App-ID RPC Syntax

L2 Linker


So I'm trying to further classify RPC data as the correct type of RPC data based on program number (300029 in this case). I'm not trying to re-invent the wheel, though, on how PA already correctly classifies it as RPC data; I'm curious if there is a way in a custom App-ID to say something like "If known_existing_app AND XYZ then new_custom_app_ID", i.e. "If RPC and magic_bytes=300029 then Custom_App, not RPC". The existing RPC detection does a better job than I can ever hope to manually recreate off the top of my head, so I would like to reuse it. [And if there is no way to reference it, is there a way to look at the actual signature so I could copy it?]

L7 Applicator

When creating the custom app you can try setting the parent app to RPC, then look for the magic byte in the session/transaction.

That should allow most of the session to follow regular App-ID into RPC and then only trigger the custom app once the magic byte shows up.

regards

Tom

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
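To make the "magic byte" concrete, here is an added example (not code from the thread or from Palo Alto Networks) that parses the fixed front of an ONC RPC CALL message per RFC 5531 and computes the byte offset and big-endian pattern of the program number. That pattern is what a custom App-ID signature would match once the parent app has already classified the session as RPC. Over TCP the message is preceded by a 4-byte record mark (high bit = last fragment, low 31 bits = length), so the program number sits 4 bytes deeper than over UDP. The sample messages, the `TARGET_PROG` constant (300029 from the question) and all function names are constructed for this example; the exact syntax for entering the pattern in the PAN-OS custom signature editor is not shown here and must be taken from the product documentation.

```python
import struct
from dataclasses import dataclass

# ONC RPC (RFC 5531) constants.
RPC_CALL = 0          # msg_type of a CALL; only CALLs carry the program number
RPC_VERSION = 2       # rpcvers is always 2 for ONC RPC
HEADER_FIELDS = 6     # xid, msg_type, rpcvers, prog, vers, proc (all 32-bit big-endian)

# Program number to single out (decimal, as given in the question). Assumption.
TARGET_PROG = 300029


@dataclass
class RpcCallHeader:
    xid: int
    msg_type: int
    rpcvers: int
    prog: int
    vers: int
    proc: int


def parse_rpc_call(payload: bytes, tcp: bool) -> RpcCallHeader:
    """Parse the fixed 24-byte front of an ONC RPC CALL.

    tcp=True expects the 4-byte record mark that prefixes every RPC message on
    a TCP stream (RFC 5531 section 11); UDP datagrams start at the xid.
    Raises ValueError for truncated data, non-CALL messages or a wrong rpcvers,
    so a caller can treat "not an RPC CALL" as a clean negative.
    """
    offset = 0
    if tcp:
        if len(payload) < 4:
            raise ValueError("truncated record mark")
        (mark,) = struct.unpack_from("!I", payload, 0)
        frag_len = mark & 0x7FFFFFFF
        if frag_len < HEADER_FIELDS * 4:
            raise ValueError("fragment too short for a CALL header")
        offset = 4
    if len(payload) < offset + HEADER_FIELDS * 4:
        raise ValueError("truncated RPC header")
    hdr = RpcCallHeader(*struct.unpack_from("!6I", payload, offset))
    if hdr.msg_type != RPC_CALL:
        raise ValueError("not a CALL message (REPLYs carry no program number)")
    if hdr.rpcvers != RPC_VERSION:
        raise ValueError("unexpected rpcvers %d" % hdr.rpcvers)
    return hdr


def prog_pattern(prog: int, tcp: bool) -> tuple:
    """Return (byte offset, 4-byte big-endian pattern) of the program number.

    This is the 'magic bytes' a signature would look for: after the optional
    record mark come xid, msg_type and rpcvers (12 bytes), then prog.
    """
    offset = (4 if tcp else 0) + 12
    return offset, struct.pack("!I", prog)


def pattern_hex(pattern: bytes) -> str:
    """Render the pattern as spaced hex for pasting into a signature editor."""
    return " ".join("%02x" % b for b in pattern)


def is_target_program(payload: bytes, tcp: bool, prog: int = TARGET_PROG) -> bool:
    """True only for a well-formed CALL whose program number equals prog."""
    try:
        return parse_rpc_call(payload, tcp).prog == prog
    except ValueError:
        return False


def build_rpc_call(xid: int, prog: int, vers: int, proc: int, tcp: bool) -> bytes:
    """Construct a minimal CALL with AUTH_NULL cred and verf (sample data)."""
    body = struct.pack("!6I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    body += struct.pack("!II", 0, 0)   # cred: flavor AUTH_NULL, body length 0
    body += struct.pack("!II", 0, 0)   # verf: flavor AUTH_NULL, body length 0
    if tcp:
        body = struct.pack("!I", 0x80000000 | len(body)) + body  # last fragment
    return body


if __name__ == "__main__":
    for tcp in (False, True):
        off, pat = prog_pattern(TARGET_PROG, tcp)
        print("%s: prog %d at offset %d, pattern %s" % (
            "TCP" if tcp else "UDP", TARGET_PROG, off, pattern_hex(pat)))
    # Constructed samples: a portmapper CALL (prog 100000) and the target CALL.
    print(is_target_program(build_rpc_call(1, 100000, 2, 3, tcp=True), tcp=True))
    print(is_target_program(build_rpc_call(2, TARGET_PROG, 1, 0, tcp=True), tcp=True))
```

Note that the pattern alone is only meaningful inside an RPC CALL: the same four bytes could appear at that offset in unrelated traffic, which is exactly why anchoring the custom app under the RPC parent (as suggested above) matters, and why a REPLY or a later TCP fragment must not be matched as if it carried a program number.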
L2 Linker

I was wondering if nesting worked like that, couldn't find any documentation on it.  Will give it a shot and get back to you.
