05-07-2012 01:35 PM
Hi Alex,
Do you mean downloading the installer or the downloads managed by jdownloader?
If you want to manage downloading the installer, it should be an exe file, which you can handle through File blocking profiles and set appropriate actions and applying to specific rules.
We currently do not have the jdownloader as an application in our App database.
Regards,
Parth
05-07-2012 06:32 PM
Hi Parth,
I most definitely mean the downloads handled by Jdownloader. Would this require a new application signature in Applipedia to be managed?
Thanks,
Alex
05-07-2012 11:49 PM
Unless you create a custom app on your own you can request app enhancement from the Apps and Threats Research Center.
http://www.paloaltonetworks.com/researchcenter/tools/
From there you can click on Submit an app and provide details there.
05-08-2012 06:35 AM
Stupid question perhaps and a tad off topic but is there any cost attached with requesting a custom app/signature? Or will any new app eventually be included in the standard application db (provided it's accepted as a new app)?
05-08-2012 06:49 AM
No cost to my knowledge.
The tricky part is as you already mentioned to convince the app-people that this particular app should be part of the global appid-db.
05-08-2012 09:28 AM
Hello,
Downloader apps aren't using any specific protocols: they download files over HTTP or FTP, so creating an application is hard/non-relevant to the definition of an application as they are used in PA.
05-08-2012 10:33 AM
Thanks, mate. I was pretty sure that this was the answer, but wanted to hear back from the community.
Alex
05-08-2012 01:27 PM
I disagree...
If you take a look at applipedia (http://apps.paloaltonetworks.com/applipedia/) and select file-sharing and browser-based you will see a shitload of apps that are just that - downloaders:
4shared, bigupload, easy-share, megaupload and so on (currently 84 appid's matching the above search).
Hopefully the download "accelerator" that the thread starter uses will use some useragent or such which you can identify the flow at (and by that create your custom application).
05-08-2012 01:46 PM
So ... If jDownloader is used to download a file on Easyshare, is it the Easyshare application or jDownloader?
You are mixing websites that are providing a service (so it can be called an application) and programs that run on PCs.
4shared, bigupload, easy-share, megaupload: all of them are websites that are providing a service and so it is considered as an application. If you use InternetExplorer to access Dropbox or a third party program, it will be considered as Dropbox application.
In addition, nowadays many downloader programs are faking User-Agents (or at least give people the ability to change it in their configuration menus) to bypass corp restrictions or filtering.
05-08-2012 02:07 PM
In that case I would use best-match which would give jDownloader as final result.
You can compare it to using your web-browser and visit youtube. Is it web-browsing or is it youtube? Actually it's both (which you will see if you enable log on session start how the flow hops between applications).
You can also search on "management" and "client-server" in applipedia to see various applications (run on the client) and not applications as in which url is being visited.
But sure in order to successfully identify jdownloader there has to be something to identify at.
Useragent is one of the things (since it's using http). Another thing could be, in combination with useragent, which headers are actually being used (present) and in which order? Perhaps chunked downloading is being used? Or multiple sessions towards the same ip address? and so on.
There can also be secondary trigger points which can be used - in case the application phones home, similar to how skype is being identified (sure you can block skype with PA but to do this you are forced to allow skype-probe to pass through).
With PA you can at least be sure that HTTP is allowed and nothing else. If you want to block which browser the client uses to download stuff over HTTP you need to apply whitelisting on the client computers (there are several products that do this on the market with various results, http://www.cryptzone.com/products/se46-application-whitelisting/ is one of them).
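The signals listed in the post above (header order alongside the User-Agent, segmented downloads, several sessions toward one IP) can be combined into a passive check over captured HTTP request heads. This is an added example, not part of the original thread and not Palo Alto code; the baseline fingerprint, the `ExampleBrowser/1.0` name, the sample flows, and reading "chunked downloading" as parallel `Range` requests are all assumptions.

```python
from collections import defaultdict

# Constructed baseline: header order seen from a known-good browser build
# (hypothetical values for illustration, not a real fingerprint database).
BASELINE = {"ExampleBrowser/1.0": ("host", "user-agent", "accept",
                                   "accept-language", "accept-encoding", "connection")}

def parse_head(raw):
    """Return (ordered lower-cased header names, header dict) from a raw request head."""
    lines = raw.strip().split("\r\n")[1:]              # skip the request line
    pairs = [l.split(":", 1) for l in lines if ":" in l]
    names = tuple(k.strip().lower() for k, _ in pairs)
    return names, {k.strip().lower(): v.strip() for k, v in pairs}

def score_flows(flows, window=5.0, min_parallel=3):
    """flows: iterable of (timestamp, src_ip, dst_ip, raw_head).
    Returns {(src, dst): reasons} for pairs that behave like a download manager."""
    findings, ranged = defaultdict(set), defaultdict(list)
    for ts, src, dst, raw in flows:
        names, hdrs = parse_head(raw)
        expected = BASELINE.get(hdrs.get("user-agent", ""))
        core = tuple(n for n in names if n != "range")  # Range is legal in a browser too
        if expected is not None and core != expected:   # claimed UA, wrong header layout
            findings[(src, dst)].add("header-order-mismatch")
        if "range" in hdrs:
            ranged[(src, dst)].append(ts)
    for key, stamps in ranged.items():                  # burst of segment requests
        stamps.sort()
        for i in range(len(stamps) - min_parallel + 1):
            if stamps[i + min_parallel - 1] - stamps[i] <= window:
                findings[key].add("parallel-range-requests")
                break
    return dict(findings)

def make_head(ua, order, rng=None):
    """Build a constructed request head with headers in the given order."""
    vals = {"host": "files.example", "user-agent": ua, "accept": "*/*",
            "accept-language": "en", "accept-encoding": "gzip", "connection": "keep-alive"}
    lines = ["GET /big.iso HTTP/1.1"] + [f"{h}: {vals[h]}" for h in order]
    if rng:
        lines.append(f"Range: bytes={rng}")
    return "\r\n".join(lines) + "\r\n\r\n"

B = BASELINE["ExampleBrowser/1.0"]
SAMPLE = [(0.0, "10.0.0.5", "203.0.113.9", make_head("ExampleBrowser/1.0", B))] + [
    (1.0 + i * 0.2, "10.0.0.7", "203.0.113.9",          # constructed: same UA string, other layout
     make_head("ExampleBrowser/1.0", ("user-agent", "host", "accept", "connection"),
               f"{i * 1000}-{i * 1000 + 999}"))
    for i in range(3)]
```

Each reason is a hint rather than proof: browsers also send `Range` when resuming, and header layouts change between releases, so the baseline needs upkeep.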
05-09-2012 01:20 AM
If that was useful/relevant, there would already exist applications called Firefox, Chrome, IE and Safari. They are all clients for well known protocols.
If you look at client-server apps, they do not guarantee you are using official client for the application, it only recognizes the network behaviour/protocol of the service offered, not the program/binary behind this traffic. In addition, while User-Agent will work in most cases for HTTP (if you except the fact that it can be faked easily), other protocols don't have this kind of feature (i.e. smtp, imap, pop, remote desktop, exchange ...all of them have compatible but no way to identify it at firewall level)
In fact, PaloAlto should have called it ServiceID instead of AppID, it would have been clearer for everyone.
Note that I am not against a "ProgramID" but I barely see it maintainable and accurate.
05-09-2012 02:25 AM
Well of course because PA is analyzing the network flows and nothing else.
Anyone can use Wget to make it look like a Firefox session (or even do this manually with a perl-script or such) - faking useragent, which headers are being used (and in which order), run a check for latest google bad sites update and other stuff a true Firefox session would do on the network.
Perhaps Globalprotect can be expanded in future to cover what actually happens on the client (and server) side as well?
IMHO ProtocolID (instead of ApplicationID) would be a better description of what PA actually is doing in order to not confuse with the word application which often means software on a computer. But then someone would argue that windowsupdate isn't a protocol while HTTP is and so on 😉