App-id Matching Process


L0 Member

I'm running PA-VM and created one active rule:

 

From: Inside

To: Outside

Application: Web Basic Application group (ssl,dns,web-browsing,ping)

Service: application-default

Action: Allow

SSL Decryption is disabled

 

 PA-Rules.png

 

I'm facing issues browsing to websites with preconfigured App-ids:

Not working:

linkedin/soundcloud/battle.net/docs.google.com (any other website with a specific app-id)

Working:

youtube/google (search-engine)

 

I'm running a PA version that doesn't have google-base yet.

 

"During the SSL encrypted session, the firewall receives server "hello packets", which has the certificate details or the server can send a separate certificate packet. The firewall looks for the X.509 digital certificate received from the server and inspects the common name field in the SSL Handshake Protocol."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0

1.)

I ran it in the Lab, and the results were different:

PC ---> TLS Client Hello(server-name=www.linked.com) ---> FW ---> Linkedin (Sent)

Linkedin ---> TLS Server Hello -- FW ----> DROPPED

Application is listed as linkedin-base with action Discard

 

The certificate from Linkedin is not sent until Linkedin receives the ACK on the TLS Server Hello.

I tested this on a PC with direct internet access; this contradicts the Palo Alto Knowledge Base article.

linkedin-server-certificate.png

 

 

2.)

I tested HTTP & HTTPS to battle.net

 

Note: battle.net redirects to blizzard.com

 

With HTTP:

- Dropped and classified as battle.net in the traffic monitor

- HTTP GET is dropped on the firewall side

- Classified as battle.net App-id

 

With HTTPS:

- Works successfully and is redirected

- The Common Name in the certificate provided in the Server Certificate message is www.battle.net. This should be matched by the app-id engine, but it is listed as the ssl application

 

My question is, does it use the certificate to match the app-id, and/or the HTTP GET?

 

 

How does the actual matching process work, and why doesn't it work the same across the board?

 

Software: 7.0.1

Application Version: 497-2688

 

Thanks guys

Cyber Elite

@zizo94,

There are multiple ways that encrypted traffic can still be identified via signatures that don't take into account the CN listed on the certificate. Additionally, some app-ids don't take into account the CN of the certificate being exchanged in the handshake at all, and rely strictly on other means.

 

PS,

You are using an extremely outdated, and EOL'd, version of PAN-OS and an extremely outdated content package. The signatures you are using are old enough that I wouldn't expect your traffic to be identified as the proper app-id anymore, with or without decryption.

@BPry 

I upgraded the PA to version 9.0.1.

Now I can see the added app-id for google-base.

 

Q:1

I'm still having the same issue, traffic is being blocked and not using the default web-browsing application.

It's identifying the app-id and the traffic is being discarded. If I add google-base to the applications inside the rule, it will work.

Is this normal behaviour from PA?

Screenshot from 2019-09-16 09-56-55.png

 

Q2:

As you mentioned, there are multiple means of identifying traffic via signatures.

Can you share any documents that describe these ways?

 

Thanks

 

 
