Custom Application and TAC


Hello 

 

Can I request TAC to create a custom application, or do I have to do it myself? I found this, but I guess it is for public applications, not internal ones.

http://researchcenter.paloaltonetworks.com/submit-an-application/


Community Team Member

Hi,

 

You will have to create it yourself.  

The form is to submit a new public application.

 

This might be useful :

Custom-Application-Signatures

 

Cheers !

-Kim

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Hello Kiwi

 

So a custom application is required only when I see the unknown application in the logs? In which case will I create the app override?

Right, custom applications are only needed if your traffic is unknown to the PA.

 

Application override is different.  This prevents the upper level inspections and you would use this when the PA is incorrectly categorizing your traffic as a known application.  You override the categorization using these rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thank you, Steve. But in the PA documents and video, I saw that for unknown applications they are using app override.

Do you have the link for the video handy so I can understand the context of what they are doing there?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hello Steve

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-Po...

 

An application override could be used with custom internal applications that use non-standard port numbers or internal applications classified by the firewall as "unknown" for which custom definitions have been created.

@pulukas Could you please see this video? They are saying that for unknown-tcp and udp you can use app-override.

https://www.youtube.com/watch?v=CwXdWJpw0UY

app override is used to prevent the AppID engine from kicking in

 

it is not necessary to use this for a custom application to work, but can be useful in certain scenarios:

-AppID wants to identify an application and you need it to be something else (there could be a custom application mechanism that conflicts with how its parent application is supposed to work)

-the app is unknown so AppID will not be useful

 

for unknown applications, app override is not mandatory, it simply preserves resources by disabling AppID for a particular session

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper thank you. So for an unknown application, we can either do an app override or make a custom application. If traffic matches a built-in application (wrongly) and a custom application as well, then what will the PA match it with? I mean the built-in application or the custom application?

 

I appreciate your reply.

the normal flow would be like this (for example, there is a web-app you want to identify)

 

you create a custom app that matches a certain signature

 

without app override

AppID will start processing a new session

at the http/1.1 it will likely first identify web-browsing,

in one of the next packets, your signature would be hit and the app would change into your custom application

 

 

with app override:

a new session is received matching the app override rule, custom application is assigned, no logic is checked (basically like a traditional firewall without intelligence)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Thanks. Sorry for my ignorance, but I need to ask: for my custom signature to work, do I need to explicitly allow web-browsing in the security rule along with the custom app, or is there no need?

no problem!

 

if your custom app relies on web-browsing, yes (eg you're hosting a website and want it identified as a specific app)

if your custom app is something written from scratch, not running on top of a known protocol: no

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper so it means for all custom web applications, web-browsing has to be allowed with custom application?

yes, but it doesn't need to be in the same rule, as long as web-browsing is allowed somewhere in the policy, it will work

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
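
The two approaches discussed in this thread, written out as PAN-OS set commands. This is an added example, not configuration posted by any participant: the application names, zones, addresses and the signature pattern are constructed, lines starting with `#` are annotations rather than CLI input, and the exact syntax should be checked against your PAN-OS version.

```text
# Constructed example: names, zones, addresses and the pattern are placeholders.
# Lines starting with '#' are annotations, not CLI input.

# --- Case 1: custom web app on top of HTTP, identified by an App-ID signature ---
set application intranet-portal category business-systems subcategory general-business technology browser-based risk 1
set application intranet-portal parent-app web-browsing
set application intranet-portal default port tcp/80
set application intranet-portal signature host-match scope session order-free no and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context http-req-host-header pattern portal\.corp\.example

# The session is web-browsing until the signature hits, so both applications
# must be allowed somewhere in the policy (separate rules are fine).
set rulebase security rules allow-intranet-portal from trust to dmz source any destination 10.0.0.5 application intranet-portal service application-default action allow
set rulebase security rules allow-web-to-portal from trust to dmz source any destination 10.0.0.5 application web-browsing service application-default action allow

# --- Case 2: protocol written from scratch, no parent app: application override ---
set application inventory-sync category business-systems subcategory general-business technology client-server risk 1
set application inventory-sync default port tcp/9000

# The override assigns the application when the session starts; App-ID does not run.
set rulebase application-override rules ovr-inventory-sync from trust to dmz source 10.1.0.0/24 destination 10.0.0.6 protocol tcp port 9000 application inventory-sync
set rulebase security rules allow-inventory-sync from trust to dmz source 10.1.0.0/24 destination 10.0.0.6 application inventory-sync service application-default action allow
```

Because an overridden session skips App-ID and, as the replies above put it, is handled like a traditional firewall, keep the override rule scoped to a specific source, destination and port rather than `any`.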