How to create a custom application for SSL traffic using the SNI field


 

This article discusses how PAN-OS can leverage the SNI (Server Name Indication) field to create a custom application.

 

What is SNI (Server Name Indication)?


SNI is an extension to the SSL/TLS protocol that indicates what hostname the client is attempting to connect to.
SNI inserts the requested hostname (website address) within the TLS handshake (the browser sends it as part of ‘Client Hello’), enabling the server to determine the most appropriate SSL certificate to present to the browser.

 

 

When to use SNI to create custom applications


In cases where the SNI field is consistent, it can be reliably used to identify the application.

A custom application can be defined and used to control the SSL traffic without the need for SSL decryption.

 

 


Example of creating a custom application

 

The following example shows how to create a custom application for YouTube where the SNI field is seen as www.youtube.com (as an example only).

 

Analyze the traffic for consistency of the SNI field in the Client Hello:

 

[Screenshot: Snip20160118_28.png]


Navigate to Objects > Application > Add.


1. Define the general properties of the application:

 

[Screenshot: youtube sni.png]

 

 

 

2. Define the port and protocol as TCP and 443 respectively, since SSL uses protocol TCP and port 443 for communication.


Define the other Timeout settings as required:

 

[Screenshot: Snip20160117_24.png]

 

 

3. The last and most important part of the application definition is to select the context 'ssl-req-client-hello' and define the required pattern as it appears in the Client Hello SNI field:

 

[Screenshot: Snip20160117_25.png]

[Screenshot: Snip20160117_26.png]

 

 

Note:

 

  • We recommend analyzing the traffic thoroughly before creating an application signature to ensure the custom application matches reliably.
  • The same web service may present different SNIs on different occasions, so the custom application must account for all of those possibilities.
  • The SNI field carries the hostname the client is attempting to reach, so any change in the hostname the client requests may cause the traffic to stop matching the custom application.
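To illustrate what the firewall is doing in the 'ssl-req-client-hello' context, here is an added Python example (it is not part of the original article and not PAN-OS code). It builds a constructed TLS Client Hello carrying a server_name extension, parses the SNI hostname back out of the record, checks a set of captured Client Hellos for SNI consistency, and classifies a connection as a custom application or falls back to the parent application. The app name youtube_sni, the pattern list, the parent name "ssl" and all hostnames are sample values chosen for the example.

```python
"""Parse the SNI field of a TLS Client Hello and match it against a
custom-application pattern.  Added example: the Client Hello bytes are
constructed by hand, and the app names and patterns are sample values."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 Client Hello record with one server_name extension.
    Only used to produce constructed input for the parser below."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x11" * 32          # client random (constructed, not random)
        + b"\x00"               # session id length 0
        + b"\x00\x02\xc0\x2f"   # cipher suites: one suite
        + b"\x01\x00"           # compression methods: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:          # content type 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # handshake type 1 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression methods
    if len(body) < pos + 2:
        return None                                   # no extensions at all -> no SNI
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end and pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(data) >= 5:
            entries = data[2:2 + struct.unpack("!H", data[:2])[0]]
            i = 0
            while i + 3 <= len(entries):
                name_type = entries[i]
                name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
                if name_type == 0:
                    return entries[i + 3:i + 3 + name_len].decode("ascii", errors="replace")
                i += 3 + name_len
    return None


# Sample custom apps: app name -> hostnames (exact or any subdomain) that identify it.
CUSTOM_APPS = {"youtube_sni": ["www.youtube.com", "youtube.com"]}


def observed_snis(records):
    """Distinct SNI hostnames across captured Client Hellos (the consistency check)."""
    return sorted({s for s in (extract_sni(r) for r in records) if s is not None})


def classify(record: bytes, apps=CUSTOM_APPS, parent="ssl") -> str:
    """Name the custom app whose pattern the SNI matches, else the parent app."""
    sni = extract_sni(record)
    if sni is None:
        return parent
    for app, patterns in apps.items():
        if any(sni == p or sni.endswith("." + p) for p in patterns):
            return app
    return parent


if __name__ == "__main__":
    capture = [build_client_hello("www.youtube.com"), build_client_hello("m.youtube.com")]
    print("SNIs seen:", observed_snis(capture))
    for rec in capture:
        print(extract_sni(rec), "->", classify(rec))
```

The matcher treats a pattern as a hostname (exact or any subdomain) rather than a bare substring, so a pattern such as youtube.com cannot be matched by an unrelated name that merely contains those characters; run observed_snis over a real capture before choosing the pattern list, which is the consistency check the note above asks for.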

 

Comments

"Pattern" needs to be entered as hex. Pull the SNI hex from pcap and enclose with /x in the pattern field.

At least on PAN-OS 8.0.3 there is no need to use the HEX format. Simply the name in text format.

1. Why do we need to provide the port as part of the custom app definition? Isn't this part of the service?

2. Why wouldn't you make the parent app ssl in this case? If not, can it get detected as ssl instead of youtube_sni?

hi @prprpr !

1. The port will help if you use 'application-default' in the security policy to prevent these connections from being established on strange and abnormal ports (e.g. there could be a session on port 3543, but do you want to allow this, as it is suspicious): this is best practice but not required

2. In this scenario you actually would set the parent app, I'll update the screenshot to reflect that: the parent app is used when the application can match both the parent (ssl) and the child (YouTube SNI) but AppID will pick the child as the most exact match. Normally you would only leave the parent app empty if there is no matching parent