06-16-2011 10:30 AM
Good afternoon.
A considerable amount of traffic to/from our Akamai servers is not recognized by our PA-4060s running v3.1.9. We would like to create a custom App-ID signature that would identify all traffic to/from our Akamai servers (based on /28 subnet) as: SU Akamai.
Source: akamai-11-053.syr.edu (here we’ll use 128.230.11.48/28)
Destination: a72-247-124-182.deploy.akamaitechnologies.com
From Port: 12347
To Port: 65453
Protocol: udp
Application: insufficient-data
Action: allow
Rule: permit datacenter to all
Would appreciate any tips for creating custom App-ID signatures!
Thank you!
Respectfully,
Peter Rounds
06-16-2011 03:45 PM
Peter,
Have you considered using Application Override? This is the simplest solution if you can define an application based on IP address and port number. If you truly require a signature you will need sniffer captures and some evaluation of the first few packets. If you are lucky you will see some string like "User Agent = NMAP" and use this as your identifier. Some applications will be more difficult to identify. You will not know until you look at the captures.
Your last option is to ask Palo Alto to create a new Application and submit the request to....
http://www.paloaltonetworks.com/researchcenter/submit-an-application/
Steve Krall
06-17-2011 07:32 AM
Thanks Steve!
Does application override cause traffic that is "overrided" to disappear from monitoring?
Respectfully,
Peter ...
06-17-2011 10:07 AM
No. Override has 2 steps.
1) Create a simple Application identified simply by dest port or protocol.
2) Create an App Override rule that defines zones and IPs and Port and then the "Name" of the application that this traffic should receive.
And traffic conforming to the AppOR rule that you defined in step 2 gets classified/named as the Application you created in step 1.
App OR is typically used for the following reasons:
1) Assign an app name to some custom/home-grown application or tcp/udp Unknown traffic that Palo Alto is detecting.
2) Turn off deep packet inspection for performance reasons.
3) Testing to verify that Deep Packet inspection is not the reason for some performance problems.
One common example is SIP. SIP phones put the IP address of the phone in the payload. SIP gateways like the Palo Alto, when doing NAT, should change the source IP address in the IP header and should modify the IP address in the payload. Sometimes the modifications done by the SIP gateway are incompatible with the requirements of the PBX. By creating an App OR for Port 5060 we turn off the deep packet inspection and modification and only do NAT. This is a common workaround for SIP issues using AppOR.
SK
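A small model of the two-step override described above, added here as an example that is not from the thread or from PAN-OS: step 1 defines the custom app by protocol and destination port, step 2 maps source zone, source subnet, protocol and port to that app name, and every flow still produces a log entry. The zone name "datacenter", the "any destination zone" rule and the sample flows are assumptions for the example; the /28 and port 65453 are the ones quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CustomApp:        # step 1: app identified only by protocol + destination port
    name: str
    protocol: str
    dst_port: int

@dataclass(frozen=True)
class OverrideRule:     # step 2: zones + source subnet + port/protocol -> app name
    src_zone: str
    dst_zone: Optional[str]         # None matches any destination zone ("to all")
    src_net: ipaddress.IPv4Network
    protocol: str
    dst_port: int
    app: CustomApp

SU_AKAMAI = CustomApp("SU Akamai", "udp", 65453)
RULES = [OverrideRule("datacenter", None, ipaddress.ip_network("128.230.11.48/28"),
                      "udp", 65453, SU_AKAMAI)]

def classify(flow: dict) -> str:
    """Return the application name the firewall would record for this flow."""
    src = ipaddress.ip_address(flow["src"])
    for r in RULES:
        if flow["src_zone"] != r.src_zone:
            continue
        if r.dst_zone is not None and flow["dst_zone"] != r.dst_zone:
            continue
        if src in r.src_net and flow["proto"] == r.protocol and flow["dport"] == r.dst_port:
            return r.app.name           # override hit: label assigned, no deep inspection
    return flow["app"]                  # no match: App-ID's own verdict is kept

def log_flows(flows: list[dict]) -> list[dict]:
    """Every flow still produces a traffic-log entry; only the app column changes."""
    return [dict(f, app=classify(f)) for f in flows]

# Constructed sample flows: the /28 and port 65453 are the ones quoted in the thread;
# zone names and the third flow are made up for the example.
SAMPLE = [
    {"src": "128.230.11.53", "src_zone": "datacenter", "dst_zone": "untrust",
     "proto": "udp", "dport": 65453, "app": "insufficient-data"},   # inside /28
    {"src": "128.230.11.70", "src_zone": "datacenter", "dst_zone": "untrust",
     "proto": "udp", "dport": 65453, "app": "insufficient-data"},   # outside /28
    {"src": "128.230.11.53", "src_zone": "datacenter", "dst_zone": "untrust",
     "proto": "tcp", "dport": 443, "app": "ssl"},                   # different protocol/port
]
```

Running `log_flows(SAMPLE)` shows the first flow relabelled as "SU Akamai" while the other two keep their original App-ID names, and all three remain in the log.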