Is New App ID Rule Setup Correctly?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is New App ID Rule Setup Correctly?

L2 Linker

Its getting a lot of hits, I setup Application filter for new app IDs and added them to their own Security Policy rule. Does this look correctly? Im confused as to why its getting so many hits. 

DuggiFresh_0-1680043214733.png

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

All outgoing connections that don't get past TCP 3way handshake will match your New Apps rule.

Find application that you permit out anyway and add rule above it to collect all incompletes.

Example below with traceroute.

 

Source - inside

Destination - outside

Application - traceroute

Service - any

Action - allow

 

This will collect all incomlete sessions and your chosen app and keep New Apps rule clean.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

6 REPLIES 6

L2 Linker

Any Ideas as to why it would have so many hits on this rule? All the traffic hitting this rule is unable to identify the application. 

Cyber Elite
Cyber Elite

@DuggiFresh,

Gonna go out on a limb and say that this is the first app-id based rule that you have in your rulebase? If that's the case, that'll match a whole lot of traffic as the firewall needs to allow enough traffic to identify the application. As soon as the application is identified, the firewall will reanlyze the rulebase and pass the traffic to the corresponding entry.

 

As long as this is the first app-id based rule that is in your rulebase, or is the first for at least a subset of your users, this is expected behavior. 

Cyber Elite
Cyber Elite

All outgoing connections that don't get past TCP 3way handshake will match your New Apps rule.

Find application that you permit out anyway and add rule above it to collect all incompletes.

Example below with traceroute.

 

Source - inside

Destination - outside

Application - traceroute

Service - any

Action - allow

 

This will collect all incomlete sessions and your chosen app and keep New Apps rule clean.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

So this rule should be near the bottom of my policies, below my identified apps? I have my applications identified in my policies.

Cyber Elite
Cyber Elite

New Apps rule should be before any of other outgoing rules if you want to have correct reporting.

If you want to keep New Apps rule log clean you need to add incomplete collector rule above it according to my example from previous post.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you, Do I need new app ID rule for Inside to inside? 

  • 1 accepted solution
  • 2610 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!