Turn off Application ID globally?


Can one turn off the application awareness globally to set up a PAN as a L4 firewall? Trying to get some comparison stats against the old L4 only (non PAN) firewall and the new PAN.

Thanks.

6 REPLIES

I don't believe there is a global setting to turn off App-ID, but you can configure two application override policies (https://live.paloaltonetworks.com/docs/DOC-1071) and include all ports (1-65535) for both TCP and UDP.

So basically create two custom applications, one for TCP (tcp/1-65535) and the other for UDP (udp/1-65535), and create two policies, one for all TCP ports and the other for all UDP ports.

Haha wow I never thought about trying to benchmark App-ID versus non-App-ID in this way... yes this in theory should work, if you built app overrides for any to any traffic and bind them to the App-IDs that define every TCP port and every UDP port.

You'd have to build more specific app overrides for specific ports if you wanted to actually firewall I suppose... or I guess your rules could be defined as App 'any' and define specific services in the service column... this would in essence give you a traditional layer 4 firewall.

Interesting stuff... I have a Breaking Point appliance, and it's tempting to go build this in the lab and see what kind of performance I get out of it compared to App-ID being on.

Keep in mind a rule with a custom application override does not pass through any of the URL, threat or anti-virus scanning engines. The scanning engine will be used with an app-override if you use an existing built-in application such as web-browsing.

The above information can also be found at the following link

Application Override and Scanning Engines

Hope this helps.

Thanks

Numan
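The two approaches discussed in this thread, written out as PAN-OS CLI configuration. This is an added example, not configuration from the original posts or from Palo Alto Networks; the object names (app-tcp-all, app-udp-all, svc-smb-445, the rule names and zone names) are assumptions, the "#" lines are explanatory comments to strip before pasting, and the exact keyword syntax should be checked against the PAN-OS version in use. The first half is the "all ports" custom-app override from the first reply, which, as noted above, bypasses URL, threat and anti-virus scanning; the second half is the "application any + service column" alternative, which keeps the security profiles in the inspection path.

```panos
# --- Approach 1: application override for every TCP and UDP port ---
# Custom applications covering the full port range (names are assumptions)
set application app-tcp-all category networking subcategory ip-protocol technology network-protocol risk 1
set application app-tcp-all default port tcp/1-65535
set application app-udp-all category networking subcategory ip-protocol technology network-protocol risk 1
set application app-udp-all default port udp/1-65535

# Override rules: any zone to any zone, all ports, per protocol.
# Traffic matching these rules is classified by port only; App-ID and the
# content scanning engines are skipped for these custom applications.
set rulebase application-override rules override-tcp-all from any to any source any destination any port 1-65535 protocol tcp application app-tcp-all
set rulebase application-override rules override-udp-all from any to any source any destination any port 1-65535 protocol udp application app-udp-all

# The overridden sessions still need a security rule that permits the custom apps.
set rulebase security rules allow-l4-benchmark from trust to untrust source any destination any application [ app-tcp-all app-udp-all ] service any action allow

# --- Approach 2: application "any" with explicit services (L4-style rule, scanning kept) ---
# Service objects define the allowed ports (example values, constructed for illustration)
set service svc-smb-445 protocol tcp port 445
set service svc-backup-1500 protocol tcp port 1500

# Security rule keyed on service instead of application. App-ID still runs and
# the attached security profiles still inspect the traffic.
set rulebase security rules allow-l4-services from trust to untrust source any destination any application any service [ svc-smb-445 svc-backup-1500 ] action allow
set rulebase security rules allow-l4-services profile-setting profiles virus default vulnerability default spyware default
```

For a pure throughput comparison against the old L4 box, approach 1 is the closer match because it removes App-ID and content inspection from the path; for production traffic, approach 2 is the one that still gives you the threat and anti-virus coverage the PAN was bought for.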

Would be nice if those numbers could be posted online 🙂

Especially the case between the App-ID override, which disables everything, vs "appid:any", which should be equal (at least security-wise).

I think Network World got slightly lower throughput when they tried to "disable everything" and one of the theories back then was that a disable added one (or more) cpu-cycles within the PA which would end up with 1%'ish lower throughput. That is the PA will do AppID no matter what, when you disable/ignore the result from the AppID it will take one (or more) additional cpu/fpga/asic cycles to ignore the result.

I'm trying to get more throughput through my 2020. I got the gig interfaces but the FW App-ID performance is 500Mb. I want to terminate a Gig Eth circuit to the FW but don't want to impede performance. The circuit carries our VM replication, TSM backup, file sharing, and management. I was expecting that application override would be the best choice to implement, but the Network World comment had me guessing. Any further thoughts or comments on this one?

Thank you
