12-08-2015 03:29 PM
Hi all,
I started studying the PA firewall recently and am struggling to find out the APP-ID for some traffic. I can easily find out the services (or ports, for Cisco ASA) and create the rules based on services/ports, but by doing this we will lose the application visibility, which is the reason we use PA in the first place.
So, using APP-ID as much as possible rather than service/port will be very important. OK, my question is, how can I find out the APP-ID that I should use? As a network engineer, it's very challenging for me to get familiar with all the applications.
Can anyone give me some advice? Thanks a lot.
Patrick
12-08-2015 03:36 PM
Probably the easiest way to leverage App-ID while not knowing every single app is to use the Objects > Application Filters area to create collections of apps that you want to use. You can set up your policies to use those instead of individual apps, and still leverage the app-id database.
You can create a pretty complex set of app filters this way, so it can be as specific or generic as you want.
Beyond that, you can use port-based rules initially, and then over time you'll be able to see the apps used in your traffic logs. Then you can start creating app-based policies above the port-based policies, eventually phasing out the port-based ones as your app-based rules become more robust.
-Greg
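The log-driven approach in the reply above, as an added example that is not part of the original thread: it groups a traffic log export by the port-based rule that matched and lists the applications seen on each, which are the candidates for an app-based rule placed above it. The CSV column names and the rule names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumptions about a traffic log CSV export.
SAMPLE_LOG = """\
Rule,Application,Destination Port,Bytes
allow-tcp-443,ssl,443,18200
allow-tcp-443,web-browsing,443,950
allow-tcp-443,ssl,443,40100
allow-tcp-443,incomplete,443,120
allow-tcp-22,ssh,22,7300
allow-udp-53,dns,53,310
allow-udp-53,dns,53,280
allow-tcp-22,insufficient-data,22,90
"""

# Values logged when no application was identified for the session;
# they are counted separately and never proposed for an app-based rule.
UNIDENTIFIED = {"incomplete", "insufficient-data", "not-applicable"}


def apps_per_rule(log_text):
    """Return {rule: {"apps": {app: (sessions, bytes)}, "unidentified": sessions}}."""
    summary = defaultdict(lambda: {"apps": {}, "unidentified": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = summary[row["Rule"].strip()]
        app = row["Application"].strip().lower()
        if app in UNIDENTIFIED:
            entry["unidentified"] += 1
            continue
        sessions, total = entry["apps"].get(app, (0, 0))
        entry["apps"][app] = (sessions + 1, total + int(row["Bytes"]))
    return dict(summary)


def candidate_apps(summary, rule, min_sessions=1):
    """Apps seen at least min_sessions times on a port-based rule, busiest first."""
    apps = summary.get(rule, {"apps": {}})["apps"]
    keep = [(a, s, b) for a, (s, b) in apps.items() if s >= min_sessions]
    return [a for a, s, b in sorted(keep, key=lambda t: (-t[1], -t[2], t[0]))]


if __name__ == "__main__":
    result = apps_per_rule(SAMPLE_LOG)
    for rule in sorted(result):
        print(rule, candidate_apps(result, rule), "unidentified:", result[rule]["unidentified"])
```

Raising `min_sessions` filters out one-off sessions before the list is turned into policy.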
12-08-2015 04:02 PM
Hi Greg,
Yes, you are right, the logs are telling me the APP-ID, even though I haven't configured it. Thank you very much!
Cheers,