This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Behaviour app override

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Behaviour app override

soporteseguridad
L4 Transporter

‎06-01-2016 11:36 AM - edited ‎06-01-2016 11:39 AM

Hi, we are having an issue using app override. 

 

1) We have created a custom app for Oracle (without timeout). Using these ports: tcp1521-1541.

This is the config

App customized.jpg

 

This is the app override policy:

appoverride.jpg

 

This is the security policy (app any and ports involved in this app 1533 and 60xxx):

reglaaplica.jpg

 

Service profile for ports open in this ORACLE connection (1023-65535)

 

ports high.jpg

 

 

After doing all these changes, the Oracle (custom app) connections stopped working so we check the monitor traffic logs and we saw this:

 

monitor problems.jpg

Well, we decided to configure a source filter in our app override policy, in order not matching "app override" policy with any.

 

appoverridebien.jpg

After doing that we realised that these Oracle connections open another ports in range 606xx, but using app override these others ports didnt appear.

 

monitorbien.jpg

 

 

In the this screenshot we can see what monitor shows using app_overrise and Oracle default. Using our custom app (Iracle_1521_1541) is taking the connection in ports 1533 fine but not another ports are appearing so its not working fine.

At 13:17:00 we disabled app override policy and it started working.

So its like using app override for this custom app, if another ports in the connections are used its not working.

 

global.jpg

 

Why using our custom app we cant see the ports open over this Oracle_custom connection?? How could we solve this??? 

 

 

0 Likes Likes
3 REPLIES 3

reaper
Cyber Elite
Cyber Elite

‎06-02-2016 12:49 AM

hi

 

looks like your oracle deployment may have been customized somehow to use other ports than expected

can you try this: set the custom app with 'parent app' oracle, set the ports to tcp/dynamic and disable app override:

 

2016-06-02_09-48-44.jpg

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

soporteseguridad
L4 Transporter
In response to reaper

‎06-02-2016 03:26 AM - edited ‎06-02-2016 03:37 AM

But if i disable "app override", the custom app will not applied, right??

With app override policy i say what source/destination range will ovewrite the app.

 

should i configure the ports in app like this??:

 

Capturauna.JPG

 

All the previous changes will affect to another apps??? 

 

thanks a lot reaper.

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to soporteseguridad

‎06-02-2016 04:33 AM

app override is not required if you only want to identify an application differently.

 

App override forces AppID to not inspect certain sessions and instead acts as a stateful firewall. it disabled AppID

 

a custom app without override let's AppID do it's job of inspecting the session and you tell it to identify an application differently. since oracle is set as parent app, it should only apply to sessions identified as oracle

 

 

usually your method should work just fine, but the fact that it doesn't and without the override it starts using different ports may mean your deployment may be somewhat special and the heavy handed approach with app override might break something

 

i'd start with only tcp/dynamic, once you get it to work you can tone that down to the actual set of ports you would like to use (you could also add the tcp/606** instead of dynamic if you prefer)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 1865 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks