APP ID impact

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

APP ID impact

L1 Bithead

Can some one answer this?

 

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by
App-ID as SuperApp_base. On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which
will be deployed in 30 days. Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

 

App-ID 

1 accepted solution

Accepted Solutions

Hi @BNSRIKAR ,

 

Unfortunately I don't agree with @Adrian_Jensen  and I would go with anwser A

- I believe the confustion here is between "container app" and xxx-base app. What @Adrian_Jensen described is actually the definitiaon for container app - following link probably will explain it better than me - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltnCAC

 

- Take for example SMB (because facebook contain too many sub-apps).

Astardzhiev_0-1652128712850.png

As you can see there Palo Alto provide specific signature for each SMB version, so you can have more granula control and allow/deny specific version. If SMB version doesn't bothers you and you want to allow all versions you can simply add the container app - the parent from this three. As Adrian explained if you do that any future SMB version or app signature will be included in your policy automatically.

 

- Now lets focus on the xxx-base application - think about how firewall identify actuall application - first it needs to allow the TCP session to establish, then endpoints will start transfering some data, with each data firewall will gather more information, which is used to identify the actuall application. xxx-base application is used when Palo Alto can identify that traffic is associated with given application, but either not enough data is processed to identify the exact fucntion/feature, or just firewall doesn't have more specific app signature.

 

- Going back to the question form your exam prem - Firewall has signature for "supperApp-base", at this point any traffic and feature of this app is associated with -base app-id. At some point Palo Alto have created more specific signatures that allows you to identify specific features of this app, like chat and file download. Once the new content is installed on the firewall it will be able to identify each feature of this application, but this will also means that it will block that traffc - because your policy does not allow the new applications.

View solution in original post

3 REPLIES 3

L6 Presenter

You don't explicitly say, but I assume from your example "The company is currently using an application..." that the company has explicitly allowed "SuperApp_base" in a policy rule. Therefore, the answer would be closest (though not exactly) B.

 

App ID is normally updated automatically (and includes Threat ID which you would want to update frequently). The "_base" App ID is a superset category that includes underlying communication channels and subsets of specific features. So SuperApp_base would match SuperApp_chat, SuperApp_download, SuperApp_audio, SuperApp_video, and any other more specific application IDs. If you wanted to allow all SuperApp applications except for chat, you could do an allow rule for SuperApp_base** and a deny rule for SuperApp_chat.

 

** - If you already have a general allow rule for anything not explicitly denied, then you don't really need a SuperApp_base allow rule. Also, because of the mixed traffic nature in a "SuperApp" that does lots of different things in a common communication channel, but you want to block a only a specific subset, matching will never be 100% effective.

 

Application ID updates will never change your policy rules or add applications to a policy, though traffic that was at one time identified as application "A" may now be identified as "B" causing it to go thru a different policy. If you application was identified as "A_base" before the update and now is more specifically identified as "A_subset", then it will follow the "A_base" policy if there is not a more specific policy.

Hi @BNSRIKAR ,

 

Unfortunately I don't agree with @Adrian_Jensen  and I would go with anwser A

- I believe the confustion here is between "container app" and xxx-base app. What @Adrian_Jensen described is actually the definitiaon for container app - following link probably will explain it better than me - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltnCAC

 

- Take for example SMB (because facebook contain too many sub-apps).

Astardzhiev_0-1652128712850.png

As you can see there Palo Alto provide specific signature for each SMB version, so you can have more granula control and allow/deny specific version. If SMB version doesn't bothers you and you want to allow all versions you can simply add the container app - the parent from this three. As Adrian explained if you do that any future SMB version or app signature will be included in your policy automatically.

 

- Now lets focus on the xxx-base application - think about how firewall identify actuall application - first it needs to allow the TCP session to establish, then endpoints will start transfering some data, with each data firewall will gather more information, which is used to identify the actuall application. xxx-base application is used when Palo Alto can identify that traffic is associated with given application, but either not enough data is processed to identify the exact fucntion/feature, or just firewall doesn't have more specific app signature.

 

- Going back to the question form your exam prem - Firewall has signature for "supperApp-base", at this point any traffic and feature of this app is associated with -base app-id. At some point Palo Alto have created more specific signatures that allows you to identify specific features of this app, like chat and file download. Once the new content is installed on the firewall it will be able to identify each feature of this application, but this will also means that it will block that traffc - because your policy does not allow the new applications.

L6 Presenter

After looking at an app category while chasing a different problem this afternoon, I have to agree with @aleksandar.astardzhiev. I screwed up the earlier definition. SuperApp would be the superset category, SuperApp_base would be a subset that includes underlying communication and shared features. SuperApp_chat would be a subset of the chat features. If the chat feature was moved out of SuperApp_base to a new signature SuperApp_chat, then it would no longer match in the original rule explicitly allowing that.

  • 1 accepted solution
  • 3164 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!