This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Create custom App-ID signature for specific unknown traffic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Create custom App-ID signature for specific unknown traffic

phrounds
Not applicable

‎06-16-2011 10:30 AM

Good afternoon.

A considerable amount of traffic to/from our Akamai servers is not recognized by our PA-4060s running v3.1.9. We would like to create a custom App-ID signature that would identify all traffic to/from our Akamai servers (based on /28 subnet) as: SU Akamai.

Source:      akamai-11-053.syr.edu (here we’ll use 128.230.11.48/28)
Destination: a72-247-124-182.deploy.akamaitechnologies.com
From Port:   12347
To Port:     65453
Protocol:    udp
Application: insufficient-data
Action:      allow
Rule:        permit datacenter to all

Would appreciate any tips for creating custom App-ID signatures!

Thank you!

Respectfully,

Peter Rounds

0 Likes Likes
3 REPLIES 3

skrall
L4 Transporter

‎06-16-2011 03:45 PM

Peter,

Have you considered using Application Override? This is the simplest solution if you can define an application based on IP address and port number.  If you truely require a signature you will need sniffer captures and some evaluation of the first few packets. If you are lucky you will see some string like "User Agent = NMAP"  and use this as your identifier. Some applications will be moredifficult to identify. You will not know until you look as the captures.

Your last option isto ask Paloalto to create a new Application and submit the request to....

http://www.paloaltonetworks.com/researchcenter/submit-an-application/

Steve Krall

phrounds
Not applicable
In response to skrall

‎06-17-2011 07:32 AM

Thanks Steve!

Does application override cause traffic that is "overrided" to disappear from monitoring?

Respectfully,

Peter ...

0 Likes Likes

skrall
L4 Transporter
In response to phrounds

‎06-17-2011 10:07 AM

No. Override has 2 steps.

1) Create a simple Application identified simply by dest port or protocol.

2) Create an App Override rule that defines zones and IPs  and Port and then the "Name" of  the application that this traffic should receive.

And traffic conforming to the AppOR rule that you defined in step 2 gets classified/Named the Application you created in step 1.

App OR is typically used for the following reasons.

1) Assign an app name to some custom/home grown application or tcp/udp Unknown traffic that Paloalto is detecting.

2) Turn off deep packet inspection for performance reasons.

3) Testing to verify that Deep Packet inspection is not the reason for some performance problems

One common example is SIP.  SIP phones put the IP address of the phone in the Payload.  SIP gateways like the Paloalto, when doing NAT, should change the source IP address in the IP header and should modify the IP address in the payload. Sometimes the modification done by the SIP gateway are incompatible with the requirements of the PBX. By creating an App OR for Port 5060 we turn off the deep packet inspection and modification and only do NAT. This is a common workaround for SIP issues using AppOR.

SK

  • 2994 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks