Re: Application based Policy approach

L2 Linker

Re: Application based Policy approach

While moving from a service based to application based policy approach how to tackle the dependent applications for the specific application. for instance consider a app "webex-base" which is dependent on apps"rtcp, rtp-base, ssl, stun, web-browsing".

"Webex-base" has a standard-port tcp/443,80,1270, udp/8070,8090,9000.

when i see the logs it shows that when the session is occuring only these applications are being seen webex-base(on 443 (one of the stadard ports no confilt) ),stun-9000( which is one of the standard ports of the webex base and stun uses tcp/3478, udp/3478 as standard ports) so does that implies that depedent applications use standard -port range of the webex-base application?

so, application field =webex-base, services filed =application-default in the rule for webex-traffic.
now how do we address dependent applications so that we can keep track of these non-conventional apps?
do we need to provide additional rules to provision it for the app to work properly without break? 


Community Manager

Re: Application based Policy approach

applications are identified in stages

when a SYN packet arrives on the firewall, it is hard to identify the app purely on the port, the next few packets may contain a certificate or some payload that identifies the session as web-browsing or a connection to a certain site for which an app exists so app-id will switch the 'unknown-tcp' app that has been applied to the session to this point, with the application that best matches  the packets/payload seen so far, but many applications then start behaving moredifferently depending on what (l7) application was actually started, like webex (you could be doing voice, screenshare, fileshare, ... all which have their own signature) so then the App-ID engine will switch the application for the session yet again to the final app


all the steps to get to a final identification are dependencies: if you block web-browsing, you will not be able to get to an application that runs on a regular web platform, for example, because the session will first behave like normal web browsing before the app itself is activated (look at the tcp packets sequentially)

so the dependencies will need to be allowed in a policy somewhere for the webex app to work


other dependencies may simply be needed to form a control channel which is not directly related to the process explained above



there is one caveat: some dependencies may not be necessary for your specific deployment, so you can leave them out of the security policy, but you will keep getting the dependency warning during the commit. this is because the dependencies are needed to allow the full suite of an application's functionality: eg. your webex deployment may not require RTCP


hope this helps


Help the community: Like helpful comments and mark solutions
Reaper out
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!