Application overrides


L4 Transporter

Hi

So I ran into the 150 application overrides limit.

At my location I have a lot of Java apps running; they normally provide an HTTP interface, a JMX and RMI and HTTPS interface, and when you have 15-20 of these, that sucks up a lot of application overrides.

I don't want the PAs inspecting the flows.

First I tried creating my custom application and provided the ports. But because it is HTTP traffic the PAs would classify it as web-browsing. I don't want this. So I found the only way to override this was to use application overrides.

So for auditing I created an application override for each port and application...

Now I am stuck... I added my 151st application override in Panorama and tried to push it out and it failed...

Now I am rethinking. Currently thinking I might group my application overrides. For example, all the applications have an HTTP port and typically an RMI and JMX port. I thought I could have a generic JMX port override and lump in all the port numbers in the application override object.

Then my next tricky thing was to create a custom application, say JMX port, and sub-applications, say JMX app1, JMX app2.

So the application override would say the application override is JMX, and hopefully, because JMX has children custom apps called JMX app1 and JMX app2, it will pick them based upon the port number.

Or is there any other way of doing this?

Is there a way to force my custom applications to have higher priority over the inbuilt ones, especially web browser?

1 REPLY

Cyber Elite

AppID will always try to identify the most accurate definition of an application.

So if you write a custom app that triggers on a signature, the custom app should be triggered.

If you can only provide some ports and the application behaves like web-browsing, web-browsing will be more accurate.

The 'other' way is to use app override.

Why don't you want the PAs to inspect the flow? If you're accidentally hitting vulnerabilities, you can create an override (in the threat/AV/AS); if AppID is the issue, you can set up a packet capture and write signatures to properly identify the custom apps and no longer have the override issue.

Here's an article that may help:

Getting Started: Custom applications and app override

Tom Piens
PANgurus