APP-ID: Target app and Depends ON APPs over more than one Security Rule! YES or NO?

fhu_omi
L3 Networker


Hi There,

I didn't find a real answer to the question of whether it's necessary to add "Depends On" apps in the SAME security rule, or whether it is also possible to add them in the security rules before.

Example for a specific app where all "Depends on" apps have to be in the same security rule:

And on the other side: Not necessary or recommended in the same rule:

Because of these contradictory statements and the real experiment I am now very confused.

If it is possible to separate "depends on" apps into a rule before the target app with these dependencies, like my setup, then is that the proof that it is not the first rule that matches!

I hope somebody can help

Kind regards

Fabio

BPry
Cyber Elite

@fhu_omi,

You can absolutely separate these out without any issue, as long as the depends on app-ids are allowed somewhere in the rulebase it'll work perfectly fine.

So if you take a look at youtube-streaming for example, it depends on youtube-base. You don't need to include youtube-streaming and youtube-base in the same rulebase entry, and you can separate them into two separate entries and it would work perfectly fine. As soon as the traffic is identified under the new app-id, the firewall will re-scan the security rulebase and match to whatever rulebase entry you have associated with the traffic. 

reaper
L7 Applicator

I concur with @BPry: you don't need to have dependencies in the same rule. I do want to zoom in on your last paragraph to hopefully lift some more of the confusion surrounding this topic:

"If it is possible to separate "depends on" apps into a rule before the target app with these dependencies, like my setup, then is that the proof that it is not the first rule that matches!"

For every session the firewall will actually evaluate the security rulebase multiple times:

1. When a SYN packet comes in, only the 6-tuple is available (srcIP, srcZone, dstIP, dstZone, dstPort, Proto), so the apps in rules will be ignored to find a matching rule.

2. When the initial app is detected, the rulebase will again be evaluated to see if a rule is found that matches the app (this is where web-browsing, ssl etc. are detected, as we're only 4-6 packets into a session).

3. As the session passes more packets, the 'app' will start to transmit more payload that can be identified as something more specific, so this could be one of the app-base applications, so the firewall checks if that app matches a rule.

4. With even more payload being transferred, an even more specific app can be detected. This is where the apps live that are dependent on a more generic 'parent' app, because it takes so many packets before they can be properly identified. At this stage another rulebase evaluation takes place, so this app can actually sit in a different rule than the above 'parents'.

Hope this helps

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
fhu_omi
L3 Networker

Hi @reaper and @BPry,

Ok, that makes absolutely sense, thank you very much.

But what happens if I add in every security rule the desired AppID and the "Parent AppIDs"? For example, two separate security rules with different AppIDs, like 1. pastebin and 2. github, but both have ssl and web-browsing as "depends on" (this is only an example; one of them implicitly uses ssl). If I add ssl and web-browsing in every rule, but with different URL filters, because I have to restrict different sub-URL paths in both rules, how does the firewall handle this?

Is there an advantage or disadvantage if I separate "depends on" AppIDs into separate security rules?

Because a ruleset should be readable, I think an order is good; if I always need to search where I allow an AppID, then it's difficult to read the ruleset. But I don't know if it's a bad idea to build up the ruleset with the needed "depends on" AppIDs first in the ruleset and then go more and more specific to the desired AppIDs. The rest of the ruleset is like first rule match, from specific first to more and more general at the end. Now with AppID this is, from my point of view, the opposite, and I have to combine both methods.

Kind regards

Fabio

BPry
Cyber Elite

@fhu_omi,

The traffic is going to match the first entry that matches the traffic pattern.

1) If you included ssl and web-browsing in every rule without a URL Category or restricted destination configured, traffic is simply going to match to the first rulebase entry.

2) When you use a URL Category to restrict the traffic, the first rule to do so is going to allow all traffic until the URL can be identified. At that time, the firewall would re-analyze the rulebase and match to the proper rule.

"Is there an advantage or disadvantage if I separate "depends on" AppIDs into separate security rules?"

This is just a management/operation decision. I like to create a general internet browsing policy that includes ssl and web-browsing, and then create more specific allowed application entries above that.
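As an added example, not code from the thread or from Palo Alto Networks: a small Python simulation of the evaluation passes reaper lists above (6-tuple only at SYN, then a re-match at each more specific App-ID) and of the URL-category behaviour BPry describes (the first rule that carries the app allows until the URL is known, then the rulebase is re-evaluated). The rulebase, zone names and URL category names are constructed, and the 6-tuple is reduced to zones and destination port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: int
    apps: frozenset = frozenset()            # empty = any application
    url_categories: frozenset = frozenset()  # empty = any URL category


# Constructed rulebase (top to bottom), using the app names from the thread.
# Specific entries sit above a general internet-browsing rule, as BPry suggests.
RULEBASE = [
    Rule("allow-pastebin", "trust", "untrust", 443,
         frozenset({"ssl", "web-browsing", "pastebin"}), frozenset({"cat-pastebin"})),
    Rule("allow-github", "trust", "untrust", 443,
         frozenset({"ssl", "web-browsing", "github"}), frozenset({"cat-github"})),
    Rule("allow-youtube-streaming", "trust", "untrust", 443, frozenset({"youtube-streaming"})),
    Rule("allow-youtube-base", "trust", "untrust", 443, frozenset({"youtube-base"})),
    Rule("general-web", "trust", "untrust", 443, frozenset({"ssl", "web-browsing"})),
]


def first_match(rules, zones_port, app=None, category=None):
    """First rule matching what the firewall currently knows about the session.
    app=None: only the (reduced) 6-tuple is known (SYN stage), so app lists are ignored.
    category=None: the URL is not known yet, so URL-category limits are not applied."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) != zones_port:
            continue
        if app is not None and r.apps and app not in r.apps:
            continue
        if category is not None and r.url_categories and category not in r.url_categories:
            continue
        return r.name
    return "implicit-deny"  # nothing matched at this stage


def session_path(rules, zones_port, app_stages, category=None):
    """Re-evaluate the rulebase at each stage: SYN, then each successively more
    specific App-ID, then once more when the URL category becomes known.
    Returns [(stage, matched_rule_name), ...]."""
    path = [("syn", first_match(rules, zones_port))]
    for app in app_stages:
        path.append((app, first_match(rules, zones_port, app)))
    if category is not None:
        path.append((f"url:{category}", first_match(rules, zones_port, app_stages[-1], category)))
    return path
```

Running `session_path(RULEBASE, ("trust", "untrust", 443), ["ssl", "youtube-base", "youtube-streaming"])` shows the session moving from the first tuple match, to the first rule carrying ssl, to the youtube-base rule and finally to the youtube-streaming rule, even though the parent and child apps are in different rules.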

fhu_omi
L3 Networker

@BPry

Thanks for your answer, that is helping.

"This is just a management/operation decision. I like to create a general internet browsing policy that includes ssl and web-browsing, and then create more specific allowed application entries above that."

If you write "above", then you have the general internet browsing policy at the end of the ruleset? Ok, as you said, the position is not relevant with App-ID, only if you have other restrictions on the 6-tuple criteria or URL matching criteria. If I understand the flow correctly.
