Custom APP-ID

L1 Bithead

I have deployed a new application on our network and found that this application has some communications that take place on TCP-2000. Normally this port is used by cisco-sccp. The data that is being passed is not normal "cisco-sccp" protocol traffic, and thus my PA-400 is not permitting the traffic to pass through it. I have started writing a custom APP-ID for this traffic. I have defined on the Configuration tab a Name, Category, Subcategory, Technology, Sub-App, and Risk. On the Advanced tab I have defined that this traffic is on port TCP-200. I have committed this to the router, but it is still not correctly identifying this traffic. So I have gone in and tried to write a custom signature for this traffic. Reading through your documentation, the only signature that I can use is "unknown-rsp-tcp-payload". The problem is the payload is only one byte in size. According to my pcap, the 1-byte payload is e4. I have written a regex of [a-f]|[A-F][0-9]. The problem is that when I go to save this, the PA software errors out as my signature does not meet the 7-byte minimum.

How can I write a rule that is 7 bytes in length, when the payload I am trying to match is only 1 byte in length? The host that is sending me this traffic I can fully trust, so if there is a way to tell the PA to permit all traffic from this host, that would be great, but from my reading this is not possible as the PA is an application firewall, not port based.

I need to allow this traffic to pass. I have a pcap that I can post for your review showing this payload and headers.

3 Replies

L7 Applicator

You can create a port-based security policy. Use "any" for the Application, and then create a Service object called "tcp-2000":

I already have a security policy defined for this host. The rule identifies the source IP address and the destination zones. It is presently set to allow any service and any application. According to the traffic log this traffic is being allowed, but talking with the vendor, the data is being manipulated by the firewall, and that is the reason the application is not working correctly.

In such a situation you can use an app-override policy. Please try it.

Regards

Slawek
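As an added illustration (not posted by anyone in this thread, and not Palo Alto Networks' own documentation), here is what the two suggestions above look like as PAN-OS CLI set commands: a service object for the port, a custom application shell, an application override rule that tags the trusted host's tcp/2000 sessions as that custom app instead of cisco-sccp, and a security rule that allows only that app. The zone names trust/untrust, the source host 192.0.2.10, the server 198.51.100.20 and the application name custom-tcp2000 are assumed placeholders; the lines beginning with # are annotations rather than CLI input, and the exact set-command syntax should be checked against the CLI reference for the PAN-OS version on the PA-400.

```text
# Added example, not from the thread. Assumed values: zones trust/untrust,
# trusted client 192.0.2.10, application server 198.51.100.20, app name custom-tcp2000.
configure

# 1. Service object for the non-standard port (the first reply's suggestion)
set service tcp-2000 protocol tcp port 2000

# 2. Custom application: no signature is needed when it is only used by an
#    override rule, so the 7-byte pattern minimum does not come into play
set application custom-tcp2000 category business-systems subcategory general-business technology client-server risk 2
set application custom-tcp2000 default port tcp/2000

# 3. Application override (Slawek's suggestion). Matching sessions are labelled
#    custom-tcp2000 and skip App-ID/Content-ID inspection, so keep the match narrow:
#    one source host, one destination, one port, one zone pair.
set rulebase application-override rules override-tcp2000 from trust to untrust source 192.0.2.10 destination 198.51.100.20 protocol tcp port 2000 application custom-tcp2000

# 4. Security rule that allows only the overridden app on its service,
#    rather than the existing "any application / any service" rule
set rulebase security rules allow-tcp2000 from trust to untrust source 192.0.2.10 destination 198.51.100.20 application custom-tcp2000 service tcp-2000 action allow

commit
```

Because override traffic is no longer inspected at layer 7, the override rule should sit above any broader rules and be scoped as tightly as the assumed values show; after committing, the traffic log should show the session's application as custom-tcp2000 rather than cisco-sccp, which is the quickest check that the override is actually matching.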
