Management Articles

Featured Article
After matching a custom application, the Palo Alto Networks firewall cannot create the PREDICT session by ALG, which might result in 'file transfer failed on ftp data connection.' We have a solution.
View full article
tsakurai ‎02-01-2018 08:23 AM
5,883 Views
0 Replies
This article discusses how PAN-OS can leverage the SNI (Server Name Indication) field to create a custom application.

What is SNI (Server Name Indication)?
SNI is an extension to the SSL/TLS protocol that indicates which hostname the client is attempting to connect to. SNI carries the requested hostname (website address) within the TLS handshake (the browser sends it as part of the 'Client Hello'), enabling the server to determine the most appropriate SSL certificate to present to the browser.

When to use SNI to create custom applications
In cases where the SNI field is consistent, it can be reliably used to identify the application. A custom application can be defined and used to control the SSL traffic without the need for SSL decryption.

Example of creating a custom application
The following example shows how to create a custom application for YouTube where the SNI field is seen as www.youtube.com (as an example only).

Analyze the traffic for consistency of the SNI field in the Client Hello, then navigate to Objects > Application > Add.
1. Define the general properties of the application.
2. Define the protocol and port as TCP and 443 respectively, since SSL uses protocol TCP and port 443 for communication. Define the other Timeout settings as required.
3. The last and most important part of the application definition is to select the context 'ssl-req-client-hello' and define the required pattern as seen in the Client Hello SNI field.

Note: We recommend analyzing the traffic thoroughly before creating an application signature, to ensure the reliability of the custom application. It is possible for the same web service to use different SNIs on different occasions, so the signature must take all such possibilities into consideration. The SNI field carries the hostname the client is attempting to connect to, so any change in the client's request may cause the custom application to stop matching.
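The SNI lookup the article relies on, shown as an added example (not part of the original article and not PAN-OS code): a small Python parser that pulls the host_name entry out of a TLS ClientHello record, plus a helper that reports the distinct SNI values seen across a set of ClientHellos, which is the consistency check the note above asks for before committing to an 'ssl-req-client-hello' pattern. The function `build_client_hello` is a constructed minimal ClientHello used only to produce input for the demo; it is not a real capture, and all function names are this example's own.

```python
"""Extract the SNI hostname from a TLS ClientHello (added example)."""
import struct


def build_client_hello(hostname):
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI entry.
    Demo input only; an empty hostname produces a ClientHello with no
    extensions block at all (legal, and what a non-SNI client sends)."""
    extensions = b""
    if hostname:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type 0
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)      # client_version + random (zeroed, demo only)
            + b"\x00"                     # empty session_id
            + b"\x00\x02\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                 # compression_methods: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Bounds-checked cursor so a truncated record raises instead of mis-parsing."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")

    def remaining(self):
        return len(self.data) - self.pos


def extract_sni(record):
    """Return the SNI host_name from a TLS record holding a ClientHello,
    None if the ClientHello carries no SNI, ValueError if malformed."""
    rec = _Reader(record)
    if rec.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                            # legacy record version, ignored
    hs = _Reader(rec.take(rec.u16()))
    if hs.u8() != 0x01:
        raise ValueError("not a ClientHello")
    body = _Reader(hs.take(hs.u24()))
    body.take(2 + 32)                      # client_version, random
    body.take(body.u8())                   # session_id
    body.take(body.u16())                  # cipher_suites
    body.take(body.u8())                   # compression_methods
    if body.remaining() == 0:
        return None                        # no extensions at all
    exts = _Reader(body.take(body.u16()))
    while exts.remaining():
        ext_type = exts.u16()
        ext_data = _Reader(exts.take(exts.u16()))
        if ext_type != 0x0000:             # only server_name is of interest
            continue
        names = _Reader(ext_data.take(ext_data.u16()))
        while names.remaining():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:             # host_name
                return name.decode("ascii")
    return None


def observed_snis(records):
    """Distinct SNI values across captured ClientHellos. More than one value
    for the same service means a single-pattern custom App-ID will miss traffic."""
    return {extract_sni(r) for r in records}


if __name__ == "__main__":
    sample = [build_client_hello("www.youtube.com"), build_client_hello("youtube.com")]
    print("SNI values seen:", observed_snis(sample))
```

Run it against ClientHello records carved out of a packet capture instead of the constructed ones; a result set with a single entry is the consistency the article asks for, and the ValueError path is the place to catch records that the capture cut short.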
View full article
syadav ‎11-29-2017 12:28 AM
17,063 Views
4 Replies
1 Like
The following new App-IDs are planned to be released with the "Application and Threat Content Update" of September 19, 2017. The purpose of this document is to give customers a preview of the new App-IDs a week before they are released. Please click on the picture below to zoom in for details.
View full article
msandhu ‎09-12-2017 02:11 PM
10,640 Views
1 Reply
Overview
Prior to PAN-OS 5.0, in order to allow an application with dependencies, the security policy required all dependencies to be allowed as well.

Since PAN-OS 5.0, applications for some protocols can be allowed without the need to explicitly allow their dependencies. The Palo Alto Networks firewall is able to do this for some applications if it can identify the application within a pre-determined point in the live session. If the application is coded by the developer in a way that the Palo Alto Networks device cannot determine the application by the pre-determined point, then the application can be blocked by one of the security rules in the list. For these applications an explicit allow for the list of dependencies is needed.

For the purpose of explaining the process, the following terminology is usually applied:
Enabler app: The App-ID that the session initially matches (e.g. web-browsing)
Dependent app: The App-ID that the session later matches (e.g. facebook-base)

Note: Always check the dependencies for the applications if planning to allow them. Also check the implicitly used applications for the dependent application, so that the correct policies can be constructed.

Details
For the above-mentioned applications that can be correctly identified at a pre-determined point in the live session, the firewall will implicitly allow the enabler app. For this the firewall uses the "uses-apps" and "implicit-uses-apps" parts of the content update metadata for the given application. For applications that have a list of apps in "implicit-uses-apps", those applications will be implicitly allowed and no separate security rule is needed to allow them. For applications that do not have a list of apps in "implicit-uses-apps" but do have a list of apps in the "uses-apps" part of the application definition, there is a need to explicitly allow them (the enabler applications) so that the dependent application is allowed. This can be added in a separate security rule, or in the same rule that allows the dependent app.

The application definition can be checked to see if there is a need to explicitly allow the enabler applications. Run the following command from configuration mode:

> configure
Entering configuration mode
[edit]
# show predefined application <name-of-app>

Steps
As examples we will use the "facebook-base" and the "office-on-demand" applications.

Facebook-base application definition:

# show predefined application facebook-base
facebook-base {
  ottawa-name facebook;
  category collaboration;
  subcategory social-networking;
  technology browser-based;
  alg no;
  appident yes;
  virus-ident yes;
  vulnerability-ident yes;
  evasive-behavior no;
  consume-big-bandwidth no;
  used-by-malware yes;
  able-to-transfer-file yes;
  has-known-vulnerability yes;
  tunnel-other-application yes;
  prone-to-misuse no;
  pervasive-use yes;
  per-direction-regex no;
  deny-action drop-reset;
  run-decoder no;
  cachable no;
  references {
    Wikipedia {
      link http://en.wikipedia.org/wiki/Facebook;
    }
  }
  default {
    port tcp/80,443;
  }
  use-applications [ ssl web-browsing];
  tunnel-applications [ facebook-apps facebook-chat facebook-code facebook-file-sharing facebook-mail facebook-posting facebook-rooms facebook-social-plugin facebook-video facebook-voice instagram-base];
  implicit-use-applications [ ssl web-browsing];
  applicable-decoders http;
  risk 4;
  application-container facebook;
}
[edit]

To allow facebook-base, only the security policy that has the application facebook-base is needed. There is no need to allow ssl and web-browsing, because they are implicitly allowed based on the following part of the application definition:
  use-applications [ ssl web-browsing];
  implicit-use-applications [ ssl web-browsing];

For facebook-base there is only the allow-facebook security rule, which allows only facebook-base. There are no explicit rules to allow web-browsing and ssl. On the contrary, for the purpose of the test, a deny rule for web-browsing and ssl is used. The logs show that facebook is allowed.

Office-on-demand application definition:

# show predefined application office-on-demand
office-on-demand {
  category business-systems;
  subcategory office-programs;
  technology browser-based;
  alg no;
  appident yes;
  virus-ident yes;
  spyware-ident yes;
  file-type-ident yes;
  vulnerability-ident yes;
  evasive-behavior no;
  consume-big-bandwidth yes;
  used-by-malware no;
  able-to-transfer-file yes;
  has-known-vulnerability yes;
  tunnel-other-application no;
  prone-to-misuse no;
  pervasive-use yes;
  per-direction-regex no;
  deny-action drop-reset;
  run-decoder no;
  cachable no;
  file-forward yes;
  is-saas yes;
  references {
    "Office on Demand" {
      link http://office.microsoft.com/en-us/support/use-office-on-any-pc-with-office-on-demand-HA102840202.aspx;
    }
  }
  default {
    port tcp/80;
  }
  use-applications [ ms-office365-base sharepoint-online ssl web-browsing];
  applicable-decoders http;
  risk 3;
  application-container ms-office365;
}
[edit]

For office-on-demand, "use-applications [ ms-office365-base sharepoint-online ssl web-browsing];" can be seen, and there is no implicit-use-applications list with the same applications. This means that all of the applications in the list need to be explicitly allowed, so that all the features of office-on-demand work correctly.

The traffic can be seen as allowed for web-browsing and for office-on-demand. The application started as web-browsing and was correctly identified by the Palo Alto Networks DFA, and thus changed to "office-on-demand". If web-browsing is denied in a security policy, the connections can be seen as not established, because the rule to allow the office-on-demand application will never be hit.

owner: ialeksov
View full article
ialeksov ‎08-16-2017 12:24 PM
69,990 Views
20 Replies
6 Likes
Background:
Epic is an electronic medical record (EMR) application used by healthcare providers to manage patient records. Through cooperation with Epic and customer volunteers, we at Palo Alto Networks are happy to announce the plan for release of the new Epic App-ID, which will provide visibility into Epic application traffic on healthcare provider networks.

Prior to the existence of the Epic App-ID, Palo Alto Networks firewalls categorized Epic CF traffic as "unknown TCP". With the Epic App-ID it will become a lot easier for customers to safely enable Epic without the need to create port-based policies or allow unknown-tcp traffic on a set of destination ports.

Release Plan:
In the week of 17th of July 2017, Palo Alto Networks will be adding a new App-ID named 'Epic', intended to simplify the safe enablement of the Epic CF protocol used by the EMR application developed by Epic (About EPIC).

The "epic" App-ID will be released in 2 parts:
June 2017 - "Epic" placeholder App-ID - Release time frame (Week of June 19th, 2017)
July 2017 - Functionally enable the "Epic" App-ID - Release time frame (Week of July 17th, 2017)

"Epic" will be added as a placeholder app and will be delivered in the week of June 19th, 2017. This App-ID, delivered as a placeholder, allows our customers to make any necessary policy changes to their firewalls ahead of time. The placeholder App-ID gives customers enough time to plan and add the App-ID to their security policy.

Frequently Asked Questions

Q: Why did Palo Alto Networks make this change?
A: Based on our interaction with many of our customers in the healthcare space and the evolving threat landscape, a request for an Epic App-ID has come up often. Being cognizant of that, we engaged customers and Epic to develop an App-ID for Epic so that all our customers can safely enable the Epic application.

Q: What policy changes will be required?
A: If you are a customer who is using an App-ID based policy and the App-ID named unknown-tcp to allow Epic related traffic, you will be required to change this policy to allow the Epic App-ID.

Q: What if I am using port-based policies to allow traffic related to Epic?
A: If you are using port-based policies to safely enable Epic traffic, you will not be affected by this change. However, we highly recommend that you start using the Epic App-ID to safely enable traffic related to Epic.

Q: What happens if unknown-tcp is not replaced by the Epic App-ID in the security policies?
A: In the week of July 17, 2017, the Epic App-ID will be functionally enabled. Any Epic traffic will be identified as Epic and no longer identified as unknown-tcp. Any security policy allowing or blocking the unknown-tcp App-ID will no longer apply to Epic traffic, as it is now identified as Epic.
View full article
vsathiamoo ‎06-05-2017 08:43 PM
29,157 Views
2 Replies
4 Likes
Overview
This document describes how to write a Security Policy to block Adobe Flash by default, but allow Flash on certain websites.
Note: This will work unless the domain uses a dynamic IP address.

Steps
1. Create address objects for example.com and example.org. Go to Objects > Address and add the addresses. For each address object, select type FQDN and enter the domain.
Note: If example.com matches three dynamic IPs, then refresh the FQDN (default every 30 mins) accordingly.
2. Create an Address Group. Go to Objects > Address Group and add the address objects for example.com and example.org.
3. Go to Policies > Security to create a Security Policy that includes the newly created address group in the Destination Address. Include "Flash" as the application, and then set the action to "allow". Place this Security Policy at the top.
4. Under the Security Policy above, create another Security Policy denying "Flash". It is important that this is the second rule from the top, so that all other access to Flash is blocked.

owner: pchanda
View full article
pchanda ‎02-15-2017 08:49 AM
5,782 Views
0 Replies
In the week of 29 August 2016, Palo Alto Networks released changes to App-ID for Microsoft Office 365. To allow our customers to prepare for this upcoming change and avoid any problems, Palo Alto Networks is releasing the following placeholder App-IDs and decode contexts as part of Application and Threat Update version 596. To ensure that existing Office 365 policies continue to work after the week of 29 August 2016, we suggest customers read and fully understand this document.
View full article
msandhu ‎01-17-2017 10:23 AM
159,933 Views
29 Replies
6 Likes
Overview
Application-default ports are the default destination ports used by various applications and are commonly used in configuring security policies.

Details
The following command is used to determine the application-default ports for any application:
# show predefined application <application>

In the example below, the default destination ports used by gmail-base are displayed in the default section:

> configure
Entering configuration mode
[edit]
# show predefined application gmail-base
gmail-base {
  ottawa-name gmail;
  category collaboration;
  subcategory email;
  technology browser-based;
  description "Gmail is a free, advertising-supported email service provided by Google. Users may access Gmail as secure webmail, as well as via POP3 or IMAP4 protocols.";
  alg no;
  appident yes;
  virus-ident yes;
  spyware-ident yes;
  file-type-ident yes;
  vulnerability-ident yes;
  evasive-behavior no;
  consume-big-bandwidth no;
  used-by-malware yes;
  able-to-transfer-file yes;
  has-known-vulnerability yes;
  tunnel-other-application yes;
  prone-to-misuse no;
  pervasive-use yes;
  per-direction-regex no;
  timeout 1800;
  deny-action drop-reset;
  data-ident yes;
  run-decoder no;
  cachable no;
  file-forward yes;
  references {
    Wikipedia {
      link http://en.wikipedia.org/wiki/Gmail;
    }
  }
  default {
    port tcp/80,443,993,995,465,587;
  }
  use-applications [ imap pop3 smtp ssl web-browsing];
  tunnel-applications [ gmail-chat gmail-drive gmail-enterprise google-buzz google-talk-base];
  implicit-use-applications web-browsing;
  applicable-decoders http;
  risk 4;
  application-container gmail;
}

The same information can be found in the Web UI. Navigate to Objects > Applications. The screenshot below shows the ports for gmail-base as the Standard Ports values.

owner: sdurga
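An added example, not from the page or from Palo Alto Networks, that serves both the application-dependency article above (facebook-base and office-on-demand) and this application-default-ports article: a Python parser for the attribute lines printed by `show predefined application`, which pulls out the default ports and compares use-applications with implicit-use-applications to list the enabler apps a security rule must allow explicitly. The three definitions embedded below are trimmed copies of the page's own CLI output (only the attributes this check reads, including the single-value form `implicit-use-applications web-browsing;` seen for gmail-base); the function names are this example's own.

```python
"""Decide which enabler apps need an explicit allow (added example)."""
import re

# Trimmed from the page's `show predefined application` output; only the
# attributes the check reads are kept, so the braces here are not complete
# PAN-OS output.
FACEBOOK_BASE = """facebook-base {
  default {
    port tcp/80,443;
  }
  use-applications [ ssl web-browsing];
  implicit-use-applications [ ssl web-browsing];
  risk 4;
}"""

OFFICE_ON_DEMAND = """office-on-demand {
  default {
    port tcp/80;
  }
  use-applications [ ms-office365-base sharepoint-online ssl web-browsing];
  risk 3;
}"""

GMAIL_BASE = """gmail-base {
  default {
    port tcp/80,443,993,995,465,587;
  }
  use-applications [ imap pop3 smtp ssl web-browsing];
  implicit-use-applications web-browsing;
  risk 4;
}"""


def list_attribute(text, name):
    """Values of a list-valued attribute, or [] when the attribute is absent.

    PAN-OS prints several values as `name [ a b ];` and a single value as
    `name value;`, so both spellings are accepted. The anchor at line start
    keeps `use-applications` from matching inside `implicit-use-applications`."""
    pattern = r"^\s*%s\s+(?:\[\s*([^\]]*?)\s*\]|([^\s;]+))\s*;" % re.escape(name)
    match = re.search(pattern, text, re.MULTILINE)
    if not match:
        return []
    return (match.group(1) or match.group(2)).split()


def default_ports(text):
    """Application-default ports as 'proto/port' strings, one entry per port."""
    ports = []
    for spec in re.findall(r"^\s*port\s+([^;]+);", text, re.MULTILINE):
        for item in spec.split():                 # e.g. tcp/80,443
            proto, _, numbers = item.partition("/")
            ports.extend(f"{proto}/{n}" for n in numbers.split(","))
    return ports


def enablers_needing_explicit_allow(text):
    """Enabler apps listed in use-applications that are not also in
    implicit-use-applications: these need their own allow for the
    dependent app to work, per the dependency article above."""
    implicit = set(list_attribute(text, "implicit-use-applications"))
    return [app for app in list_attribute(text, "use-applications")
            if app not in implicit]


def policy_summary(text):
    """What a rule author needs before allowing this App-ID."""
    name = re.match(r"\s*(\S+)\s*\{", text).group(1)
    return {
        "app": name,
        "default_ports": default_ports(text),
        "explicit_allow": enablers_needing_explicit_allow(text),
    }


if __name__ == "__main__":
    for definition in (FACEBOOK_BASE, OFFICE_ON_DEMAND, GMAIL_BASE):
        summary = policy_summary(definition)
        needs = ", ".join(summary["explicit_allow"]) or "none (implicitly allowed)"
        print(f'{summary["app"]}: default ports {summary["default_ports"]}; '
              f"explicit allow needed for: {needs}")
```

Paste the full output of `show predefined application <app>` in place of the trimmed strings to check an application before writing the rule; for gmail-base the check reports that only web-browsing is implicit, so imap, pop3, smtp and ssl would still need explicit allows if the metadata is read the same way the dependency article reads it for office-on-demand.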
View full article
sdurga ‎11-29-2016 04:15 AM
21,724 Views
3 Replies
1 Like
The week of 01-December-2015, Palo Alto Networks plans to add a new App-ID named “google-base”, intended to simplify the safe enablement of Google applications and streamline policy configuration. Please follow the FAQ below to learn more about this change and its impact on existing firewall policies.  
View full article
EmmaF ‎10-05-2016 06:42 PM
60,215 Views
7 Replies
11 Likes
Overview There are some cases where a custom application will undergo an application shift into another application.   Resolution To prevent an application shift on the custom application, set the proper parent app in the custom application options. The parent app will vary depending on the custom application. From the WebGUI, go to Objects > Application > Select the custom application and in the Properties section set Parent App to the appropriate application. For example: Setting the parent app to web-browsing using a signature to match specific HTTP headers.   owner: sspringer
View full article
sspringer ‎09-14-2016 04:25 AM
2,840 Views
0 Replies
Overview
Consider the following custom application and application override rule. We have configured a custom application for TCP ports 80 and 443. Application override is happening for traffic to ports 80 and 443 from DMZ to L3-Untrust.

Consider the following decryption rule: here we are decrypting all traffic coming from DMZ going to L3-Untrust.

If you try to access an HTTPS website, you will find that the traffic is not being decrypted because of the application override, even though you are decrypting everything.

When application override is configured, the Palo Alto Networks firewall stops processing at Layer 4.
View full article
pankaku ‎08-17-2016 03:15 PM
1,667 Views
0 Replies
Symptoms
Under some circumstances, SIP traffic being handled by the Palo Alto Networks firewall might cause issues such as one-way audio, phones de-registering, etc.

Solution
Create an Application Override Policy for SIP, following the steps below:
1. From Policies > Application Override, click Add in the lower left to create a new Policy Rule.
Create new Application Override rule.
2. Next, under the Source tab, click Add to add the source zone where the SIP servers are present.
App override screen - source zone.
3. Under the Destination tab, click Add to add both the destination zone and the subnet or IP address of the VoIP provider's servers.
App override - Destination zone and address.
4. Under the Protocol/Application tab, either TCP or UDP is valid, and ports can also vary depending on the VoIP vendor used. For Application, use sip.
Protocol - Application tab showing the options.
5. Here you can see what the Application Override rule looks like.
Application Override rule view

Apart from creating an application override policy for SIP applications, we would also need to check:
Security policies for both inbound and outbound traffic to and from the internal SIP server.
Source and Destination NAT for the SIP servers.
Whether ALG is disabled. If not, follow the article link below to disable it.

How to Disable SIP ALG
View full article
shganesh ‎07-01-2016 11:54 AM
18,979 Views
4 Replies
Issue
We know that SSL decryption is supposed to give us visibility of traffic that would otherwise be encrypted. Therefore, we'd expect decrypted traffic to be identified as the underlying applications, such as web-browsing, facebook-base or other, but not as SSL. However, in some scenarios, seeing application SSL as decrypted is expected behaviour. This article covers one such scenario and explains why a decrypted SSL session identified as application SSL is, in this case, considered OK.

In the example below, we were trying to access the following website: https://my.vmware.com/web/vmware/login

From the session table, we can see that the session is marked as decrypted (*):

admin@Faith-PFW-X1> show session all filter ssl-decrypt yes
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
25472 ssl ACTIVE FLOW *NS 192.168.16.48[60668]/Zone-Trust2016/6 (10.193.90.32[61785])
vsys1 216.58.212.163[443]/Zone-UnTrust (216.58.212.163[443])
25475 ssl ACTIVE FLOW *NS 192.168.16.48[60670]/Zone-Trust2016/6 (10.193.90.32[37349])
vsys1 216.58.212.163[443]/Zone-UnTrust (216.58.212.163[443])
25478 ssl ACTIVE FLOW *NS 192.168.16.48[60674]/Zone-Trust2016/6 (10.193.90.32[43548])
vsys1 216.58.212.163[443]/Zone-UnTrust (216.58.212.163[443])
25474 ssl ACTIVE FLOW *NS 192.168.16.48[60671]/Zone-Trust2016/6 (10.193.90.32[31994])
vsys1 216.58.212.163[443]/Zone-UnTrust (216.58.212.163[443])
25479 google-base ACTIVE FLOW *NS 192.168.16.48[60675]/Zone-Trust2016/6 (10.193.90.32[15527])
vsys1 216.58.212.163[443]/Zone-UnTrust (216.58.212.163[443])
25538 web-browsing ACTIVE FLOW *NS 192.168.16.48[60710]/Zone-Trust2016/6 (10.193.90.32[17185])
vsys1 68.232.35.180[443]/Zone-UnTrust (68.232.35.180[443])
25473 ssl ACTIVE FLOW *NS 192.168.16.48[60669]/Zone-Trust2016/6 (10.193.90.32[35255])
vsys1 216.58.212.163[443]/Zone-UnTrust (216.58.212.163[443])

A deeper look into one of these sessions shows that the application is identified as SSL:

admin@Faith-PFW-X1> show session id 25473
Session 25473
  c2s flow:
    source: 192.168.16.48 [Zone-Trust2016]
    dst: 216.58.212.163
    proto: 6
    sport: 60669 dport: 443
    state: INIT type: FLOW
    src user: unknown
    dst user: unknown
  s2c flow:
    source: 216.58.212.163 [Zone-UnTrust]
    dst: 10.193.90.32
    proto: 6
    sport: 443 dport: 35255
    state: INIT type: FLOW
    src user: unknown
    dst user: unknown
  start time : Tue Jun 21 11:37:52 2016
  timeout : 15 sec
  total byte count(c2s) : 796
  total byte count(s2c) : 4759
  layer7 packet count(c2s) : 8
  layer7 packet count(s2c) : 8
  vsys : vsys1
  application : ssl
  rule : Trust 2016 To Internet
  session to be logged at end : True
  session in session ager : False
  session updated by HA peer : False
  address/port translation : source
  nat-rule : NAT Trust 2016 To Internet(vsys1)
  layer7 processing : completed
  URL filtering enabled : False
  session via syn-cookies : False
  session terminated on host : False
  session traverses tunnel : False
  captive portal session : False
  ingress interface : ethernet1/3
  egress interface : ethernet1/6
  session QoS rule : N/A (class 4)
  tracker stage firewall : TCP FIN
  tracker stage l7proc : proxy timer expired
  end-reason : tcp-fin

Explanation
When the session is decrypted, an App-ID lookup is triggered on the decrypted flow to help identify the session application. The firewall needs to read enough data packets in order to identify the application. After the SSL handshake is completed, we would need to read a maximum of 2000 bytes of data to determine whether the application is unknown or not. When a decoder is detected, e.g. web-browsing, it may take more than 5 packets to determine the actual application. In most cases, the application will be recognized before receiving that amount of data.

Looking at the packet capture output below, we see that the communication ended prior to the exchange of application data that would have enabled the firewall to identify the application.

This would also apply if regular TLS/SSL is wrapped around some custom app: the underlying app would be "unknown-tcp" if it weren't encrypted, but because of the encryption, App-ID has already identified ssl and will keep that as the app.

We hope you find this information useful. Please leave a thumbs up or a comment in the section below.

See also: How much data is necessary to recognize an application
View full article
fmopiy ‎06-28-2016 06:16 AM
15,286 Views
0 Replies
4 Likes
Did you know that the Palo Alto Networks firewall verifies the checksum of a dynamic update file when you upload the file to the firewall manually?

How can you test this?

Change the dynamic update file and try to upload it to the firewall. You will get the following error:

Note that the file can be changed in Notepad++. Open the file in Notepad++, then select the HEX view. Change any value and save the file.

If you undo the changes you made in the file and then try to upload it again, you will be able to upload the file to the firewall.
View full article
pankaku ‎06-22-2016 04:39 PM
1,165 Views
0 Replies
This is an article to help understand the release note for Application and Threat Content version 575. With this version, Palo Alto Networks has made a metadata change to improve virus detection capabilities for the apps listed below; it should have no effect on how these applications are identified.

Frequently Asked Questions:

1. Will this change affect how the following App-IDs are identified?
Answer: No, this change will not alter how the following App-IDs are identified. This is not a signature change for any of the following App-IDs.

2. What is metadata? And what is a metadata change?
Answer: App-ID metadata are attributes of an App-ID that define its characteristics and capabilities. For instance, an application timeout or a risk value is an example of metadata for an App-ID. A metadata change is when one of these attributes is changed to improve application capabilities.

3. What metadata change was made for the following App-IDs?
Answer: The metadata change made for the following App-IDs is to improve virus detection and reporting capabilities for them.

4. Will this metadata change have any impact on my current configuration, such as application filters?
Answer: No, this change will have no impact on the current configuration.
2ch 2ch-posting 51.com 51.com-bbs 51.com-games 51.com-mail 51.com-music 51.com-posting adnstream adobe-connectnow adobe-echosign adobe-meeting-remote-control afreeca aim-express amazon-aws-console amazon-instant-video ameba-blog-posting apple-vpp arcgis asana asf-streaming asproxy atmail att-locker autodesk360 avaya-webalive-desktop-sharing avoidr badoo baidu-webmessenger base-crm bbc-iplayer beamyourscreen beats-music bebo-mail bet365 blogger-blog-posting blokus bluejeans boldchat-logmein boxnet boxnet-consumer-access boxnet-editing boxnet-enterprise-access boxnet-uploading brighttalk buzzsaw callpilot camo-proxy campfire carbonite cbs-video cgi-irc channel4 chatroulette chinaren chinaren-apps chinaren-chat chinaren-mail chrome-remote-desktop circumventor classmates clubbox cnn-video concur constant-contact convo convo-chat cooltalk dabbledb dailymotion dcinside dcinside-posting deezer digg-posting disqus docusign dostupest dotvpn ebuddy elastic-search elluminate emc-documentum-webtop evony eyejot ezpeer facebook facebook-apps facebook-chat facebook-posting facebook-rooms facebook-social-plugin fc2-blog-posting fcc-speed-test firefox-update flixster fotki freecast freeetv friendfeed friendster friendvox fuze-meeting fuze-meeting-desktop-sharing gifboom gogobox google-analytics google-buzz google-cache google-calendar google-calendar-enterprise google-cloud-print google-docs-editing google-drive-web google-finance-posting google-hangouts google-hangouts-audio-video google-hangouts-chat google-lively google-location-service google-maps google-play google-plus google-plus-email google-safebrowsing google-translate google-translate-auto google-translate-manual google-video gotoassist gyao hi5 highrise hootsuite howardforums-posting http-audio http-video hulu hulu-posting hyves hyves-games hyves-mail hyves-music icq2go iheartradio iloveim im-plus imeet imgur imo insightly-crm instan-t-webmessenger intuit-quickbase iqiyi issuu jango jaspersoft jira join-me 
jotspot-editing kaixin-chat kaixin-mail kaixin001 kanban-tool khan-academy kino koolim labnol-proxy laconica last.fm lastpass letv libero-video linkedin linkedin-apps linkedin-intro linkedin-mail linkedin-posting live365 livelink liveperson livestream lokalisten lotuslive lotuslive-meeting lotuslive-meeting-apps-sharing magister mail.ru-moimir mail.ru-webagent mcafee-epo-admin me2day meebome meetup meetup-email meetup-forum meevee mega megaproxy megavideo meinvz mekusharim meldium messengerfx meta4 metacafe mgoon mibbit minecraft minus mixi mlb.tv morningstar-posting motleyfool-posting ms-exchange-admin-center ms-lync-online-apps-sharing ms-office365 ms-virtualserver msn-money-posting msn-webmessenger msn2go mymarkets myspace-video napster nate-video nbc-video netbackup netbotz netflix-streaming netspoke new-relic nextmedia-video niconico-douga ning ning-apps ning-mail nomadesk noteworthy-admin odnoklassniki odnoklassniki-messaging okta omegle onelogin onepagecrm ontv ooyala oracle-forms orb paltalk-express pandora pandora-tv panos-web-interface party-poker pathview pentaho photobucket phweet pingone pinterest pivotaltracker plaxo plex plugoo-widget pogo powow powow-file-transfer proofhub proxeasy proxylocal psiphon puffin pullbbang-video quora radiusim ragingbull-posting rally-software rdio readytalk readytalk-chat readytalk-desktop-sharing renren renren-apps renren-chat renren-music renren-posting rightscale rover rtmpt ruckus salesforce samsung-updates sap-jam sap-jam-uploading sbs-netv schmedley screencast secret secure-access securemeeting seesmic sentillion service-now sharepoint-blog-posting shutterfly signnow silverlight sina-webuc sina-weibo sina-weibo-posting slacker smugmug socialtv solarwinds solarwinds-npm solarwinds-sam speedtest stagevu stocktwits stocktwits-posting streamaudio studivz stumbleupon sugar-crm svtplay t-online-mail techinline tidaltv tokbox torch-browser torch-browser-games torch-browser-music tudou tuenti tumblr tv4play tvb-video 
twitch twitpic twitter twitter-posting usermin userplane ustream vbulletin-posting veetle veohtv vevo viadeo vimeo vkontakte vkontakte-chat vkontakte-mail vnc-http vtunnel vyew war2glory watch-abc watchdox weather-desktop webqq websocket whisper winamp-remote windows-azure wink woome workday xm-radio yahoo-blog-posting yahoo-calendar yahoo-douga yahoo-finance-posting yahoo-notepad yahoo-web-analytics yahoo-webmessenger youku youku-uploading yourminis youtube youtube-posting youtube-safety-mode yugma zango zoho-meeting zoho-people zoho-share zwiki-editing zynga-games  
View full article
msandhu ‎04-06-2016 12:26 AM
9,960 Views
4 Replies
Issue
After allowing dependent applications in a different security policy, a commit on the Palo Alto Networks firewall displays an application dependency warning:
Application Dependency Warning

Resolution
1. Create new services at Objects > Services, as shown in the example, by identifying the ports used by the dependent app under Objects > Applications.
Ports used by application Citrix: Citrix ports
Ports used by application Socks (dependent app): Socks ports
2. Go to Policy > Security and select the desired policy. Click Service/URL Category.
3. Add the services created in the previous steps.
Sample configuration committed successfully with no warnings: No warnings

For more information on enabler apps and dependent apps, refer to the following document: How to Check if an Application Needs to have Explicitly Allowed Dependency Apps

owner: hyadavall
View full article
hyadavalli ‎04-04-2016 03:23 PM
9,917 Views
0 Replies
2 Likes
Symptoms
When testing multiple ISPs, single ISP failover, or a real-world ISP issue, all traffic works except SIP. SIP will not re-establish between phone and server.

Diagnosis
This issue is most likely caused by stale sessions due to the default timeout values for SIP traffic. When an ISP failover occurs, these SIP sessions stay alive for 1 hour (3600 seconds) and all SIP traffic is trapped by this session.

To verify, go to a SIP session in the session browser and check the timeout value. It should show something like 3600.

Solution
Go to Objects > Applications > SIP. Under TCP Timeout (seconds), change from 3600 to 10. The lowest as changing it to 3 will be changed to 30 seconds.

Change the UDP timeout to 10 seconds.

This will allow the session to time out in 10 seconds and connect to the new secondary ISP quickly. Using defaults when recovering from an ISP failover would normally result in the same. Changing the timeout allows the session to time out for the Primary ISP to resume control just as fast.

The phones will also need their timeout values adjusted to ensure the heartbeat keeps the already established session going; otherwise new sessions will constantly be created and 10-second-old ones torn down. Clearing SIP server traffic sessions will also resolve the issue.
View full article
cagnew ‎02-18-2016 02:02 PM
3,665 Views
0 Replies
Overview
The following list provides valuable resources on configuring and troubleshooting App-ID (title, followed by type):

Configuration
Not-applicable, incomplete, insufficient data in the application field (Document)
Tips & Tricks: How to create an application override (Document)
How to create an application filter to block high-risk applications (Document)
How to check if an application needs explicitly-allowed dependency apps (Document)
How to configure the 'sip-trunk' App-ID (Document)
How to configure a custom App-ID (Video)
App-IDs for SSL-Secured versions of well-known services (Document)
How to request a new App-ID (Document)
Demonstration of Google SafeSearch custom App-ID (Video)
How to create an application override for FTP (Document)
Tips & Tricks: What is application dependency? (Document)
What is the APP-ID for Palo Alto Networks updates? (Document)

Troubleshooting
How to validate and report application misidentification (Document)
List of Applications Excluded from SSL Decryption (Document)
How to clear cache for App-ID, Proxy certificates, URL, and user (Document)
How Palo Alto Networks identifies HTTPS applications without decryption (Document)
How to verify the application name change from Unknown-tcp/udp to actual App-ID (Document)
Access to external web services required by dynamic updates and WildFire (Document)
How much data is necessary to recognize an application (Document)
Custom App without signature not matching security rule (Document)

Other Resources
App-ID Admin Guide (Guide)
Applipedia (Database)

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.

owner: ekampling
01-14-2016 07:11 AM
12,896 Views
0 Replies
google-talk-base google-lively google-finance-posting google-toolbar google-safebrowsing google-cloud-messaging google-location-service google-calendar-enterprise google-plus-base google-update google-maps google-cloud-print google-play google-voice-actions google-hangouts-base google-hangouts-chat google-hangouts-audio-video google-app-engine-uploading uberconference gmail-video-chat google-translate-base google-translate-auto google-translate-manual google-cache google-calendar-base google-picasa gmail-drive google-app-engine google-earth google-docs-editing google-docs-uploading google-plus-posting google-drive-web google-plus-email google-cloud-storage-base google-cloud-storage-upload youtube-base youtube-uploading youtube-safety-mode youtube-posting chrome-remote-desktop google-classroom google-buzz google-music google-video-base google-desktop google-docs-base gmail-base gmail-chat google-docs-enterprise splashtop-remote sina-uc-base pocketcloud livestream jumpdesktop
maurisy 12-01-2015 05:13 PM
36,004 Views
0 Replies
2 Likes
PAN-OS 5.0 and above

The PAN SIP (Session Initiation Protocol) application, used for controlling multimedia sessions such as VoIP, monitors the client-to-server communications to determine which ports to open for a SIP call to complete. The PAN SIP decoder acts like an ALG (Application Layer Gateway), monitoring the client-to-server exchanges to dynamically open the RTP (Real Time Protocol) and RTCP (Real Time Control Protocol) ports used to send the data.

The PAN will hold a SIP session as long as the handset continues to send keepalives to the SIP server once it has registered. Adjusting the SIP session timeout value on the PAN extends the time allowed for the SIP handset to complete the registration and keeps the established SIP session active while waiting for keepalives from the handsets. If the SIP timeout is configured for 3600 seconds (1 hour), the PAN will keep the SIP connection open for 1 hour waiting for traffic or a keepalive from the SIP handset. The session in the PAN session table is therefore maintained if the handset is set to send keepalives every minute, for example.

As long as the SIP handset sends traffic or a keepalive within the SIP timeout, it will not have to re-register to make or receive calls. The SIP session on the PAN remains active and opens the pinhole for the data ports when a new call is initiated.

To extend the timeout value for the SIP application: select Objects > Applications > SIP > Session Timeout. There is also the option to modify the Risk of the application, which is shown in the ACC tab. Commit the changes.

owner: ciobanu
nrice 09-15-2015 11:32 PM
15,382 Views
2 Replies
What is App-ID?
Application Identification, or App-ID, is a main component of Palo Alto Networks devices. It is a patented mechanism present only on Palo Alto Networks devices and is responsible for identifying the applications traversing the firewall independently of port, protocol and encryption (SSL or SSH). This identification ensures proper Layer 7 inspection at the packet payload level, using Palo Alto Networks application signatures (today over 2,000 individual App-IDs), application protocol decoders, and heuristics. These elements provide the visibility of the Layer 7 (L7) traffic traversing Palo Alto Networks firewalls.

The engine behind the App-ID component is driven by a series of pre-determined contexts. These contexts use decoders to help identify applications that are tunneled within a main application (for example, Google Talk within Gmail). The applications are categorized and classified by the PAN-OS App-ID engine, allowing proper identification and the use of Application Groups at the security policy level.

During this classification process, Palo Alto Networks defines main applications (Parent Apps) and some directly dependent applications (Child Apps), which are part of those main applications. For instance, an app such as "uploading" can be classified as the Parent App of a newly created App-ID that uses file transfer from the web (browser-based file sharing). This allows the Child App to be properly identified as part of the Parent "uploading" App, and provides visibility of the application under the correct categorization.

Even though we classify, categorize and create many known applications within PAN-OS, there are still applications that are not in the Palo Alto Networks application database. These applications are called "unknown", meaning unknown to PAN-OS at that time. In these cases, custom App-ID signatures may be created to properly identify and classify them.

How Does App-ID Work?
While traffic traverses Palo Alto Networks firewalls, the App-ID engine constantly provides visibility in the logs (Monitor tab) of PAN-OS, but the sequence before that visibility looks like the following:

1. The traffic must match a security policy. Signatures are then applied to the traffic to identify the application(s) based on each application's unique characteristics. If the application uses its standard service ports, "application-default" should be used in the Service field. If non-standard ports are used, those TCP or UDP ports need to be specified in the Service column of the rule.
2. If the App-ID engine determines that the traffic is encrypted (SSL or SSH), a decryption policy needs to be in place to allow the App-ID engine to inspect the traffic.
3. PAN-OS is a context-based engine. Decoders for some known protocols are also applied and are responsible for identifying other "embedded" applications that may be tunneled within the protocol (for example, Gmail's Google Chat carried over HTTP).
4. Some applications may still try to evade and may not be identified through signatures and decoders. Heuristics or behavioral analysis may then be used to identify the application.
5. If after all these steps the application is not properly identified, it is classified as "unknown" for further analysis and proper identification by the security operations team. If it remains unknown, it can be blocked, or simply left out of the approved applications list in the security policy.

How Does PAN-OS Handle Unknown Applications?
When working with any App-ID adoption process, whether through the Migration Tool or manually by analyzing logs, the first step is to separate unknown from known traffic. The known traffic consists of the applications already identified in the Palo Alto Networks firewall logs. The unknown traffic is subject to analysis and must be properly identified. An Application Override rule must be created for it; such a rule is known as "fast path" when it contains only the service ports, because it then uses only Layer 3 and Layer 4 inspection and does not go up to Layer 7.

These rules can be used to provide visibility during the investigation of the unknown traffic. Once the proper packet information is collected and further analysis is carried out on the TCP stream, a full Layer 7 App-ID signature may be created, which provides visibility and Layer 7 inspection with no need for an Application Override rule. For traffic that could not be identified, further analysis is required; the Palo Alto Networks logs may provide useful information during this process.

Knowing why an application was marked as unknown traffic is key. In PAN-OS there are two main classifications for unknowns:
- Incomplete data: a handshake was executed but no data came through before the timeout.
- Insufficient data: the handshake completed and some data was sent, but not enough packets to identify the application.

These cases are usually network related, or caused by unconventional applications that communicate in a singular manner. At this point we know enough about the unknown application, but we need a packet capture (PCAP) to properly identify a pattern within the TCP stream, up to the point where the session is closed.

With the PCAP on hand, and after proper analysis, use the application within the network to replicate the traffic. Create a PCAP from the firewall to have enough detail, then establish a proper pattern that will be used to create a custom App-ID signature; alternatively, it can be sent to Palo Alto Networks support, who will create the signature for you. Note: more than a single packet stream will be needed.

A custom App-ID needs to be created with the same criteria by which all other applications are inserted into the PAN-OS App-ID repository. It also needs proper characteristics, classification, category and sub-category, as well as risk level, service port and timeouts.

How to Create a PCAP
Perform a PCAP in order to help identify the unknown traffic. See the following document and video to learn more about creating a packet capture: How to Run a Packet Capture. Video Link: 1355

The video demonstrates how to:
- Configure and run a basic PCAP from the PAN-OS UI
- Download the produced PCAP files
- Open the PCAP files for analysis

Create a Custom App-ID
After you have analyzed your TCP stream and found a pattern that is constant and not related to the infrastructure around the payload (MAC addresses, hardware manufacturer data, NIC information), you can use this chunk of data in your new custom App-ID signature. Note: use the hexadecimal format in your regex.

See Also
Custom Application Signatures

owner: efurtado
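As an added illustration of that last step (finding bytes that stay constant across several captured TCP streams, keeping per-host fields out of the pattern, and rendering the result in hexadecimal), here is a small Python script. It is not part of the original article and is not PAN-OS code: the protocol name ACME-PROTO, the 6-byte per-host prefix and all payloads are constructed for the example, and the bare hex string it produces still has to be entered in the signature editor's own hex syntax, which this article does not describe.

```python
"""Derive a stable payload pattern from several captured TCP streams.

Added example (not from the article or from PAN-OS): it mimics the manual
analysis step of finding bytes that are constant across streams while
leaving out per-host fields, and renders the result in hexadecimal.
"""
import re
from typing import List, Optional, Tuple

# Constructed payloads: the opening bytes of three streams of a hypothetical
# in-house protocol "ACME-PROTO". Each stream begins with a 6-byte per-host
# value (MAC-like) that must not end up in the signature, then the banner and
# a per-session id.
SAMPLE_STREAMS: List[bytes] = [
    bytes.fromhex("001122334455") + b"ACME-PROTO/1.0\r\nSID:0017\r\n",
    bytes.fromhex("0a1b2c3d4e5f") + b"ACME-PROTO/1.0\r\nSID:0042\r\n",
    bytes.fromhex("deadbeef0001") + b"ACME-PROTO/1.0\r\nSID:1234\r\n",
]

# A constructed unrelated stream that the signature must not match.
HTTP_STREAM: bytes = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"


def longest_common_substring(streams: List[bytes], min_len: int = 8) -> Optional[bytes]:
    """Return the longest byte sequence present in every stream, or None if
    no common run of at least min_len bytes exists. Brute force over the
    shortest stream; adequate for payload prefixes of a few hundred bytes."""
    if not streams:
        return None
    shortest = min(streams, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in streams):
                return candidate
    return None


def to_hex(pattern: bytes) -> str:
    """Bare hex digits of the pattern (the article says to use hexadecimal in
    the regex; the editor's delimiter syntax is not covered here)."""
    return pattern.hex()


def to_regex(pattern: bytes) -> "re.Pattern[bytes]":
    """Literal bytes regex; re.escape protects CR/LF, '.', '/' and friends."""
    return re.compile(re.escape(pattern))


def derive_signature(positives: List[bytes], negatives: List[bytes],
                     min_len: int = 8) -> Tuple[bytes, str, List[int], List[bytes]]:
    """Find the common pattern, record where it sits in each positive stream,
    and list any negative stream it would wrongly match."""
    pattern = longest_common_substring(positives, min_len)
    if pattern is None:
        raise ValueError(f"no common run of at least {min_len} bytes")
    regex = to_regex(pattern)
    offsets = [s.index(pattern) for s in positives]      # where the pattern starts
    false_positives = [n for n in negatives if regex.search(n)]
    return pattern, to_hex(pattern), offsets, false_positives


if __name__ == "__main__":
    pat, hexpat, offs, fps = derive_signature(SAMPLE_STREAMS, [HTTP_STREAM])
    print("pattern    :", pat)
    print("hex        :", hexpat)
    print("offsets    :", offs)           # identical offsets hint at a fixed header
    print("false pos. :", fps)
```

The per-session id after SID: differs between streams, so it drops out of the pattern automatically; the per-host prefix drops out for the same reason, and the identical offset of 6 in every stream tells you the signature starts right after a fixed-size header. Running the candidate against streams of other protocols (the HTTP line here) is the cheap check that the article's "analyze thoroughly" advice asks for.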
EmmaF 09-10-2015 02:49 AM
12,123 Views
0 Replies
Symptom
When viewing a session with the show session id CLI command, the security rule matched is "default" and the final line shows: "appid policy lookup deny".

Cause
The behavior may be caused by a policy configured with Application Default as the service. When Application Default is selected as the service on a security rule, the Palo Alto Networks firewall first checks the application of the traffic. Once identified, it compares the port used with the list of default ports for that application. If a match is not found, the firewall drops the session with the "appid policy lookup deny" message.

Solution
Disable the Application Default part of the rule, or modify the existing application to include the appropriate port(s).

owner: gwesson
gwesson 09-09-2015 12:29 AM
3,207 Views
0 Replies
Issue
DNS Proxy traffic is suddenly denied by the Palo Alto Networks firewall. The traffic logs show that the DNS traffic is suddenly identified as "tcp-over-dns", even though the DNS traffic is UDP.

Cause
The DNS Proxy uses the same source port for all DNS (53/UDP) requests, and the Palo Alto Networks firewall recognizes such traffic as "tcp-over-dns". The Microsoft DNS proxy uses one session per outgoing DNS request, and that traffic is identified by the current algorithm. Therefore, from the customer's traffic log, the behavior is the same as with the Microsoft DNS proxy.

Workaround
Add "tcp-over-dns" to the Security Policy.

owner: kkondo
kkondo 09-07-2015 05:39 AM
3,320 Views
0 Replies
1 Like
Overview
This document describes how to avoid block pages for social plugins on other websites, while keeping the original website blocked.

Issue
When a social networking website, such as Facebook, is blocked by a Palo Alto Networks firewall using an application block page or URL Filtering response page, a Facebook social plugin on other websites also displays that unwanted block page. In the example shown below, a redirected page shows a semi-transparent block page for the Facebook social plugin.

Resolution
Configure two security rules:
1. A security rule to allow facebook-social-plugin on the application-default service
2. A security rule to block the facebook application
Then go to Device > Response Pages > Application Block Page, check Enable Application Block Page and click OK.

As shown in the example below, this verifies that the primary website is completely blocked, while at the same time other websites load and appear readable without showing any response pages for social plugins.

owner: kadak
kadak 09-04-2015 03:59 PM
4,869 Views
0 Replies
Apart from the standard ICMP and UDP ports, the traceroute application in the Palo Alto Networks database also contains TCP port 80 in its list of standard ports. TCP can also be used as the underlying protocol for traceroute, and because TCP port 80 is open in many environments for HTTP traffic, users are prone to use port 80 when they want to get past a firewall that blocks traceroute traffic. This is the reason for adding TCP port 80 to the list of Standard Ports of the traceroute application.

owner: joksimovic
djoksimovic 09-03-2015 07:03 AM
5,787 Views
2 Replies
Symptoms
Sessions associated with an application-based deny rule show some packets transmitted/received.

Issue
When the Palo Alto Networks firewall rules are evaluated, the security policy is evaluated two times:
1. The packet is checked against the rule set as if the application were set to ANY.
2. The packet is checked against the rule set again once the application has been identified.
Because the application is not necessarily known from the first packets, it can take several packets to determine the underlying application. During this evaluation period, packets may be allowed through unless there is a rule that denies the traffic irrespective of the application (such as a deny on destination URL/IP, port number, user, etc.). Once the application is determined, if no rule permits that application together with the other aspects of the session, that packet and all future packets of the active session are denied (dropped).

Resolution
This is expected behavior. It results from the firewall not relying on ports alone; it determines the underlying application.

owner: gwesson
gwesson 07-20-2012 10:47 AM
9,085 Views
4 Replies
1 Like
This document is written in Japanese. It is a white paper on the botnet detection feature newly added in PAN-OS 4.0. It also explains details such as the history, case studies and types of botnets.

owner: kmiwa
kmiwa 07-14-2011 01:19 AM
2,565 Views
0 Replies
Overview
From the WebGUI, under Device > Dynamic Updates, there is an option to click "Revert" beside the previously installed Antivirus, Applications and Threats, and URL database versions. However, if newer versions of the content files are available, the previously installed version may not appear in the WebGUI. In this case, the revert operation must be executed from the CLI.

Details
To revert the Antivirus version:
> request anti-virus downgrade install previous
New content scheduled to be pushed via job 2

To revert the Applications and Threats content version:
> request content downgrade install previous
New content scheduled to be pushed via job 3

To revert the URL Filtering database version:
> request url-filtering revert
BrightCloud URL filtering database revert initiated

owner: ppatel
nrice 06-03-2010 07:05 AM
5,495 Views
3 Replies
Application Characteristics That Determine Risk
The Palo Alto Networks research team uses the application behavioral characteristics to determine a risk rating of 1 through 5. The characteristics are an integral piece of the application visibility that administrators can use to learn more about a new application they may find on the network and, in turn, make a more informed decision about how to treat the application. Note that many applications carry multiple behavioral characteristics.

Application Behavioral Characteristics
Prone to misuse: used for nefarious purposes or is easily configured to expose more than intended. Examples include SOCKS, as well as newer applications such as DropBoks, AppleJuice and NEOnet.
Tunnels other applications: able to transport other applications. Examples include SSH and SSL as well as Hopster, TOR, RTSP and RTMPT.
Has known vulnerabilities: the application has had known vulnerabilities.
Transfers files: able to transfer files from one network to another. Examples include FTP and TFTP as well as webmail and online file-sharing applications like Megaupload and YouSendIt.
Used by malware: has been used to propagate malware, initiate an attack or steal data. Applications that are used by malware include the collaboration (email, IM, etc.) and general Internet categories (file sharing, Internet utilities).
Consumes bandwidth: the application consumes 1 Mbps or more regularly through normal use. Examples include P2P applications such as BitTorrent, Xunlei and DirectConnect as well as media applications, software updates and other business applications.
Evasive: uses a port or protocol for something other than its intended purpose, with the intent to ease deployment or hide from existing security infrastructure.

With the knowledge of which applications are traversing the network, their individual characteristics and which employees are using them, Company X is able to decide more effectively how to treat the applications' traffic through the associated security policies.

owner: sjanita
sjanita 05-25-2009 03:09 AM
3,771 Views
0 Replies
1 Like