showing App-IDs

 

4. Update your Security Policy to allow the custom Application (if you want to whitelist the custom App).

 

Screenshot of PA-VM to update policy

 

Anonymous proxy tools such as Ultrasurf could be used by the end user to watch the video content. In such cases, for the firewall to identify the proxy tool, an SSL decryption policy has to be configured on the firewall. Once SSL decryption is enabled, the App-ID engine will identify the proxy tools. If the security policy does not have those App-IDs whitelisted, the firewall will block the session.

 

If SSL decryption is not enabled and the traffic is encrypted, it is not possible to use the "http-req-host-header" or "http-req-uri-path" decoder contexts in your custom application. Without SSL decryption, the firewall cannot look into the contents of the HTTP request header.

 

If SSL decryption is not enabled, the "ssl-req-client-hello" and/or "ssl-rsp-certificate" SSL decoder contexts can be used in the custom application. Using the SSL decoder contexts, one can extract the SNI (Server Name Indication) or CN (Common Name) from the certificates exchanged during the SSL handshake to identify traffic.

 

One can use different tools such as Decryption Port Mirroring (admin guide), Chrome Developer Tools (devtools), or mitmproxy to capture and analyze packets sent to the NCAA site and build custom applications.

 

Please refer to the article (Creating Custom Application) on how to use different contexts to create custom applications.

 

Miscellaneous:

 

Chrome Developer Tools

 

Screenshot of Chrome Developer Tools

 

Wireshark (packet captured via Decrypt Port Mirror)

 

Screenshot of Wireshark showing Decrypt Port Mirror

 

 
