Context for Custom AppID

Reply
Highlighted
L0 Member

Context for Custom AppID

I’m looking to create a custom AppID for our Softphones by PureCloud. In short, we are attempting to block the chat feature within the application. The application is web-browser based and encrypted, so we setup decryption for the traffic in the hopes we could enforce security policies on the decrypted traffic.

 

The decryption is working fine and I’ve been able to get some basic AppID’s created to recognize the traffic based on the FQDN. My goal is to create a custom AppID that goes deeper into the packet and matches on a pattern. So far, I’ve been unsuccessful. I’ve validated the parent app is “websocket” but have not been able to hit on a pattern match. I believe the issue I’m having is with the Context choice.

 

I opened a PAN support case and worked with a tech who was helpful but limited in support he could provide (best effort only.) I’ve searched through the Live Community Discussions related to AppID’s and didn’t hit on anything helpful so far. I’ve read pretty much anything and everything I could find online and in PAN’s knowledge base articles but have not found a solution.

 

I setup a decryption mirror port and captured some PureCloud traffic. I can provide a packet capture of the decrypted traffic for a short chat conversation. I was hoping someone could help me figure out the right Context to match patterns against or an alternative approach. Any help you could extend to me would be greatly appreciated.

 

I found both of these resources very helpful. I list them for others who might benefit from them.

 

Video - How To Configure A Custom App-Id
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmGCAS

PDF - Creating Custom Application And Threat Signatures
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0

 

Regards,
Rob

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!