Is it possible to use simple IPv4 flag info as match criteria for App-ID signatures? I'm looking for something simple such as matching source IP, destination IP and destination port. I'm not having any luck finding patterns in the data to use and I really need an App-ID to adjust TCP time out values.
This is to accomidate poorly designed medical equipment that needs to be protected but does not function correctly behind my firewall.
Any advice is much appreciated.
Not sure if you've addressed your issue.
Recently I've ran into a similar situation where a vendor's software does not addresses the TCP timeout properly, which I had to create an customized AppID for it in order to customize the TCP timeout values for that particular traffic.
Here's what I did:
- Navigate to Objects --> Applications --> Add
- Configuration Tab:
- Name: Name your AppID
- Description: Some documentation about this AppID
- Category: business-systems
- Subcategory: office-programs
- Technology: client-server
- Parent App: None
- Risk: 1
- Advanced Tab:
- Defaults: Port
- Port: port(s) or your application uses
- Timeouts --> TCP Timeout: <tcp timeout value>
- Policies --> Application Override --> Add
- Enter the basics of the traffics flows for the application override policy.
- Src Zone
- Src Address
- Dst Zone
- Dst Address
- Application: <your custom AppID name>
I learned that the Application Override policy is the policy that will POINT the matched traffic pattern to a specific AppID (custom or OOB)
Hope this helps or at least shine a light to your problem.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!