03-10-2021 06:34 AM - edited 03-10-2021 06:37 AM
Hi Team,
We have a client who does not have SSL decryption and has many third-party applications working over SSL on ports other than 443.
The client has a security requirement that all applications be categorized by the Palo Alto firewall, so they do not wish to use any service ports in the Service column field. Also, they do not wish to use the Parent App field, where a security rule must exist to allow the Parent App for the custom app to work. So, we have decided to go that route and create a custom application for their app working over SSL port 8443. And added this signature:
http/1.1 in hex \x 68 74 74 70 2f 31 2e 31 \x. And this is where everything went downhill: all SSL traffic stopped working and all traffic started being recognized as the custom app. Since the amount of information in the SSL hello is limited, we couldn't find any additional information to add to the custom app. What do you guys suggest using for custom apps running SSL traffic when you do not have decryption?
03-10-2021 07:08 AM
Ya, as you saw, you definitely don't want to make such a simple signature in a custom app-id without additional conditional statements. When you're looking at the traffic, what actually stays the same? While it's true that you're going to be limited if they aren't decrypting traffic, you still have a good amount of data to work with. When possible I try to get ssl-req-client-hello and match the server name. Keep in mind that the more data you can identify to create additional criteria with, the better; it's only going to make your app-id more reliable if you do things correctly.
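As an added illustration (not from this thread or from Palo Alto), the Python below builds two constructed ClientHello records and compares the two matching approaches: the literal `http/1.1` byte pattern, which also hits any hello whose ALPN extension advertises HTTP/1.1, versus a check on the SNI server name, the ssl-req-client-hello field the reply recommends. The host names are made up.

```python
import struct

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(server_name, alpn_protocols):
    """Constructed minimal ClientHello record with SNI and ALPN extensions (test input)."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    alpn_list = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
    exts = (_ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry)
            + _ext(0x0010, struct.pack("!H", len(alpn_list)) + alpn_list))
    body = (b"\x03\x03" + b"\x11" * 32            # client_version, random
            + b"\x00"                              # session_id length 0
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return {'sni': host-or-None, 'alpn': [protocols]} from a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    p = 5 + 4 + 2 + 32                                # record hdr, hs hdr, version, random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    out = {"sni": None, "alpn": []}
    while p < end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + ext_len]
        if ext_type == 0x0000:                        # server_name: list_len(2) type(1) len(2) name
            out["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
        elif ext_type == 0x0010:                      # ALPN: list_len(2) then len(1)+name entries
            q = 2
            while q < len(data):
                out["alpn"].append(data[q + 1:q + 1 + data[q]].decode("ascii"))
                q += 1 + data[q]
        p += 4 + ext_len
    return out

def naive_pattern_match(record):
    """The original custom-app signature: the literal bytes 'http/1.1' anywhere in the hello."""
    return b"http/1.1" in record

def sni_match(record, expected_host):
    """The SNI-based condition the reply suggests: match the server name instead."""
    return parse_client_hello(record)["sni"] == expected_host

# Constructed sample traffic: the client's app on 8443 and an unrelated HTTPS site.
APP_HELLO = build_client_hello(b"app.example.internal", [b"http/1.1"])
OTHER_HELLO = build_client_hello(b"www.example.com", [b"h2", b"http/1.1"])
```

Both hellos satisfy the naive pattern, which is the behaviour the original post saw; only the app's hello satisfies the SNI condition.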
03-10-2021 02:51 PM
Thank you so much. I had asked the client to telnet to a hostname instead of an IP for us to create the signature based on the SNI field and it worked!