This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

gotoassist application recognition

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

gotoassist application recognition

dieter_b
L4 Transporter

‎12-19-2013 08:22 AM

Is anyone else having issues with PA not recognizing gotoassist very well ?

Citrix documentation expects you to open tons of DNS addresses and/or IP ranges, but I'm a bit wary of opening ALL traffic on ports 80 and 443 to these (most IP ranges are on Amazon btw) since we're heavily relying on application identification.

Labels:
0 Likes Likes
4 REPLIES 4

Phoenix
L4 Transporter

‎12-19-2013 08:39 AM

Hello Dieterb,

Citrix software gotoassist works on the ports 80/443. If the services are made "App default" it uses the ports needed to have the gotoassist traffic allowed. Now in the apps column since we have added gotoassist it looks for signature pattern of gotoassit with combination of ports needed. If this combination matches only then traffic is allowed. If just ports match and signature pattern is not allowed the traffic should not be permitted.

Thanks

dieter_b
L4 Transporter
In response to Phoenix

‎12-19-2013 08:57 AM

That's indeed how our rules are setup:

We use an application group to allow several remote support applications, service application-default

For these applications, no user-id required (user: any)

from zone trust to zone untrust

Basic security profile applied, but that should not block legitimate traffic (will check in threat log)

What I do notice, is some traffic gets recognized as citrix-jedi and gotomeeting, those are very similar to gotomeeting. And they are allowed too.

Threre's really no clear line to draw. It's one of those apps that use generic ports randomly, to many different ip's randomly ...

0 Likes Likes

Phoenix
L4 Transporter
In response to dieter_b

‎12-19-2013 10:01 AM

Hello dieterb,

Yes it may be possible sometimes to see the apps as citrix-jedi and gotomeeting and so on. Sometimes when the software product change a certain behavior for gotoassist in this case, if it is not updated on PAN app signature we may see such issues. And also all of these belong to same parent company there may be overlaps as seen below.

goto-.PNG.png

In such cases, where config looks like gotoassist is allowed but citrix-jedi app is not allowed then while passing traffic if we see some part of gotoassist identified as citrix-jedi and it is getting rejected then we may experience traffic drops..to avoid such issues we may have to open a case to correct the app signature database.

dieter_b
L4 Transporter
In response to Phoenix

‎12-20-2013 02:41 AM

I've put all similar citrix application and even more in the allow policy, but still no go.

I'll probably have to allow services http and https. But I'll try to limit the domains and/or ip's that are actually used (not the entire list of all Citrix SaaS products).

Not sure if PA can do anything about it in the application definitions...

0 Likes Likes
  • 3130 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks