Security rules when ISP is caching?

L2 Linker

In looking at outbound traffic I can see quite a bit to a network range owned by my ISP. I'm guessing that it's a cache. The application traffic seems to be what one would expect to be efficiently cached (ms-update, symantec-av-update, http-video, etc).

How do you write rules for that? Or is it that, say, Microsoft is taking an ms-update request and pointing the connection to the cache (based on my IP)?


L5 Sessionator

Hello,

I am not sure if I am understanding your question correctly.

However, if you are trying to block a certain type of traffic, why would you do it in the traditional manner of blocking it based on IP? Rather, you should be taking advantage of App-ID and block it based on the application name.
Doing this, you will not have to worry about keeping track of what IP is cached and what IP you need to block. Hope this helps in blocking the desired traffic.
Thank you

Numan

L7 Applicator

From the point of view of security, you may have two types of rules.

If you are trusting the IP range because this is your selected ISP and you trust what they choose to source from this range, then write a traditional IP-address-based allow rule from your network.

If you are allowing the listed applications, then you create an application-based allow rule to any IP address and permit the traffic.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I'd like to tightly secure the outbound traffic I'm talking about. I'd rather not use just IP or just Application. I'd like to use both. A sample use case:

Some McAfee EPO traffic is being served from the cache. It is classified as web-browsing. I'd like to prevent general web browsing from that EPO server.

In order to do that you will have to create a custom application. The docs below show two different ways you can do it:

How to Create an Application Override Policy

Custom Application Signatures

Hope this helps you resolve the issue.


Thank you

Numan 
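The rules discussed in this thread, written out as a worked example on a PAN-OS firewall in configuration mode. This is an illustration added here; it is not from the original thread, the accepted answer, or Palo Alto's documentation. The zone names (trust/untrust), the ISP cache range 203.0.113.0/24, the ePO server address 10.0.5.20, the object names, the TCP port 8443 and the custom-application attributes are all assumed placeholders to be replaced with your own values. The `#` lines are annotations for the reader, not CLI syntax.

```text
# --- objects (assumed example values, not from the thread) ---
set address isp-cache-net ip-netmask 203.0.113.0/24
set address epo-server ip-netmask 10.0.5.20/32
set service tcp-8443 protocol tcp port 8443

# --- rule 1: update traffic to the ISP cache ---
# Matches only when the flow is BOTH destined to the cache range AND
# identified by App-ID as one of the update/video applications seen in the logs.
# Using both conditions is what stops a bare IP rule from allowing anything
# else the ISP happens to serve from that range.
set rulebase security rules allow-updates-via-isp-cache from trust to untrust source any destination isp-cache-net application [ ms-update symantec-av-update http-video ] service application-default action allow

# --- rule 2: ePO traffic that App-ID classifies as web-browsing ---
# Constrained by source (only the ePO server), destination (only the cache range)
# and service (only the assumed ePO port), so it is no longer "general web browsing".
set rulebase security rules allow-epo-via-isp-cache from trust to untrust source epo-server destination isp-cache-net application web-browsing service tcp-8443 action allow

# --- rule 3: everything else the ePO server tries to browse is denied and logged ---
# Rules are evaluated top-down, so this must come after rule 2.
set rulebase security rules deny-epo-web-browsing from trust to untrust source epo-server destination any application web-browsing service any action deny log-end yes

# --- optional: name the ePO traffic instead of matching it on port ---
# Custom application (category/subcategory/technology/risk are assumed values)
set application mcafee-epo-custom category business-systems subcategory management technology client-server risk 2
# Application override: flows from the ePO server to the cache on tcp/8443 are
# labelled mcafee-epo-custom, and the security rules above can then reference
# that name instead of web-browsing.
set rulebase application-override rules epo-override from trust to untrust source epo-server destination isp-cache-net protocol tcp port 8443 application mcafee-epo-custom

commit
```

Two practitioner caveats. First, verify the App-ID names with `show predefined application` (or the Objects > Applications page) before committing; the three listed above are the ones named in the question, and an unknown name is rejected at commit. Second, an application-override rule tells the firewall to stop App-ID and content inspection for the matched flow and simply label it, so the override in the optional section trades threat inspection of that flow for a stable name; keep its source, destination and port as narrow as shown, and prefer a custom application signature (the second document linked above) if you still want the traffic inspected.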
