This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Custom APP-ID

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom APP-ID

SouthernCoos
L0 Member

‎05-01-2014 06:00 PM

I have deployed a new application on our network and found that this application has some communications that take place on TCP-2000. Noramlly this port is used by cisco-sccp. The data that is being passed is not a normal "cisco-sccp" protocal traffic, and thus my PA-400 is not permitting the traffic to pass through it. I have started writting a custom APP-ID for this traffic. I have defined on the Configuration tab a Name, Category, Subcatigory, Technology, Sub-App, and Risk. On the Advance Tab I have defined that this traffic is on port TCP-200. I have comitted this to the router, but it is still not correctly identifying this traffic. So I have gone in and tried to write a custom signature for this traffic. Reading though your documentation the only signature that I can use is "unknown-rsp-tcp-payload". The problem is the payload is only one byte in size. According to my pcap, the 1 byte payload is e4. I have written a regex of [a-f]|[A-F][0-9]. the problem is that when I go to save this, the PA-software errors out as my signature does not meet the 7 bytes minume.

How can i write a rule that is 7 bytes in length, when the payload I am trying to match is only 1 byte in length. The host that is sending me this traffic I can fully trust, so if there is a way to tell the PA permit all traffic from this host, tat would be great, but from my reading this is not possible as the PA is application firewall not port based.

I need to allow this traffic to pass. I have a pcap that I can post your your review showing this payload and headers.

2 people had this problem.
0 Likes Likes
3 REPLIES 3

jvalentine
L7 Applicator

‎05-02-2014 07:51 AM

You can create a port-based security policy.  Use "any" for the Application, and then create a Service object called "tcp-2000":

0 Likes Likes

SouthernCoos
L0 Member
In response to jvalentine

‎05-04-2014 01:56 AM

I already have a security policy defined for this host. The rule identifies the source IP address and the destination zones. It is presently set to allow any service and any application. According the the traffic log this traffic is being allowed, but talking with the vender, the data is being manipulated by the firewall, and is the reason that the application is not working correctly.

0 Likes Likes

_slv_
L4 Transporter
In response to SouthernCoos

‎05-04-2014 02:33 AM

In such situation You can  use app-overvrite policy. Pleasy try with it.

Regards

Slawek

0 Likes Likes
  • 2807 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks