RabbitMQ App-ID Misidentified

jeff6strings
L2 Linker

We have a Security Policy Rule with Application rabbitmq, and Service is application-default. In the same Security Policy Rule, we allowed the dependent applications amqp and SSL. When we test traffic, in the Traffic log, we see it matching the zones and interfaces and IP addresses as we expect, but the rabbitmq application is identified as web-browsing, and so it is hitting the interzone-default rule.

After creating an Application Override for each port (TCP 5672 and 5671) and using the built-in app ID of rabbitmq in the override policy, the application is identified correctly in the traffic logs.


Is it possible the signature of the version of RabbitMQ we are using is different from the built-in App-ID?

I appreciate any help.


Jeff

Passionate about network infrastructure and all things Palo Alto Networks.
OtakarKlier
Cyber Elite

Hello,

Prior to running an app override, have you tried adding web-browsing to the policy? The PAN usually needs a few packets to try and identify the application and maybe sees it as web-browsing prior to rabbitmq? Just a thought, as I have seen this with other apps in the past.

The issue I have with the override is that it bypasses threat detection and should only be used when you are absolutely certain it's clean traffic.

I always stick with the default apps and maybe change a port/service, but that's about it.

Just a thought.

BPry
Cyber Elite

@OtakarKlier,

The app-id for RabbitMQ assumes that you are using encryption, but it doesn't sound like you are in your environment, based on that web-browsing identification. In that case, I would expect that simply adding web-browsing, as @OtakarKlier mentioned, would allow the traffic to work as expected and the app-id to work without needing the application override.

jeff6strings
L2 Linker

Thanks for the replies.

We don't have decryption, and the web-browsing App-ID is already in the same security policy. I asked our developer who is working with RabbitMQ for the script he is testing and the response when it is run, and it is using an HTTP header; script message output (partial): "Error getting HTTP response". I'm assuming it's HTTP but not port 80, and instead, I confirmed it is using TCP 5672.


Once I enabled the App Override, the traffic is allowed and identified correctly. Could the problem be we are not using decryption? I know the built-in App-IDs use signatures, so could our version of RabbitMQ not have the same signature? If so, is it possible for a signature to be different? My concern is if the version of RabbitMQ we have is not official or maybe altered.


Again, I appreciate any help.

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.
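A small added illustration (my own Python, not code from anyone in this thread and not the firewall's real signatures) of the mechanism under discussion: signature-based App-ID looks at the first payload bytes, so an HTTP request sent to TCP/5672 is labelled web-browsing, while a port-based Application Override returns rabbitmq without inspecting the payload at all. The protocol preambles and sample flows are constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass

# Stand-in "signatures" (assumption: a toy model of how App-ID matches payload).
AMQP_091_HEADER = b"AMQP\x00\x00\x09\x01"   # AMQP 0-9-1 protocol header (RabbitMQ default)
AMQP_10_HEADER = b"AMQP\x00\x01\x00\x00"    # AMQP 1.0 protocol header
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the TCP session


def classify_by_signature(flow: Flow) -> str:
    """Label a flow from its payload only; the destination port is ignored."""
    p = flow.payload
    if p.startswith(AMQP_091_HEADER) or p.startswith(AMQP_10_HEADER):
        return "amqp"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04:
        return "ssl"
    if p.startswith(HTTP_METHODS):
        return "web-browsing"
    return "unknown-tcp"


def classify(flow: Flow, overrides: dict[int, str] | None = None) -> str:
    """With an override table (port -> app), a port match wins and no payload inspection runs.
    That is exactly why an override also skips the signature-based threat inspection."""
    if overrides and flow.dst_port in overrides:
        return overrides[flow.dst_port]
    return classify_by_signature(flow)


# Constructed sample flows mirroring the thread: plain AMQP, AMQPS, and HTTP sent to 5672.
FLOWS = {
    "amqp_plain": Flow(5672, AMQP_091_HEADER + b"\x01\x00\x00\x00\x00\x00\x04"),
    "amqps":      Flow(5671, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "http_5672":  Flow(5672, b"GET / HTTP/1.1\r\nHost: broker.example\r\n\r\n"),
}
OVERRIDES = {5672: "rabbitmq", 5671: "rabbitmq"}  # the override policy from the first post


def demo() -> dict[str, tuple[str, str]]:
    """Return (signature label, override label) for every sample flow."""
    return {name: (classify(f), classify(f, OVERRIDES)) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (sig, ovr) in demo().items():
        print(f"{name:10s} signature={sig:13s} override={ovr}")
```

The http_5672 row is the case in this thread: the payload is HTTP, so the signature path says web-browsing, and only the port-based override says rabbitmq.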
jeff6strings
L2 Linker

Bumping. Appreciate any help.

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.