App-id Adoption & App-id Reconciliation

L2 Linker

Hi guys,

I'm using the FW-logs in order to transform the security policies from legacy services towards app-id.

ML logs are on the system, etc.

Analysing rules via: R-click / App-id adoption / retrieve app (slow-fast) works fine.

E.g. the apps Splunk and ms-kms are detected.

When I convert the rule using "App-ID reconciliation / recommended", the service is converted to the detected app-id as-is.

However, application dependencies are not taken into account?

E.g. Splunk depends on web-browsing, ms-kms depends on msrpc-base. This is leading to non-working policies.

I'm using Expedition 1.1.42 (VM) and 1.1.46.1 (physical server); both have the same behavior, while I believe this used to work in previous versions?

Thanks a lot,

Filip Elsen

 


Accepted Solutions
L5 Sessionator

Re: App-id Adoption & App-id Reconciliation

Thanks for pointing out that the recommended dependencies were missing in the contextual menu


All Replies
L2 Linker

Re: App-id Adoption & App-id Reconciliation

Any news on this?

Am I the only one using or experiencing this issue?

... in the meantime I'm running 1.1.53 with the same issue.

 

Thanks,

Filip

L2 Linker

Re: App-id Adoption & App-id Reconciliation

A related rule, where app-id adoption is performed:

appid_log.PNG

Next: app-id reconciliation:

appid_recon.png

resulting in the following app-id being adopted:

appid_after_recon.png

But it doesn't take into account dependencies:

dependencies.PNG

 

As a result, the connectivity would break, impact could be generated, etc.

Does anyone have this issue?

 

Thanks,

Filip

 

L5 Sessionator

Re: App-id Adoption & App-id Reconciliation

Would it be possible to share the project with fwmigrate at paloaltonetworks dot com via Project->Settings->Export?

I would like to check whether the issue is related to the application database being used in your project, which may not be up to date and does not know about the dependencies, or whether it is actually an issue in the code that fails to include the dependencies as well.

Let us know via email, and we will update the results here later on.

L2 Linker

Re: App-id Adoption & App-id Reconciliation

Hi Didac,

Thanks for the feedback.

Mail sent with all details as requested.

 

Best regards,

Filip Elsen

Re: App-id Adoption & App-id Reconciliation

Hi, thanks for updating Expedition.

As shown below, the issue is resolved!!

 

appid_machine-learning.jpg
