This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Can I create custom application with destination IP and TCP/UDP port?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Can I create custom application with destination IP and TCP/UDP port?

Go to solution
KiCheon.Lee
L4 Transporter

‎01-03-2014 01:41 AM

Hello,

I know that FW can control application correctly when has L7 signature.

But my customer want to create application signature more simple and easy for internal trust server.

For example, There is 192.168.1.1 web-server. He want to create app "our-web-server" for destination IP and port are 192.168.1.1:80.

Can FW be available?

Thanks.

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
kprakash
L5 Sessionator

‎01-03-2014 05:25 AM

Signatures are Layer 7 attributes, and addresses are layer 3 attributes. As per the PANFW session flow,  Layer 3 and layer 4 ( port number) checks are performed first before the actual layer 7 checks ( which happens on a different hardware chip, depending on the platform ). Hence you cannot club addresses into the signature. We can configure security polices, or application override policies to control traffic for a specific IP address along with the application ( built in or custom ).

The best bet would be to create a custom application. Name it as "our-web-server" for better understanding. Use it in a rule "Our-web-server-rule", and include the IP address and the custom application under it.

Hope that helps!

Best regards,

Karthik

View solution in original post

0 Likes Likes
6 REPLIES 6

Go to solution
kprakash
L5 Sessionator

‎01-03-2014 05:25 AM

Signatures are Layer 7 attributes, and addresses are layer 3 attributes. As per the PANFW session flow,  Layer 3 and layer 4 ( port number) checks are performed first before the actual layer 7 checks ( which happens on a different hardware chip, depending on the platform ). Hence you cannot club addresses into the signature. We can configure security polices, or application override policies to control traffic for a specific IP address along with the application ( built in or custom ).

The best bet would be to create a custom application. Name it as "our-web-server" for better understanding. Use it in a rule "Our-web-server-rule", and include the IP address and the custom application under it.

Hope that helps!

Best regards,

Karthik

0 Likes Likes

Go to solution
Phoenix
L4 Transporter
In response to kprakash

‎01-03-2014 07:59 AM

Hello Cheon,

For your requirement to make a simple and new app to find if this is your web-server traffic yes we can do. Create a new APP with the required destination  tcp/udp port. Assign this new app in the Application override rule where we provide the source and destination IPs.

By doing so for any further traffic matching the IP's and ports in the App the traffic would match the application override rule and the sessions would show the new app. ( considering the old sessions are timed out, if not we can clear the old ones )

The prior update by kprakash was to intend that the IPs cannot be added in a signature pattern as such.

Hope this helps !

Go to solution
skrall
L4 Transporter

‎01-04-2014 06:25 PM

Have you looked at the Applocation Override feature in the Policies Tab?  What you have described sounds like a perfect match.

SKrall

Go to solution
KiCheon.Lee
L4 Transporter
In response to skrall

‎01-06-2014 08:45 PM

Thank you very much Karthik , Phoenix and skrall.

I knew that all traffic for some tcp/udp port(tcp/80) will be port base custom application(our-web-server) when create port base custom application without application-override.

I have tested and seen that port base custom application without override is not generated application in traffic log.

The port base custom application with override is generated application is traffic log.

I got it. As Karthik mentioned, L3&L4 check and L7 check are probably different hardware chip.

Where is the application signature? in signature math hw engine? or in security process?

Good luck.

0 Likes Likes

Go to solution
Gregoux
L4 Transporter
In response to KiCheon.Lee

‎01-07-2014 05:24 AM

why don't you try a custom application base on the host header value as signature?

Capture.PNG.png

0 Likes Likes

Go to solution
kprakash
L5 Sessionator
In response to KiCheon.Lee

‎01-07-2014 08:21 AM

The Signature matching is done on a different chip or performed on a software thread depending on the platforms. The security policy check for the traffic happens prior to the signature check, and its performed on another chip ( octeon ), before the traffic is fed to the signature matching engine ( chip ) 

  • 1 accepted solution
  • 6566 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks