This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

App-ID Issues with Dropbox traffic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

App-ID Issues with Dropbox traffic

Go to solution
FarzanaMustafa
L4 Transporter

‎01-14-2019 05:54 PM

Hello,

 

We've got QoS setup on a PA-220 that classes any traffic marked with the dropbox App-ID. This class is then restricted to 2mbps. However we find that not all traffic generated by the Dropbox Sync client is marked as dropbox. Sometimes it's just ssl, sometimes its unknown-udp. Essentially we just want to restrict any Dropbox traffic to 2mbps through the Internet. 

How do we achieve this?

 

We are using Dropbox as an installed application (not from web browser).

SSL Decryption is not enabled.

The concerned policy has 'dropbox' application enabled with application-default.

 

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
gwesson
L7 Applicator
In response to BPry

‎01-15-2019 05:06 PM

@BPry I think the problem is that the Dropbox Sync client uses a pinned certificate, so it actually cannot be decrypted by the firewall. OP wants to 

 

You can apply QoS based on IP address, app, and service, but none of those are really distinguishable here. You may need to use something like MindMeld or otherwise create an External Dynamic List object and use that for the QoS rule.

View solution in original post

2 REPLIES 2

Go to solution
BPry
Cyber Elite
Cyber Elite

‎01-15-2019 07:41 AM

@FarzanaMustafa wrote:

 

SSL Decryption is not enabled. 

When you aren't decrypting traffic app-id is doing the best it can with the information it can see, which isn't much. So by its nature this means that application identification can be hit or miss. 

Go to solution
gwesson
L7 Applicator
In response to BPry

‎01-15-2019 05:06 PM

@BPry I think the problem is that the Dropbox Sync client uses a pinned certificate, so it actually cannot be decrypted by the firewall. OP wants to 

 

You can apply QoS based on IP address, app, and service, but none of those are really distinguishable here. You may need to use something like MindMeld or otherwise create an External Dynamic List object and use that for the QoS rule.

  • 1 accepted solution
  • 4592 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks