Getting Started: Custom applications and app override

by Tom on 01-27-2016 04:53 AM, edited on 12-07-2016 11:52 AM

What more can my firewall do? Custom applications and app override!

 

Depending on your environment, you may have custom-built, proprietary applications, or traffic you simply want to identify by a custom name. You may be running a web service that the Palo Alto Networks firewall normally identifies as web-browsing, which makes reporting on it harder, or you may want to apply QoS to a specific set of connections that share a common App-ID.

 

To get around these issues, you can create custom App-IDs that match a certain signature in the traffic or use application override to simply force certain sessions to be identified as an application you configure.

 

A signature-based custom app relies on the App-ID engine to positively identify a signature in the packets passing through the firewall. If you are trying to identify a proprietary application that uses predictable or easily identifiable signatures, you can create a custom application using regex to help identify the signature. 

 

Example: I have a web service running internally at the hostname www.example.com. Since this is a regular website, the firewall identifies it with the 'web-browsing' App-ID.

 

Signature-based custom App-ID

 

[Screenshot]

 

When we take a closer look at a packet capture of the traffic heading to the server, the hostname in the HTTP Host header is an easily identifiable signature.

 

[Screenshot: packet capture]

 

To create a custom app, go to Objects > Applications and add a new application. Set the application properties and, if applicable, the Parent App. The Parent App is used when the traffic is already being identified as an existing application; it helps App-ID report the custom app properly. For a proprietary application that App-ID does not currently identify, the Parent App can be left as 'none'.

 

[Screenshot: custom application settings]

 

In the Advanced tab, you can set the ports and protocol the application uses, and whether the application can be scanned for threats. There are, however, a few caveats that are important to consider:

  • If the custom application has the scanning options unchecked, the threat engine stops inspecting the traffic as soon as the custom application is identified.
  • If the custom app has no parent app that regular App-ID can identify, or it is used in an application override (see below), it cannot be scanned for threats.

[Screenshot: custom application, Advanced tab]

 

In the signatures tab, you can add all the signatures required to identify the application. The App-ID engine can be instructed to look for potential signatures in a single transaction (a single packet from client to server or server to client) or in the entire session (a signature or signatures could be spread over several packets in either direction). There are plenty of options available on where to look for signatures and in which context. Multiple signature sets can also be added in an 'AND' or 'OR' condition.

 

If all this seems a little confusing, don't worry; I've added several helpful articles at the end that explain in more depth what can be achieved with custom signatures. For now, we'll keep it simple and look for a signature in the HTTP request Host header:

 

[Screenshot: custom application, Signatures tab]

My signature is simply the host name in regex-friendly form, www\.example\.com: each dot is escaped with a backslash so it matches a literal dot rather than any single character. I'll also set the Qualifier to http-method GET, so the pattern only has to match in GET requests.
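As an added illustration (my own example code, not anything from the article or from PAN-OS itself), the following Python model shows how a pattern-match condition like the one above evaluates against a client request: the regex is searched within the chosen context, any qualifier must match exactly, and several conditions combine as an AND of OR groups, as described for the Signatures tab. The sample requests are constructed, the context names merely mirror the PAN-OS labels, and the matching semantics are a simplification (an unanchored regex search over a single client-to-server transaction). It also shows why the escaped dot matters, and how extra HTTP methods would be handled with an OR condition rather than one pattern.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample client->server HTTP requests (not captures from the article).
SAMPLES: Dict[str, bytes] = {
    "get_example": (b"GET /index.html HTTP/1.1\r\n"
                    b"Host: www.example.com\r\n"
                    b"User-Agent: curl/8.0\r\n\r\n"),
    "post_example": (b"POST /api/login HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n"
                     b"Content-Length: 0\r\n\r\n"),
    "lookalike": (b"GET / HTTP/1.1\r\n"
                  b"Host: wwwXexampleYcom\r\n\r\n"),
    "other_site": (b"GET / HTTP/1.1\r\n"
                   b"Host: www.example.org\r\n\r\n"),
}


def parse_request(raw: bytes) -> Dict[str, str]:
    """Pull the two contexts this example needs out of one request.

    The keys 'http-method' and 'http-req-host-header' mirror the PAN-OS
    context labels; the parser itself is example code, not the firewall's.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"http-method": method, "http-req-host-header": headers.get("host", "")}


@dataclass
class Condition:
    """One pattern-match condition: a regex searched in a context, plus
    optional qualifiers (e.g. http-method) that must match exactly."""
    context: str
    pattern: str
    qualifiers: Dict[str, str] = field(default_factory=dict)

    def matches(self, fields: Dict[str, str]) -> bool:
        if re.search(self.pattern, fields.get(self.context, "")) is None:
            return False
        return all(fields.get(k) == v for k, v in self.qualifiers.items())


@dataclass
class Signature:
    """A signature is an AND over groups; each group is an OR over conditions."""
    and_groups: List[List[Condition]]

    def matches(self, fields: Dict[str, str]) -> bool:
        return all(any(c.matches(fields) for c in group) for group in self.and_groups)


HOST = r"www\.example\.com"      # dots escaped so each one means a literal dot
HOST_CTX = "http-req-host-header"

SIGNATURES: Dict[str, Signature] = {
    # Unescaped dots: '.' matches any character, so look-alike hosts match too.
    "sloppy-dots": Signature([[Condition(HOST_CTX, "www.example.com")]]),
    # The article's signature: escaped host name, qualified to GET requests.
    "internal-web-get": Signature([[Condition(HOST_CTX, HOST, {"http-method": "GET"})]]),
    # Several methods: one OR group of individually qualified conditions.
    "internal-web-any": Signature([[Condition(HOST_CTX, HOST, {"http-method": m})
                                    for m in ("GET", "POST", "PUT", "DELETE")]]),
}


def identify(raw: bytes, signatures: Dict[str, Signature]) -> Optional[str]:
    """Return the first signature name that matches the request, else None
    (None stands in for the firewall falling back to web-browsing)."""
    fields = parse_request(raw)
    for name, sig in signatures.items():
        if sig.matches(fields):
            return name
    return None


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """Matrix of sample -> signature name -> matched, for inspection."""
    return {s: {n: sig.matches(parse_request(raw)) for n, sig in SIGNATURES.items()}
            for s, raw in SAMPLES.items()}


if __name__ == "__main__":
    for sample, row in evaluate_all().items():
        print(f"{sample:13s} " + "  ".join(f"{n}={'Y' if v else 'n'}" for n, v in row.items()))
```

Running the block prints one row per sample request. The unescaped pattern matches the look-alike host, the article's GET-qualified signature ignores the POST to the same site, and the OR group of per-method conditions catches both while still rejecting the look-alike and the unrelated site.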

 

[Screenshot: signature with Host header pattern and GET qualifier]

 

Once this custom application is committed, the firewall starts identifying sessions whose GET request carries that Host header as the new application:

[Screenshot: traffic log showing the custom application]

 

We can now create reports based on the custom application and monitor specifically what kind of traffic is hitting our site.

 

 

The above steps will work perfectly if the application can be easily identified, but sometimes it may not be necessary or even possible to look into a datastream and identify a certain signature.

 

Application Override

 

Application override forcibly bypasses the App-ID process and assigns every session matching the override policy to a manually configured application name. Sessions processed this way skip the rest of the single-pass parallel processing (no signature matching or content inspection) and are offloaded to the fastpath.

[Screenshot: application override policy]

 

For most use cases, we recommend creating a simple custom application with as few attributes as possible, as the app override bypasses scanning and signature detection anyway: it simply labels a session as the custom application and takes no further action. This can be a very simple but powerful tool for identifying internal applications and improving throughput, as the session is offloaded to hardware immediately, but please consider the security implications before using it.

 

[Screenshot: application override policy]

 

If you're wondering what else you can do with custom apps or signature-based detection, please take a look at the following articles that show you more ways to leverage signatures to identify applications or block types of traffic.

 

How to configure a Custom App-ID

Tips & Tricks - Custom Vulnerability

 

 

I hope you liked this article; feel free to leave a comment below.

If you want to see more of these, please check out the landing page of the Getting Started series!

 

Till next time,

Tom

Comments
by jezkerwin
on 01-08-2018 06:27 PM

If you have a more complex web application, do you include signatures for each of the HTTP methods that the app may use?

eg. GET, PUT, POST, DELETE, etc?

by
on 01-09-2018 02:08 AM

Hi @jezkerwin

 

The more qualifiers you are able to add, the better, as they will help prevent false positives (although mixing these would probably require an 'or' condition between the signatures).

 

by JaimeCastelan
on 03-09-2018 12:04 PM

What happens when I create a custom app and then, over time, App-ID is able to identify it? Should I use both? Will there be an overlap, or what will be the best practice for this situation?

Thanks in advance!

by
on 03-13-2018 12:25 AM

hi @JaimeCastelan

 

Good question!

The 'traditional' answer would be that App-ID would simply add the new application to the mix and there could be some competition, depending on how well you created your custom app. But results would be 'interesting' at best, since now you'd have two apps for the same flow. The recommendation would be to use the built-in one, as hopefully our development team did their homework and created the app better than you did your custom app, but you'd still be able to use your custom app.

 

There are 2 developments that allow you to choose and prepare more easily: first, we added the ability to disable 'new' App-IDs, so that in this scenario, if you preferred to stick with your custom app, you could simply disable the new one we provided and keep doing things like before without the new app interfering.

 

Second: starting from PAN-OS 8.1 we've added even more control over new App-IDs, so you wouldn't run into an issue.

by kpotru
on 03-27-2018 10:04 AM

So we created an App Override policy, since we can't create a custom application with the pcap files that we received from the application owner. So what kind of false positives are we looking at for the application, where we don't have a matching pattern and just used ports and source and destination IPs?

 

Thanks in advance!

by
on 03-27-2018 12:54 PM

hi @kpotru

 

As soon as you create an app override, you no longer get any more pattern matching, you simply classify everything that matches the policy as the custom app.

 

The advantage is you can skip the pattern bit; the disadvantage is that if you do have a mix of a built-in application and a custom one, everything will match the custom one.

by TimmyLamar
on 03-31-2018 09:57 PM

Hi @reaper

 

Is it possible to create a custom App-ID for non-HTTP traffic without data?

 

It's a crypto mining application pointing to jp.nicehash.com, so I assume I must use the TCP payload, but I can't capture the data.

 

I managed to configure app override currently, but I am struggling to get the information from the pcap for the suitable content of the pcap.

 

So what I have is the destination IP and port.

 

Just curious, can I do it without app override?

 

 

by
on 04-03-2018 12:08 AM

hi @TimmyLamar

 

Is it being identified as something right now or is it unknown-tcp?

App-ID will try to match the most specific app, so a custom app without signatures will only match if it is more specific than 'unknown'

Are you able to share your captures?

Alternatively, you can reach out to support and request that they have an official app created.

by kpotru
on 04-03-2018 07:21 AM

hi @TimmyLamar

 

It is being identified as unknown-tcp.

Yes I can, but they are huge; each one is 700MB.

We tried to reach out to Support for a real App-ID, but there is no ETA on when they will be making a real one; they usually release with the major releases and it will take months.

For now we tried using an App Override policy and traffic is showing up as the application, but we need to do some more testing.

