Configuration Articles

Featured Article
Note: Customers are not required to modify firewall policies unless the conditions outlined below are in use.

Issue:
Firewalls are typically required to act as an ALG to create pinholes for SIP sessions and provide address translation capabilities. The "sip" App-ID creates such pinholes so that the protocol functions seamlessly when it encounters the firewall. When a SIP server communicating using static NAT in one zone (source) emits traffic destined to a SIP server in another zone (destination), the firewall creates a pinhole that consequently allows any host using SIP within the destination zone to communicate with the SIP server in the source zone. For example, a SIP server P.Q.R.S in the source zone, static NAT-ed to D.E.F.G:5060, dispatches a SIP REGISTER message to an external SIP server A.B.C.D:5060 in the destination zone. This results in the firewall creating a pinhole that accepts incoming connections from hosts in the destination zone addressed to D.E.F.G:5060.

Resolution:
The "sip-trunk" App-ID disables the creation of such a pinhole when used in conjunction with an Application Override. This App-ID is meant to be used between known SIP servers. The source and destination addresses of these servers must be specified, with their SIP traffic overridden to the new "sip-trunk" App-ID. In addition, given the lack of a pinhole, administrators are required to configure a Security Policy rule that permits traffic between these servers in the reverse direction. This allows the SIP servers to communicate with each other, and the absence of the pinhole prevents the firewall from accepting inbound connections from other hosts within the destination zone.

Requirements:
- SIP Registrar or Proxy is statically NATed through the firewall
- SIP trunking is being used in the environment
- Content database version 518 or higher

Note that switching to sip-trunk requires clearing all active SIP traffic, so the process will be disruptive to users. We recommend scheduling an outage or maintenance window after hours to implement these changes. Also, any ports other than udp/5060 that are in use by your SIP server will need to be added to the new policies accordingly.

How to Implement:
1) Create an Application Override policy with a rule that allows sip-trunk traffic on udp/5060 as well as any other ports that are being used by this application in your environment. The policy can be limited in scope to only match the desired SIP traffic by specifying source and destination IP addresses as well as zones.
2) Create a Security policy that blocks the "sip" application.
3) Create a Service object that contains udp/5060 as well as any other ports required by your SIP servers.
4) Create Security policies beneath the rule created in the previous step that allow the "sip-trunk" application. This policy should be limited in scope to only match the desired SIP traffic by specifying source and destination IP addresses as well as zones.
5) Create a static bi-directional source NAT policy.
6) Commit the policy.
7) Clear all current SIP sessions from the CLI (NOTE: this command will disrupt all active SIP traffic):
    > clear session all filter application sip
8) Clear the application cache from the CLI:
    > clear appinfo2ip
ggarrison ‎08-28-2018 10:32 AM
36,484 Views
0 Replies
3 Likes
How to Allow a Single YouTube Video and Block All Other Videos

In this example we only want to allow this one YouTube video: https://www.youtube.com/watch?v=hHiRb8t2hLM, and block the rest of YouTube. Please follow these steps to accomplish this.

Steps
1. Block streaming-media in your URL Filtering Profile. In the WebGUI go to Objects > Security Profiles > URL Filtering and click on the URL Filtering profile you would like to use.
   [Screenshot: URL Filtering Profile detail showing streaming-media set to Block.]
2. Create a Custom URL Category from Objects > Custom Objects > URL Category. Your Custom URL Category must include the following entries:
   *.youtube.com
   *.googlevideo.com
   www.youtube-nocookie.com
   www.youtube.com/yts/jsbin/
   www.youtube.com/yts/cssbin/
   This makes sure that any YouTube page or content you go to is decrypted, so that the full HTTP GET can be read.
3. Add a decryption policy of type SSL Forward Proxy; the decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab. Please see the following article about configuring SSL Decryption: How to Implement and Test SSL Decryption
4. Go to your URL Filtering profile and, in the Allow list, add the following URLs:
   www.youtube.com/watch?v=hHiRb8t2hLM
   *.googlevideo.com
   The first entry is the URL for the container page itself; *.googlevideo.com then allows the media that is fetched from that container page out of Google's content CDN at *.googlevideo.com. Also make sure that the custom URL category you created is "allowed" inside the URL filtering profile.
   [Screenshot: URL filtering profile detail showing the allowed URL list.]
5. Commit and test.

Thanks to Milvaldi for the contribution.
owner: jdelio
‎07-12-2018 11:51 PM
97,564 Views
28 Replies
Note: The following article outlines additional steps required in the event an app-override needs to be enabled for an active FTP connection. It is not required if app-override is not needed in the first place.

Overview
FTP is exclusively a TCP based service; there is no UDP component to FTP. FTP is an unusual service in that it uses two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that depending on the mode, the data port is not always port 20.

Details
Active FTP: In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20. From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1023 (server responds to client's control port)
- FTP server's port 20 to ports > 1023 (server initiates data connection to client's data port)
- FTP server's port 20 from ports > 1023 (client sends ACKs to server's data port)

Passive FTP: From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1023 (server responds to client's control port)
- FTP server's ports > 1023 from anywhere (client initiates data connection to the random port specified by the server)
- FTP server's ports > 1023 to remote ports > 1023 (server sends ACKs (and data) to client's data port)

Steps
The Palo Alto Networks firewall supports application overrides and helps with applications that have special requirements. To configure an override for the FTP protocol the following could apply:
1. Create a custom application that uses the FTP ports 20 and 21 and the dynamic ports greater than 1024.
2. Create an Application Override rule.
3. Make sure that there is a Security policy allowing the newly defined traffic (custom-ftp); otherwise traffic for this application will be dropped.
bbolovan ‎08-24-2017 02:34 AM
30,256 Views
7 Replies
6 Likes
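The active/passive port negotiation described in the FTP article above, worked through as an added example (not code from the article or from Palo Alto Networks): it decodes the PORT command and the 227 passive reply, refuses announcements a firewall ALG should not open a pinhole for (host not matching the control-channel peer, privileged port), and lists the opening the server-side firewall must make. The addresses are constructed documentation-range values; the port constants follow the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example (RFC 5737 documentation ranges).
CLIENT_IP = "192.0.2.10"
SERVER_IP = "203.0.113.5"

# Ports the article calls out: command channel 21, active-mode data source 20,
# and unprivileged (> 1023) ports on the client side / passive server side.
FTP_COMMAND_PORT = 21
FTP_ACTIVE_DATA_PORT = 20
MIN_UNPRIVILEGED_PORT = 1024

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 PASV reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    """The data connection announced on the control channel."""
    mode: str                # "active" or "passive"
    initiator: str           # side that opens the TCP connection
    src_ip: str
    src_port: Optional[int]  # None = any unprivileged port, chosen at connect time
    dst_ip: str
    dst_port: int


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def expected_data_channel(client_ip: str, server_ip: str, line: str) -> Optional[DataChannel]:
    """Return the data channel a control-channel line announces, or None when the
    line is neither PORT nor a 227 reply.  Raises ValueError for announcements an
    ALG should refuse to open a pinhole for."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the client announces N+1; the server connects from port 20.
        decoded = decode_hostport(line[5:])
        if decoded is None:
            raise ValueError("malformed PORT argument")
        host, port = decoded
        # A client behind NAT announces its private address, which is why an ALG
        # must rewrite PORT; this strict check simply refuses the mismatch.
        if host != client_ip:
            raise ValueError("PORT host differs from the control-channel client")
        if port < MIN_UNPRIVILEGED_PORT:
            raise ValueError("PORT data port must be an unprivileged port")
        return DataChannel("active", "server", server_ip, FTP_ACTIVE_DATA_PORT, host, port)
    if line.startswith("227"):
        # Passive mode: the server announces a random port > 1023; the client connects.
        decoded = decode_hostport(line)
        if decoded is None:
            raise ValueError("malformed 227 reply")
        host, port = decoded
        if host != server_ip:
            raise ValueError("227 host differs from the control-channel server")
        if port < MIN_UNPRIVILEGED_PORT:
            raise ValueError("passive data port must be an unprivileged port")
        return DataChannel("passive", "client", client_ip, None, host, port)
    return None


def server_side_openings(channel: DataChannel) -> List[tuple]:
    """The channel a server-side firewall must open for this data connection, in
    the direction the article lists it; the return ACK/data traffic is what a
    stateful firewall permits automatically."""
    if channel.mode == "active":
        return [("out", channel.src_ip, channel.src_port, channel.dst_ip, channel.dst_port)]
    return [("in", channel.src_ip, "> 1023", channel.dst_ip, channel.dst_port)]
```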
Here is the FileType list with Threat-ID as of May, 2017. *The Description for each File Type is not included on this page due to content size limitations.

ID | Name | File Type Name | Min Version | Scope | File Type Direction
52000 | Microsoft PowerPoint | ppt | 1.0.1 | session | both
52001 | Microsoft Word DOC File | doc | 1.0.1 | session | both
52002 | Microsoft Excel XLS File | xls | 1.0.1 | session | both
52003 | Microsoft Cabinet (CAB) | cab | 1.0.1 | protocol-data-unit | both
52004 | ZIP | zip | 1.0.1 | protocol-data-unit | both
52005 | TAR | tar | 1.0.1 | protocol-data-unit | both
52006 | HTA (HTML Application) | hta | 1.0.1 | session | both
52007 | Windows Program Information File (PIF) | pif | 1.0.1 | protocol-data-unit | both
52008 | Windows Registry (REG) | reg | 1.0.1 | protocol-data-unit | both
52009 | Windows Batch (BAT) | bat | 1.0.1 | session | both
52010 | Windows Script (WSF) | wsf | 1.0.1 | session | both
52011 | Microsoft PowerPoint PPT File | ppt | 1.0.1 | protocol-data-unit | both
52012 | Microsoft Word DOC File | doc | 1.0.1 | protocol-data-unit | both
52013 | Microsoft Excel XLS File | xls | 5.0.0 | protocol-data-unit | both
52014 | GZIP | gzip | 1.0.1 | protocol-data-unit | both
52015 | RAR | rar | 1.0.1 | protocol-data-unit | both
52016 | Z Compressed | zcompressed | 1.0.1 | protocol-data-unit | both
52017 | Perl Script | pl | 1.0.1 | protocol-data-unit | both
52018 | Shell Script | sh | 1.0.1 | protocol-data-unit | both
52019 | Windows Dynamic Link Library (DLL) | dll | 1.0.1 | protocol-data-unit | both
52020 | Windows Executable (EXE) | exe | 1.0.1 | protocol-data-unit | both
52021 | Adobe Portable Document Format (PDF) | pdf | 1.0.1 | protocol-data-unit | both
52022 | Microsoft Word 2007 DOCX File | docx | 1.0.1 | protocol-data-unit | both
52023 | Microsoft PowerPoint 2007 PPTX File | pptx | 1.0.1 | protocol-data-unit | both
52024 | Microsoft Excel 2007 XLSX File | xlsx | 1.0.1 | protocol-data-unit | both
52025 | Pretty Good Privacy Format (PGP) | pgp | 1.0.1 | protocol-data-unit | both
52026 | Encrypted ZIP | encrypted-zip | 1.0.1 | protocol-data-unit | both
52027 | GZIP | gzip | 1.0.1 | protocol-data-unit | download
52028 | Microsoft Excel Encrypted XLS File | encrypted-xls | 1.0.1 | protocol-data-unit | both
52029 | Plain Text File | txt | 1.0.1 | session | download
52030 | TIF File | tif | 1.0.1 | protocol-data-unit | both
52031 | MDB File | mdb | 1.0.1 | protocol-data-unit | both
52032 | CSV File | csv | 1.0.1 | session | download
52033 | Microsoft MSOFFICE | msoffice | 1.0.1 | protocol-data-unit | both
52034 | Encrypted RAR File | encrypted-rar | 1.0.1 | protocol-data-unit | both
52035 | Encrypted PGP File | pgp | 1.0.1 | protocol-data-unit | both
52036 | MDI File | mdi | 1.0.1 | protocol-data-unit | both
52037 | PXE File | pxe | 1.0.1 | protocol-data-unit | both
52038 | Microsoft Word Encrypted DOC File | encrypted-doc | 1.0.1 | protocol-data-unit | both
52039 | Microsoft Encrypted PowerPoint File | encrypted-ppt | 1.0.1 | protocol-data-unit | both
52040 | Windows Batch (BAT) | bat | 5.0.0 | session | download
52041 | Activex File | ocx | 1.0.1 | session | both
52042 | Activex CAB File | ocx | 2.0.0 | protocol-data-unit | download
52043 | WRI File | wri | 2.1.0.8 | protocol-data-unit | both
52044 | RTF File | rtf | 1.0.1 | protocol-data-unit | both
52045 | MPEG File | mpeg | 2.1.0.8 | protocol-data-unit | both
52046 | WMV File | wmv | 1.0.1 | protocol-data-unit | both
52047 | FLV File | flv | 1.0.1 | protocol-data-unit | both
52048 | AVI File | avi | 1.0.1 | protocol-data-unit | both
52049 | Quicktime MOV File | mov | 1.0.1 | protocol-data-unit | both
52050 | Download All Files Except TXT HTML and pictures | all | 1.0.1 | protocol-data-unit | download
52051 | All File Upload | all | 1.0.1 | protocol-data-unit | upload
52052 | All File Download | all | 1.0.1 | protocol-data-unit | download
52053 | PCL File | pcl | 1.0.1 | protocol-data-unit | both
52054 | MP3 File | mp3 | 3.1.0 | session | both
52055 | PBM File | pbm | 2.1.0.8 | protocol-data-unit | both
52056 | PSD File | psd | 2.1.0.8 | protocol-data-unit | both
52057 | SGI File | sgi | 2.1.0.8 | protocol-data-unit | both
52058 | Softimage PIC File | softimg | 2.1.0.8 | protocol-data-unit | both
52059 | XPM File | xpm | 1.0.1 | protocol-data-unit | both
52060 | Microsoft PE File | PE | 1.0.1 | protocol-data-unit | both
52061 | AI File | ai | 1.0.1 | protocol-data-unit | both
52062 | SVG File | svg | 1.0.1 | protocol-data-unit | both
52063 | SHK File | shk | 1.0.1 | protocol-data-unit | both
52064 | Maya MB File | mb | 2.1.0.8 | protocol-data-unit | both
52065 | Maya ASCII File | ma | 1.0.1 | protocol-data-unit | both
52066 | DPX File | dpx | 2.1.0.8 | protocol-data-unit | both
52067 | CIN File | cin | 2.1.0.8 | protocol-data-unit | both
52068 | EXR File | exr | 1.0.1 | protocol-data-unit | both
52069 | RLA File | rla | 2.1.0.8 | protocol-data-unit | both
52070 | RPF File | rpf | 2.1.0.8 | protocol-data-unit | both
52071 | GIF File | gif | 1.0.1 | protocol-data-unit | both
52072 | JPEG File | jpeg | 1.0.1 | protocol-data-unit | both
52073 | PNG File | png | 1.0.1 | protocol-data-unit | both
52074 | BMP File | bmp | 1.0.1 | protocol-data-unit | both
52075 | IFF File | iff | 2.1.0.8 | protocol-data-unit | both
52076 | WMF File | wmf | 1.0.1 | protocol-data-unit | both
52077 | EMF File | emf | 1.0.1 | protocol-data-unit | both
52078 | EPS File | eps | 1.0.1 | protocol-data-unit | both
52079 | DXF File | dxf | 1.0.1 | protocol-data-unit | both
52080 | MIF File | mif | 1.0.1 | protocol-data-unit | both
52081 | Unknown File | unknown | 3.0.0 | protocol-data-unit | both
52082 | Microsoft Word 2007 IRM Encrypted DOCX File | encrypted-docx | 1.0.1 | protocol-data-unit | both
52083 | Microsoft Excel 2007 IRM Encrypted XLSX File | encrypted-xlsx | 1.0.1 | protocol-data-unit | both
52084 | Microsoft PowerPoint 2007 IRM Encrypted PPTX File | encrypted-pptx | 1.0.1 | protocol-data-unit | both
52085 | Microsoft Word 2007 Encrypted DOCX File | encrypted-docx | 1.0.1 | protocol-data-unit | both
52086 | Encrypted Microsoft Office 2007 File | encrypted-office2007 | 1.0.1 | protocol-data-unit | both
52087 | Encrypted Microsoft Office 2007 File | encrypted-office2007 | 1.0.1 | protocol-data-unit | both
52088 | ISO File | iso | 2.1.0.8 | protocol-data-unit | both
52089 | MSI File | msi | 1.0.0 | protocol-data-unit | both
52090 | Torrent File | torrent | 1.0.0 | protocol-data-unit | both
52091 | N/A | | | |
52092 | CMD Windows Script File | cmd | 1.0.0 | session | both
52093 | LZH File | lzh | 1.0.0 | protocol-data-unit | both
52094 | LNK File | lnk | 2.1.0.8 | protocol-data-unit | both
52095 | DWG File Detected | dwg | 2.1.0.8 | protocol-data-unit | both
52096 | GIF File Upload | gif-upload | 2.1.0.8 | protocol-data-unit | upload
52097 | JPEG File Upload | jpeg-upload | 2.1.0.8 | protocol-data-unit | upload
52098 | BMP File Upload | bmp-upload | 2.1.0.8 | protocol-data-unit | upload
52099 | RealMedia File | rm | 2.1.0.8 | protocol-data-unit | both
52100 | PNG File Upload | png-upload | 3.1.0 | protocol-data-unit | upload
52101 | Mac Application Tar Detected | macapp | 3.1.0 | protocol-data-unit | both
52102 | Mac Application Zip Detected | macapp | 3.1.0 | protocol-data-unit | both
52103 | Mac MPKG Detected | mpkg | 3.1.0 | protocol-data-unit | both
52104 | MP4 Detected | mp4 | 3.1.0 | protocol-data-unit | both
52105 | MKV Detected | mkv | 3.1.0 | protocol-data-unit | both
52106 | AVI DIVX Video Detected | avi-divx | 3.1.0 | protocol-data-unit | both
52107 | AVI XVID Video Detected | avi-xvid | 3.1.0 | protocol-data-unit | both
52108 | Android Package File Detected | apk | 3.1.0 | protocol-data-unit | both
52109 | Graphic Data System File Detected | gds | 3.1.0 | protocol-data-unit | both
52110 | Tanner Database File | tdb | 3.1.0 | protocol-data-unit | both
52111 | OrCAD DSN File | dsn | 3.1.0 | protocol-data-unit | both
52112 | EDIF File | edif | 3.1.0 | protocol-data-unit | both
52113 | EDIF File | edif | 3.1.0 | protocol-data-unit | both
52114 | VBScript Encoded File | vbe | 5.0.0 | session | both
52115 | ISO File | iso | 3.1.0 | protocol-data-unit | both
52116 | JAR File | jar | 3.1.0 | protocol-data-unit | both
52117 | Java Class File | class | 3.1.0 | protocol-data-unit | both
52118 | Apple iWork Pages File | iwork-pages | 3.1.0 | protocol-data-unit | both
52119 | Apple iWork Numbers File | iwork-numbers | 3.1.0 | protocol-data-unit | both
52120 | Apple iWork Keynote File | iwork-keynote | 3.1.0 | protocol-data-unit | both
52121 | CorelDRAW File | cdr | 4.0.0 | protocol-data-unit | both
52122 | Design Web Format File | dwf | 4.0.0 | protocol-data-unit | both
52123 | CAD STEP File | stp | 3.1.0 | protocol-data-unit | both
52124 | CAD STEP File | stp | 3.1.0 | protocol-data-unit | both
52125 | N/A | | | |
52126 | N/A | | | |
52127 | N/A | | | |
52128 | Windows BAT | bat | 4.0.0 | session | both
52129 | Windows Script | wsf | 3.1.0 | protocol-data-unit | both
52130 | Encrypted PDF | encrypted-pdf | 3.1.0 | protocol-data-unit | both
52131 | HTML Application | hta | 4.0.0 | session | both
52132 | Android Package File Detected | apk | 5.0.0 | protocol-data-unit | both
52133 | CMD Windows Script File | cmd | 5.0.0 | session | both
52134 | N/A | | | |
52135 | Android Package File Detected | apk | 3.1.0 | protocol-data-unit | both
52136 | JPEG File Upload | jpeg-upload | 3.1.0 | protocol-data-unit | upload
52137 | PNG File Upload | png-upload | 3.1.0 | protocol-data-unit | upload
52138 | BMP File Upload | bmp-upload | 3.1.0 | protocol-data-unit | upload
52139 | GIF File Upload | gif-upload | 3.1.0 | protocol-data-unit | upload
52140 | Microsoft Word 2007 DOCX File | docx | 3.1.0 | protocol-data-unit | both
52141 | Microsoft Excel 2007 XLSX File | xlsx | 3.1.0 | protocol-data-unit | both
52142 | Microsoft PowerPoint 2007 PPTX File | pptx | 3.1.0 | protocol-data-unit | both
52143 | Email Link | Email-link | 6.1.0 | protocol-data-unit | both
52144 | Windows Screen Saver SCR File | scr | 5.0.0 | session | both
52145 | Adobe Shockwave Flash File | flash | 4.0.0 | protocol-data-unit | both
52146 | N/A | | | |
52147 | N/A | | | |
52148 | Windows Help File | hlp | 3.1.0 | protocol-data-unit | both
52149 | Multi-Level Encoding | Multi-Level-Encoding | 7.0.0 | protocol-data-unit | both
52150 | Catpart | catpart | 3.1.0 | protocol-data-unit | both
52151 | DMG File Detected | dmg | 5.0.0 | protocol-data-unit | both
52152 | PKG File Detected | pkg | 3.1.0 | protocol-data-unit | both
52153 | MACH-O File Detected | mach-o | 5.0.0 | protocol-data-unit | both
52154 | MacOSX Universal Binaries File Detected | mach-ub | 3.1.0 | protocol-data-unit | both
52155 | MacOSX APP File Detected | macapp | 5.0.0 | protocol-data-unit | both
52156 | JustSystems Ichitaro Document | ichitaro | 3.1.0 | protocol-data-unit | both
52157 | ARJ File Detected | arj | 3.1.0 | protocol-data-unit | both
52158 | 7z File Detected | 7z | 3.1.0 | protocol-data-unit | both
52159 | CPL File | cpl | 3.1.0 | protocol-data-unit | both
52160 | CHM File | chm | 7.0.0 | protocol-data-unit | both
52161 | REUSE | msoffice | 3.1.0 | protocol-data-unit | both
52162 | PKG File | pkg | 7.0.0 | protocol-data-unit | both
52163 | Microsoft Word XML File | doc | 5.0.0 | protocol-data-unit | both
52164 | Microsoft Excel XML File | xls | 5.0.0 | protocol-data-unit | both
52165 | Microsoft Word Open XML File | docx | 5.0.0 | protocol-data-unit | both
52166 | PY File | PY | 5.0.0 | protocol-data-unit | both
52168 | MIME HTML File | mht | 5.0.0 | protocol-data-unit | both
52169 | TAR | tar | 5.0.0 | protocol-data-unit | both
52170 | MP3 Detected | mp3 | 5.0.0 | protocol-data-unit | both
52171 | Microsoft Word 2007 DOTM File | dotm | 5.0.0 | protocol-data-unit | both
52172 | Windows Script | wsf | 5.0.0 | protocol-data-unit | both
52173 | Deflate64 Compressed ZIP | deflate64-zip | 5.0.0 | protocol-data-unit | both
52174 | ACE File | ace | 5.0.0 | protocol-data-unit | both
52175 | ELF File | elf | 5.0.0 | protocol-data-unit | both
52177 | WEBM File | webm | 5.0.0 | protocol-data-unit | both
52178 | MPEG-TS File | mpeg-ts | 5.0.0 | protocol-data-unit | both
52179 | 7ZIP File | 7zip | 5.0.0 | protocol-data-unit | both
nrice ‎06-30-2017 04:22 AM
57,331 Views
16 Replies
2 Likes
In order to recognize an application, the Palo Alto Networks firewall needs to capture enough data to match a pattern contained in an application signature. As a compromise between application identification (App-ID) and security, the firewall inspects a limited amount of data before finally deciding whether the application is known or not: it waits for a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake). In most cases the application will be recognized before that amount of data is received. If the application is determined to be unknown, it will appear as "unknown-tcp" or "unknown-udp".
nbilly ‎12-21-2016 07:51 AM
3,999 Views
0 Replies
5 Likes
Symptoms
A Security rule has been configured to block the facebook-chat application; in the traffic log the firewall seems to have successfully blocked facebook-chat, yet the user can continue to use Facebook Chat over the web.

Diagnosis
When Facebook Chat is used in a web page, the web client opens multiple sessions towards the server. Since Facebook integrated chat and messages into one service, half of the sessions have a chat structure and the other half have a mail structure. So, in order to successfully and consistently block Facebook Chat, you need to block both the facebook-chat and the facebook-mail applications.

Solution
Step 1. Enable decryption. For more information about decryption, please refer to "How to Implement and Test SSL Decryption".
Step 2. Configure your security rule to block the "facebook-chat" and "facebook-mail" applications.
Step 3. Create another security rule that allows the "facebook-base" application. Add this security rule below the rule created in Step 2.

With the above configuration, the user can still browse to Facebook, but will not be able to use Facebook Chat.
hsanada ‎09-30-2016 05:05 PM
3,757 Views
0 Replies
To enable Vulnerability Scanning
Vulnerability scanning is automatically enabled if the custom app is based on a "base app" like HTTP or SMB; it also depends on the settings of that policy's vulnerability/spyware profile.
Note: The spyware checkbox in the screenshot is non-operational.

To enable Anti-Virus Scanning
Anti-Virus scanning for a custom application is enabled by setting the virus-ident flag to "yes" as follows:

Multi-vsys platforms:
    # set vsys vsys1 application myapp virus-ident yes

Single-vsys platforms:
    # set application test virus-ident yes

owner: akawimandan
Ameya-Kawimandan ‎09-11-2015 02:00 AM
4,102 Views
0 Replies
Issue:
Palo Alto Networks has an application for ping, but not for traceroute. How can I block traceroute?

Resolution:
The challenge with traceroute is that different OSes and applications implement the traceroute function differently. The standard Windows traceroute, run from the MS-DOS prompt, sends ICMP echo request packets to the destination, incrementing the IP TTL for each hop. The standard Unix traceroute, on the other hand, sends UDP packets to ports 33434-33534 on the destination, incrementing the IP TTL for each hop.

With this behavior in mind, to block Windows traceroutes, create a security rule using the "ping" application. To block Unix traceroutes, use a custom application created for UDP ports 33434-33534.

To differentiate between ping and traceroute for Windows, it appears that the ICMP packets used by Windows for traceroutes have "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" in the ICMP payload. Conversely, ICMP packets used by Windows for ping have "61:62:63:64:65:66:67:68:69:6a:6b:6c:6d:6e:6f:70:71:72:73:74:75:76:77:61:62:63:64:65:66:67:68:69" in the payload. A custom application could be created based on this information, but there is no guarantee that Microsoft or the person running the traceroute would not change the data contained within the payload.

There may be other applications that implement traceroute differently. To block those, capture the traceroute traffic to observe its behavior and then create a custom application for it.

owner: jwoodburn
panagent ‎09-02-2015 07:16 AM
8,069 Views
0 Replies
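The traceroute heuristics from the article above, turned into detection logic as an added example (not code from the article or from Palo Alto Networks): the Windows ping and tracert payloads and the Unix UDP port range are the ones the article quotes, and the TTL-sweep check captures the behaviour common to every flavour, which is what remains when, as the article warns, the payload changes. The packet records are constructed inline.

```python
from typing import Dict, List, Optional, Sequence

# Payloads the article reports: Windows tracert sends 64 zero bytes, Windows ping
# sends the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" pattern.
WINDOWS_TRACERT_PAYLOAD = bytes(64)
WINDOWS_PING_PAYLOAD = bytes(range(0x61, 0x78)) + bytes(range(0x61, 0x6A))

# UDP destination ports the article gives for Unix traceroute (inclusive range).
UNIX_TRACEROUTE_PORTS = range(33434, 33535)
ICMP_ECHO_REQUEST = 8


def classify_probe(proto: str, dst_port: Optional[int] = None,
                   icmp_type: Optional[int] = None, payload: bytes = b"") -> str:
    """Label one packet by the article's per-packet heuristics.  The payload
    match is the weak part: anyone can change the bytes, so treat it as a hint."""
    if proto == "udp" and dst_port in UNIX_TRACEROUTE_PORTS:
        return "unix-traceroute"
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
        if payload == WINDOWS_TRACERT_PAYLOAD:
            return "windows-tracert"
        if payload == WINDOWS_PING_PAYLOAD:
            return "windows-ping"
        return "icmp-echo-other"
    return "other"


def is_ttl_sweep(ttls: Sequence[int], min_hops: int = 3) -> bool:
    """True when successive probes from one source to one destination raise the
    IP TTL by one per hop (traceroute sends several probes per hop, so repeated
    values are collapsed first).  Payload-independent by design."""
    distinct: List[int] = []
    for ttl in ttls:
        if not distinct or ttl != distinct[-1]:
            distinct.append(ttl)
    if len(distinct) < min_hops:
        return False
    return all(b == a + 1 for a, b in zip(distinct, distinct[1:]))


def classify_flow(packets: List[Dict]) -> Dict:
    """packets: constructed records with keys proto, ttl and optionally dst_port,
    icmp_type, payload.  Returns per-packet labels plus the TTL-sweep verdict."""
    labels = [classify_probe(p["proto"], p.get("dst_port"), p.get("icmp_type"),
                             p.get("payload", b"")) for p in packets]
    return {"labels": labels, "ttl_sweep": is_ttl_sweep([p["ttl"] for p in packets])}


# Constructed sample: a Windows tracert that has had its payload altered still
# shows the TTL sweep even though the payload heuristic no longer fires.
SAMPLE_FLOW = [
    {"proto": "icmp", "icmp_type": 8, "payload": b"\x01" * 64, "ttl": hop}
    for hop in (1, 1, 1, 2, 2, 2, 3, 3, 3)
]
```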
Overview
This document demonstrates how to create a security policy to deny high-risk (5) file-sharing applications that leverage peer-to-peer technology under the general-internet category.

Steps
1. Under the Policies tab, select "Security" and then add a security rule.
2. Enter the necessary information under the General, Source, User and Destination tabs, and select the "Application" tab.
3. Select "Add." Scroll to the bottom of the drop-down and select "Application Filter."
4. Name the Application Filter that you want to create. Since we are interested in high-risk (5) file-sharing applications that use peer-to-peer technology, set the filter as follows:
   - Under the Category column, click to highlight general-internet
   - Select file-sharing under Subcategory
   - Technology: peer-to-peer
   - Risk: 5
5. Select "OK" to save. The Application Filter will appear in the rule.
6. Complete the rest of the Security Policy rule. It is recommended to leave Service/URL Category as 'Any'. Action is then set to 'Deny'.

By following the above steps, traffic through the firewall will be categorized by the application filter.

Note: Application filters are dynamic. If a built-in category is chosen, a group can be made that is usable in rules. This will include everything that matches that category. As applications are re-categorized or as new ones are added to that category, they will be added to or removed from the filter dynamically. This can potentially lead to issues, because re-categorization can cause applications that were previously allowed to now be disallowed, and vice versa. With an application group, though, applications are grouped in the same manner as a service-group or address-group. When more applications to allow or block are added, they will need to be added to the application group manually.

See Also
For an in-depth understanding of application dependencies, in order to effectively apply the High-Risk Apps to a security policy, refer to the following document: How to Check if an Application Needs to have Explicitly Allowed Dependency Apps
owner: sodhegba
sodhegba ‎07-25-2013 08:21 AM
41,003 Views
3 Replies
1 Like
Details
Many well-known services such as LDAP, IMAP, POP3, SMTP, and FTP have an SSL-secured version available that runs on an alternate SSL-variant port, different from their standard port. In all of these cases the traffic is identified as the 'ssl' application by App-ID on the Palo Alto Networks firewall. There are a few different approaches to creating a security policy to allow these services; some of these are discussed below:
1. Use STARTTLS, which is supported by all these protocols (see http://en.wikipedia.org/wiki/STARTTLS). In this case they will be identified as the App-ID corresponding to the protocol (ldap, imap, pop3, etc.) instead of as 'ssl', and they use the standard port for the protocol rather than the SSL-variant port.
2. Create service objects for the SSL-variant ports, and allow the 'ssl' App-ID in security policy on those services: SMTPS: TCP/465; IMAPS: TCP/993; POP3S: TCP/995; FTPS: TCP/990.
3. Create custom apps based on your server certificate. See the example for this on DevCenter: Custom Application for SSL-based traffic
4. Enable decryption, and these will be identified as the corresponding App-ID: smtp, imap, pop3, etc.

See Also
How to Implement SSL Decryption
owner: savasarala
SRA ‎04-19-2013 06:50 PM
29,123 Views
5 Replies
2 Likes
Overview
This document describes how to block Google Chrome on a Palo Alto Networks device.

Steps
Note: For this process to work for HTTPS sites, SSL decryption needs to be configured. To configure SSL decryption, see How to Implement SSL Decryption.
1. From the Objects tab, navigate to Applications and select "Add".
2. In the Application window, fill out the required fields: Name, Category, Subcategory, and Technology. Choosing a Parent App and Risk is not required.
   [Screenshot: example Application window.]
3. On the Signature tab, enter a name for the signature and (optionally) a comment for the signature. Select "Transaction" for the scope. Add an OR condition with the following settings and select OK:
   Operator: Pattern Match
   Context:  http-req-headers
   Pattern:  Chrome/
4. Press OK again and commit your change.

Security policies can now reference the custom application. Once a security policy is added to block the custom application "Chrome", new sessions will be blocked.
owner: cstancill
nrice ‎01-15-2010 03:30 PM
16,340 Views
5 Replies
Details
Command to clear the application cache:
    > debug dataplane reset appid cache

Command to show the running application cache:
    > show running application cache
    APPID CACHE
    IP[PORT]                 PROTO  APPID     COUNT     THRESHOLD  HITS      TIMEOUT
    172.28.18.1[22]          6      37        1         16         0         28
    HEURISTIC CACHE
    SRC[PORT]                DST[PORT]                PROTO  APPID     COUNT     VALID

Command to stop application caching for newly created sessions:
    > set application cache no
    Application cache is set to be no

Command to enable application caching:
    > set application cache yes
    Application cache is set to be yes

Note: Every application needs to be examined, which may affect throughput on the Palo Alto Networks device.

Command to verify application caching is disabled:
    > show running application setting
    Application setting:
    Application cache             : no
    Supernode                     : yes
    Heuristics                    : yes
    Cache Threshold               : 16
    Bypass when exceeds queue limit: yes
    Traceroute appid              : yes
    Traceroute TTL threshold      : 30
    Use cache for appid           : no
    Unknown capture               : on
    Max. unknown sessions         : 5000
    Current unknown sessions      : 0
    Application capture           : off
    Current APPID Signature
    Signature Usage            : 21  MB (Max. 32  MB)
    TCP 1 C2S               : 15335  states, in offloader
    TCP 1 S2C               : 4824   states, in offloader
    TCP 2 C2S               : 2312   states, in offloader
    TCP 2 S2C               : 728    states, in offloader
    UDP 1 C2S               : 12832  states, in offloader
    UDP 1 S2C               : 3288   states, in offloader
    UDP 2 C2S               : 636    states, in offloader

owner: panagent
nrice ‎01-15-2010 03:06 PM
5,945 Views
0 Replies