I know that FW can control application correctly when has L7 signature.
But my customer want to create application signature more simple and easy for internal trust server.
For example, There is 192.168.1.1 web-server. He want to create app "our-web-server" for destination IP and port are 192.168.1.1:80.
Can FW be available?
Solved! Go to Solution.
Signatures are Layer 7 attributes, and addresses are layer 3 attributes. As per the PANFW session flow, Layer 3 and layer 4 ( port number) checks are performed first before the actual layer 7 checks ( which happens on a different hardware chip, depending on the platform ). Hence you cannot club addresses into the signature. We can configure security polices, or application override policies to control traffic for a specific IP address along with the application ( built in or custom ).
The best bet would be to create a custom application. Name it as "our-web-server" for better understanding. Use it in a rule "Our-web-server-rule", and include the IP address and the custom application under it.
Hope that helps!
For your requirement to make a simple and new app to find if this is your web-server traffic yes we can do. Create a new APP with the required destination tcp/udp port. Assign this new app in the Application override rule where we provide the source and destination IPs.
By doing so for any further traffic matching the IP's and ports in the App the traffic would match the application override rule and the sessions would show the new app. ( considering the old sessions are timed out, if not we can clear the old ones )
The prior update by kprakash was to intend that the IPs cannot be added in a signature pattern as such.
Hope this helps !
Have you looked at the Applocation Override feature in the Policies Tab? What you have described sounds like a perfect match.
Thank you very much Karthik , Phoenix and skrall.
I knew that all traffic for some tcp/udp port(tcp/80) will be port base custom application(our-web-server) when create port base custom application without application-override.
I have tested and seen that port base custom application without override is not generated application in traffic log.
The port base custom application with override is generated application is traffic log.
I got it. As Karthik mentioned, L3&L4 check and L7 check are probably different hardware chip.
Where is the application signature? in signature math hw engine? or in security process?
The Signature matching is done on a different chip or performed on a software thread depending on the platforms. The security policy check for the traffic happens prior to the signature check, and its performed on another chip ( octeon ), before the traffic is fed to the signature matching engine ( chip )
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!