06-20-2017 05:13 PM
Hi
So I ran into the 150 application overrides limit.
At my location I have a lot of Java apps running. They normally provide an HTTP interface, a JMX and RMI and HTTPS interface, and when you have 15-20 of these, that sucks up a lot of application overrides.
I don't want the PAs inspecting the flows.
First I tried creating my custom application and provided the ports. But because it is HTTP traffic, the PAs would classify it as web-browsing. I don't want this. So I found the only way to override this was to use application overrides.
So for auditing I created an application override for each port and application......
Now I am stuck ... I added my 151st application override in Panorama and tried to push it out, and it failed ...
Now I am rethinking. Currently I am thinking I might group my application overrides. For example, all the applications have an HTTP port and typically an RMI and JMX port. I thought I could have a generic JMX port override and lump all the port numbers into the application override object.
Then my next tricky thing was to create a custom application, say JMX port, and sub-applications, say JMX app1, JMX app2.
So the application override would say the application is JMX, and hopefully, because JMX has child custom apps called JMX app1 and JMX app2, it will pick them based upon the port number.
Or is there any other way of doing this?
Is there a way to force my custom applications to have higher priority over the inbuilt ones, especially web-browsing?
06-21-2017 12:39 AM
AppID will always try to identify the most accurate definition of an application.
So if you write a custom app that triggers on a signature, the custom app should be triggered.
If you can only provide some ports and the application behaves like web-browsing, web-browsing will be more accurate.
The 'other' way is to use app override.
Why don't you want the PAs to inspect the flow? If you're accidentally hitting vulnerabilities, you can create an override (in the threat/AV/AS). If AppID is the issue, you can set up a packet capture and write signatures to properly identify the custom apps and no longer have the override issue.
Here's an article that may help:
Getting Started: Custom applications and app override
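The grouping idea raised in the question (one override per role instead of one per service and port), sketched as an added example that is not part of the original thread or any Palo Alto Networks tooling. The inventory, rule names and custom application names are constructed, and it assumes the override rule's port field accepts a comma-separated list of ports and ranges.

```python
from collections import defaultdict

# Constructed inventory (service, role, protocol, port); names and ports are made up.
INVENTORY = [
    ("app1", "http", "tcp", 8080), ("app1", "jmx", "tcp", 9010), ("app1", "rmi", "tcp", 1099),
    ("app2", "http", "tcp", 8081), ("app2", "jmx", "tcp", 9011), ("app2", "rmi", "tcp", 1100),
    ("app3", "http", "tcp", 8082), ("app3", "jmx", "tcp", 9020), ("app3", "rmi", "tcp", 1101),
]

def compress_ports(ports):
    """Render a set of ports as a compact list, e.g. '9010-9011,9020'."""
    ordered = sorted(set(ports))
    spans, start, prev = [], ordered[0], ordered[0]
    for port in ordered[1:]:
        if port != prev + 1:          # gap: close the current span
            spans.append((start, prev))
            start = port
        prev = port
    spans.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)

def consolidate(inventory, app_prefix="custom-java"):
    """Group per-service ports into one override rule per (role, protocol)."""
    ports, services, owner = defaultdict(set), defaultdict(set), {}
    for service, role, proto, port in inventory:
        if not 1 <= port <= 65535:
            raise ValueError(f"{service}: invalid port {port}")
        # A port can map to only one application, so two roles sharing it is a conflict.
        if owner.setdefault((proto, port), role) != role:
            raise ValueError(f"{proto}/{port} claimed by {owner[(proto, port)]} and {role}")
        ports[(role, proto)].add(port)
        services[(role, proto)].add(service)
    return [
        {
            "rule": f"override-{role}-{proto}",          # hypothetical rule name
            "application": f"{app_prefix}-{role}",       # hypothetical custom app name
            "protocol": proto,
            "ports": compress_ports(ports[key]),
            "services": sorted(services[key]),           # audit trail of who is covered
        }
        for key in sorted(ports)
        for role, proto in [key]
    ]

if __name__ == "__main__":
    for rule in consolidate(INVENTORY):
        print(rule)
```

Nine per-service entries collapse into three rules here; the cost is that traffic is labelled with the shared per-role application, so per-service attribution has to come from the destination port and the `services` list kept alongside each rule.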