gotoassist application recognition

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

gotoassist application recognition

L4 Transporter

Is anyone else having issues with PA not recognizing gotoassist very well ?

Citrix documentation expects you to open tons of DNS addresses and/or IP ranges, but I'm a bit wary of opening ALL traffic on ports 80 and 443 to these (most IP ranges are on Amazon btw) since we're heavily relying on application identification.

4 REPLIES 4

L4 Transporter

Hello Dieterb,

Citrix software gotoassist works on the ports 80/443. If the services are made "App default" it uses the ports needed to have the gotoassist traffic allowed. Now in the apps column since we have added gotoassist it looks for signature pattern of gotoassit with combination of ports needed. If this combination matches only then traffic is allowed. If just ports match and signature pattern is not allowed the traffic should not be permitted.

Thanks

That's indeed how our rules are setup:

We use an application group to allow several remote support applications, service application-default

For these applications, no user-id required (user: any)

from zone trust to zone untrust

Basic security profile applied, but that should not block legitimate traffic (will check in threat log)

What I do notice, is some traffic gets recognized as citrix-jedi and gotomeeting, those are very similar to gotomeeting. And they are allowed too.

Threre's really no clear line to draw. It's one of those apps that use generic ports randomly, to many different ip's randomly ...

Hello dieterb,

Yes it may be possible sometimes to see the apps as citrix-jedi and gotomeeting and so on. Sometimes when the software product change a certain behavior for gotoassist in this case, if it is not updated on PAN app signature we may see such issues. And also all of these belong to same parent company there may be overlaps as seen below.

goto-.PNG.png

In such cases, where config looks like gotoassist is allowed but citrix-jedi app is not allowed then while passing traffic if we see some part of gotoassist identified as citrix-jedi and it is getting rejected then we may experience traffic drops..to avoid such issues we may have to open a case to correct the app signature database.

I've put all similar citrix application and even more in the allow policy, but still no go.

I'll probably have to allow services http and https. But I'll try to limit the domains and/or ip's that are actually used (not the entire list of all Citrix SaaS products).

Not sure if PA can do anything about it in the application definitions...

  • 3213 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!