Create custom App-ID signature for specific unknown traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Create custom App-ID signature for specific unknown traffic

Not applicable

Good afternoon.

A considerable amount of traffic to/from our Akamai servers is not recognized by our PA-4060s running v3.1.9. We would like to create a custom App-ID signature that would identify all traffic to/from our Akamai servers (based on /28 subnet) as: SU Akamai.

Source:      akamai-11-053.syr.edu (here we’ll use 128.230.11.48/28)
Destination: a72-247-124-182.deploy.akamaitechnologies.com
From Port:   12347
To Port:     65453
Protocol:    udp
Application: insufficient-data
Action:      allow
Rule:        permit datacenter to all

Would appreciate any tips for creating custom App-ID signatures!

Thank you!

Respectfully,

Peter Rounds

3 REPLIES 3

L4 Transporter

Peter,

Have you considered using Application Override? This is the simplest solution if you can define an application based on IP address and port number.  If you truely require a signature you will need sniffer captures and some evaluation of the first few packets. If you are lucky you will see some string like "User Agent = NMAP"  and use this as your identifier. Some applications will be moredifficult to identify. You will not know until you look as the captures.

Your last option isto ask Paloalto to create a new Application and submit the request to....

http://www.paloaltonetworks.com/researchcenter/submit-an-application/

Steve Krall

Thanks Steve!

Does application override cause traffic that is "overrided" to disappear from monitoring?

Respectfully,

Peter ...

No. Override has 2 steps.

1) Create a simple Application identified simply by dest port or protocol.

2) Create an App Override rule that defines zones and IPs  and Port and then the "Name" of  the application that this traffic should receive.

And traffic conforming to the AppOR rule that you defined in step 2 gets classified/Named the Application you created in step 1.

App OR is typically used for the following reasons.

1) Assign an app name to some custom/home grown application or tcp/udp Unknown traffic that Paloalto is detecting.

2) Turn off deep packet inspection for performance reasons.

3) Testing to verify that Deep Packet inspection is not the reason for some performance problems

One common example is SIP.  SIP phones put the IP address of the phone in the Payload.  SIP gateways like the Paloalto, when doing NAT, should change the source IP address in the IP header and should modify the IP address in the payload. Sometimes the modification done by the SIP gateway are incompatible with the requirements of the PBX. By creating an App OR for Port 5060 we turn off the deep packet inspection and modification and only do NAT. This is a common workaround for SIP issues using AppOR.

SK

  • 3417 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!