Question regarding unknown application behaviour


L4 Transporter

Let's say you configure a rule with:

Application = Any

Service = Custom Service (TCP port 12345)

Now when the AppID engine cannot match anything I guess it classifies the traffic as "unknown-tcp".

Will the traffic be allowed (because unknown-tcp is part of Any and the firewall will practically act as a stateful firewall) or will it be denied?

What is the purpose of Application Overrides? This seems complicated to me since you have to go to a different policy section and configure it in addition to the actual firewall rule.

Thanks in advance.

5 REPLIES

L4 Transporter

When you set the application to any and just define a port, it acts like a basic firewall. No matter what application is being used (DNS/SMTP/Web-Browsing/SSL), it's going to be allowed as long as it's using the defined port/service.

Application Override policies bypass the App-ID engine.

An application override policy is used to change the way the firewall classifies network traffic into applications. An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection. The firewall is forced to handle the session as a regular stateful inspection firewall at Layer-4. If an existing application, web-browsing, for example, is used in the application override, the rule will force all matching traffic into Layer-7 inspection for that specific application.

An application override could be used with custom internal applications that use non-standard port numbers or internal applications that are classified by the firewall as "unknown" and custom definitions have been created for them.

Application Override and Scanning Engines

L6 Presenter

No...

What your rule actually means is "allow if tcp port = 12345, don't care which appid is identified" (assuming your action was allow).

Which means that if you set "appid=any" on all your rules then PA will work just like any SPI firewall (only looking at srcip, dstip, srcport, dstport, if we ignore the other features which PA has like IPS, AV, SSL termination, URL categorization etc.).

Unknown-tcp is a session/flow which doesn't match any known appid. There is also unknown-udp and unknown-p2p.

So in your case unknown-tcp will be allowed as well.

A recommendation is therefore to put a specific action=deny for appid=unknown-tcp, unknown-udp and unknown-p2p.

Note however that some appids demand that unknown traffic is allowed in order to fully identify the appid in question.

Application overrides are to manually force the PA to detect specific traffic as an appid.

Either due to reporting (for example, if you for some reason know that traffic going to x.x.x.x TCP80 is always http, then you could set up an application override to "dstip=x.x.x.x, dstport=80, proto=tcp, override=web-browsing"). The override can also be used if PA incorrectly identifies a specific flow as the wrong appid type.

Usually override isn't used (except for the case when PA misidentifies a flow).
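To make the semantics described in the replies above concrete, here is a toy first-match policy evaluator. It is an added illustration for this thread, not PAN-OS code or its real matching algorithm: rule ordering (first match wins, implicit deny at the end), the rule and flow fields, the IP 203.0.113.10 and the "(proto, port)" service encoding are all assumptions made for the example. It shows that a rule with application=any and service=tcp/12345 admits unknown-tcp just like any other app on that port, that placing a deny for the unknown-* apps ahead of it changes the outcome, and how an application override rewrites the App-ID label before the policy is consulted.

```python
"""Toy first-match security-policy evaluator (constructed illustration, not PAN-OS code)."""
from dataclasses import dataclass, replace

ANY = "any"


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    app: str          # what App-ID would classify the flow as, e.g. "web-browsing" or "unknown-tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset   # frozenset({ANY}) or a set of app names
    services: frozenset       # frozenset({ANY}) or a set of (proto, port) tuples
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Override:
    dst_ip: str
    proto: str
    dst_port: int
    app: str                  # app the matching flow is forced to be classified as


def apply_overrides(flow, overrides):
    """Application override (assumed model): relabel the flow's app before the policy lookup."""
    for ov in overrides:
        if (ov.dst_ip, ov.proto, ov.dst_port) == (flow.dst_ip, flow.proto, flow.dst_port):
            return replace(flow, app=ov.app)
    return flow


def evaluate(flow, rules, overrides=()):
    """Return (rule_name, action) of the first matching rule, or an implicit default deny."""
    flow = apply_overrides(flow, overrides)
    for rule in rules:
        # application=any matches every App-ID result, including unknown-tcp
        app_match = ANY in rule.applications or flow.app in rule.applications
        svc_match = ANY in rule.services or (flow.proto, flow.dst_port) in rule.services
        if app_match and svc_match:
            return rule.name, rule.action
    return "default-deny", "deny"


# Constructed sample policy mirroring the thread: app=any + custom service tcp/12345
CUSTOM_12345 = frozenset({("tcp", 12345)})
ALLOW_CUSTOM = Rule("allow-custom-12345", frozenset({ANY}), CUSTOM_12345, "allow")
DENY_UNKNOWN = Rule("deny-unknown",
                    frozenset({"unknown-tcp", "unknown-udp", "unknown-p2p"}),
                    frozenset({ANY}), "deny")

PERMISSIVE_RULES = (ALLOW_CUSTOM,)                 # behaves like a plain L4 stateful rule
HARDENED_RULES = (DENY_UNKNOWN, ALLOW_CUSTOM)      # explicit deny for unknown-* placed first
OVERRIDES = (Override("203.0.113.10", "tcp", 80, "web-browsing"),)   # constructed address


if __name__ == "__main__":
    unknown_12345 = Flow("tcp", "10.0.0.5", 12345, "unknown-tcp")
    print("permissive:", evaluate(unknown_12345, PERMISSIVE_RULES))   # allowed
    print("hardened:  ", evaluate(unknown_12345, HARDENED_RULES))     # denied
    print("override:  ", apply_overrides(Flow("tcp", "203.0.113.10", 80, "unknown-tcp"), OVERRIDES).app)
```

The hardened ordering is the reply's recommendation, not a universal rule: as the same reply notes, some applications are only identified after some initially unknown traffic has been allowed, so a blanket deny on unknown-* needs to be checked against the traffic logs before it is trusted in production.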

L4 Transporter

OK, so if AppID=Any and Service=Custom (TCP / UDP / Port number / range) then the device works like a traditional stateful firewall (even if AppID classifies the traffic as unknown)?

Would that approach be a viable option for a migration in a large enterprise environment with a lot of firewall rules allowing proprietary applications where no signature for AppID exists (in-house applications, niche applications)? At least for a transition phase until a custom AppID definition can be created or research can be done on what is actually transferred over the connection (maybe with the help of the logs or reporting).

Another question: Web Server in DMZ hosting web sites, which application would you use here to allow connections from public Internet to the web server in the DMZ: web-browsing? That sounds inappropriate but there is no web-hosting application in applipedia?

Would that approach be a viable option for a migration in a large enterprise environment with a lot of firewall rules allowing proprietary applications where no signature for AppID exists (in-house applications, niche applications)? At least for a transition phase until a custom AppID definition can be created or research can be done on what is actually transferred over the connection (maybe with the help of the logs or reporting).

Talk to your SE. They might have a migration tool to help you get from your current firewall to the Palo Alto. But yes, that's the way I did it way back on PAN-OS 2.0. Then you can use the custom reports to see what apps are actually being used (and that you approve of) and you can start setting them in the security policy.

Another question: Web Server in DMZ hosting web sites, which application would you use here to allow connections from public Internet to the web server in the DMZ: web-browsing? That sounds inappropriate but there is no web-hosting application in applipedia?

It would be web-browsing. Web-browsing is the parent app for HTTP requests. (You have to be careful. You may have child apps like hotmail and web-crawlers accessing your website that would be blocked if you just allow web-browsing.)
