I have installed a Palo (in tap mode) in front of an MS TMG proxy. In the attachment I put a picture of the applications it recognizes. The http-proxy application is always the application with the most received bytes, but the Palo also recognizes other applications, so my question is: what kind of traffic does the Palo categorize as http-proxy? Is it traffic that it cannot recognize inside the http-proxy packets as some other application, or something else? Is this because the Palo is installed in tap mode?
Another thing: every time I install a Palo in tap mode, the URL Filtering log shows only 3 applications (ssl, web-browsing and http-proxy). Is that OK? Other Palo firewalls I installed (in virtual-wire and Layer 3 modes) show more applications in the URL Filtering log.
Since you have the PA device in front of your proxy server, that traffic will be detected as the http-proxy application. Depending on where you visit, other applications may be detected inside the http-proxy traffic. So if you visit Gmail, YouTube or Facebook, the PA device will log those applications when they are detected.
Yes, you typically see the web-browsing, http-proxy and ssl applications in the URL log, because that traffic generated the URL requests.
The traffic that generated the URL log is traffic to www.facebook.com, mail.google.com, www.youtube.com, etc., but I don't see those applications, only the web-browsing, ssl or http-proxy application. On other firewalls with the same software version, in the URL log I see facebook, youtube and other applications for www.facebook.com, www.youtube.com and other URLs. Does that mean this traffic is recognized as the http-proxy application in the traffic log? I looked at the related logs, and for some traffic there is a matching traffic log entry with the correct application, but for some there isn't. Mainly, YouTube URLs are recognized as the http-proxy or web-browsing application in the traffic log. See picture.
Let's say you visited www.facebook.com. The PA device will initially detect the traffic as http-proxy, so it logs the traffic as app=http-proxy. At this time the URL log would show the app as http-proxy. After the reply from the web server, the PA device scans the reply and deems that app=web-browsing, because the reply contains elements that suggest it is an HTTP web server. With more content arriving, the PA device will detect that it is Facebook and log the traffic as facebook-base in the traffic log. However, the URL log would have logged the initial request and its associated app at the time, which was http-proxy.
So depending on when the URL request was received, the App-ID may change as the PA device continually analyzes the traffic.
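The check described in the thread, comparing the App-ID in the URL Filtering log with the App-ID the traffic log ended up with for the same session, can be done over exported logs rather than by clicking through related entries. The script below is an added example and is not part of the original thread or of PAN-OS. It assumes both logs were exported to CSV and trimmed to the simplified columns session_id, url, app and bytes_received (a real export has many more columns, so map the header names to your export), and the sample rows are constructed to mirror the behaviour the reply describes: the URL log holds the App-ID in force when the request was seen, the traffic log holds the App-ID at session end.

```python
"""Correlate PAN-OS URL Filtering log rows with traffic log rows by session ID.

Added example, not from the original thread. Assumes both logs were exported
to CSV and trimmed to the simplified columns below; real PAN-OS exports carry
many more columns, so adapt the header names to your export.
"""
import csv
import io
from collections import Counter

# Constructed sample data (not real logs). session_id ties the two logs together.
URL_LOG_CSV = """session_id,url,app
1001,www.facebook.com/,http-proxy
1002,www.youtube.com/watch,http-proxy
1003,example.org/index.html,web-browsing
1004,mail.google.com/,http-proxy
"""

TRAFFIC_LOG_CSV = """session_id,app,bytes_received
1001,facebook-base,204800
1002,http-proxy,1048576
1003,web-browsing,5120
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def correlate(url_csv=URL_LOG_CSV, traffic_csv=TRAFFIC_LOG_CSV):
    """For each URL log row, look up the traffic log row for the same session.

    Returns one dict per URL log row with the App-ID the URL log saw (url_app),
    the App-ID the traffic log ended with (final_app) and a verdict:
      same      both logs agree
      shifted   App-ID changed after the URL request was logged
      no_match  no traffic log row for that session (still open, or not exported)
    """
    traffic_by_session = {r["session_id"]: r for r in load_rows(traffic_csv)}
    results = []
    for row in load_rows(url_csv):
        t = traffic_by_session.get(row["session_id"])
        final_app = t["app"] if t else None
        if final_app is None:
            verdict = "no_match"
        elif final_app == row["app"]:
            verdict = "same"
        else:
            verdict = "shifted"
        results.append({
            "session_id": row["session_id"],
            "url": row["url"],
            "url_app": row["app"],
            "final_app": final_app,
            "verdict": verdict,
        })
    return results


def summarize(results):
    """Count verdicts so the share of sessions whose App-ID shifted is visible."""
    return dict(Counter(r["verdict"] for r in results))


if __name__ == "__main__":
    rows = correlate()
    for r in rows:
        print(f"{r['session_id']}  {r['url']:<26} url_log={r['url_app']:<13} "
              f"traffic_log={str(r['final_app']):<14} {r['verdict']}")
    print(summarize(rows))
```

Session 1001 is the case the reply walks through: the URL log recorded http-proxy at request time while the traffic log closed the session as facebook-base. Session 1002 shows the YouTube case from the question, where even the traffic log stays at http-proxy, so the URL log cannot be expected to show more than that.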
This behavior seems abnormal to me. I had previously opened a ticket for this and received a similar answer. The strange thing is that when you look at the traffic log for the same data, it correctly identifies the application. So application identification seems to work as I would expect in the traffic logs but not in the URL logs. Support mentioned this is scheduled to be fixed in the 5.x versions. Is this still the case?