Can I create a custom application with a destination IP and TCP/UDP port?

L4 Transporter

Hello,

I know that the FW can control applications correctly when it has an L7 signature.

But my customer wants to create a simpler and easier application signature for internal trusted servers.

For example, there is a web server at 192.168.1.1. He wants to create an app "our-web-server" whose destination IP and port are 192.168.1.1:80.

Is this possible on the FW?

Thanks.

Accepted Solutions

L5 Sessionator

Signatures are Layer 7 attributes, and addresses are Layer 3 attributes. As per the PANFW session flow, Layer 3 and Layer 4 (port number) checks are performed first, before the actual Layer 7 checks (which happen on a different hardware chip, depending on the platform). Hence you cannot club addresses into the signature. We can configure security policies, or application override policies, to control traffic for a specific IP address along with the application (built-in or custom).

The best bet would be to create a custom application. Name it "our-web-server" for better understanding. Use it in a rule "Our-web-server-rule", and include the IP address and the custom application under it.

Hope that helps!

Best regards,

Karthik

Hello Cheon,

For your requirement to make a simple new app to identify your web-server traffic: yes, we can do it. Create a new app with the required destination TCP/UDP port. Assign this new app in the application override rule, where we provide the source and destination IPs.

By doing so, any further traffic matching the IPs and ports in the app would match the application override rule, and the sessions would show the new app (considering the old sessions are timed out; if not, we can clear the old ones).

The prior reply by kprakash was intended to say that the IPs cannot be added in a signature pattern as such.

Hope this helps!
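The approach described in the two replies above (a port-based custom app, bound to the server address by an application override rule, then referenced in a security rule), written out as PAN-OS configure-mode CLI. This is an added example, not the poster's configuration; the zone names trust and dmz and the override rule name are assumptions, while the app name, security rule name, address and port come from the thread.

```text
# PAN-OS configure mode. Added example; zones "trust" and "dmz" are assumed.

# 1. Port-based custom application (no L7 pattern).
#    Category, subcategory, technology and risk are required attributes.
set application our-web-server category business-systems subcategory general-business technology client-server risk 1
set application our-web-server default port tcp/80

# 2. Application override rule. This is the only place the destination
#    address can be tied to the app: L3/L4 matching happens before App-ID.
#    Note the trade-off: overridden sessions skip App-ID signature matching,
#    so no L7 inspection is performed on this flow. Scope it as tightly as possible.
set rulebase application-override rules our-web-server-override from trust
set rulebase application-override rules our-web-server-override to dmz
set rulebase application-override rules our-web-server-override source any
set rulebase application-override rules our-web-server-override destination 192.168.1.1
set rulebase application-override rules our-web-server-override protocol tcp
set rulebase application-override rules our-web-server-override port 80
set rulebase application-override rules our-web-server-override application our-web-server

# 3. Security rule that allows only the overridden app to the server.
#    Traffic logs for matching sessions now show "our-web-server".
set rulebase security rules Our-web-server-rule from trust
set rulebase security rules Our-web-server-rule to dmz
set rulebase security rules Our-web-server-rule source any
set rulebase security rules Our-web-server-rule destination 192.168.1.1
set rulebase security rules Our-web-server-rule application our-web-server
set rulebase security rules Our-web-server-rule service application-default
set rulebase security rules Our-web-server-rule action allow

commit
```

After the commit, sessions established before the change keep their old App-ID until they age out; clearing them from operational mode (`clear session all filter destination 192.168.1.1`) forces re-evaluation, as the reply above notes.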

L4 Transporter

Have you looked at the Application Override feature in the Policies tab? What you have described sounds like a perfect match.

SKrall

Thank you very much Karthik, Phoenix and skrall.

I knew that all traffic for some TCP/UDP port (tcp/80) would be the port-based custom application (our-web-server) when creating a port-based custom application without application override.

I have tested and seen that a port-based custom application without override is not generated as the application in the traffic log.

The port-based custom application with override is generated as the application in the traffic log.

I got it. As Karthik mentioned, the L3&L4 check and the L7 check are probably on different hardware chips.

Where is the application signature? In the signature match HW engine? Or in the security processor?

Good luck.

Why don't you try a custom application based on the Host header value as the signature?

The signature matching is done on a different chip or performed in a software thread, depending on the platform. The security policy check for the traffic happens prior to the signature check, and it is performed on another chip (Octeon), before the traffic is fed to the signature matching engine (chip).
