unknown-tcp and web application


L4 Transporter

Hello Experts

 

Just want to know, 

 

1- If PA cannot identify the web application, will it classify it as SSL/web-browsing or unknown-tcp?

2- Are unknown-tcp and unknown-udp only for client/server applications?

 

Regards,

 

GR

1 accepted solution

Accepted Solutions

Cyber Elite

Hi @ghostrider

 

In scenario 1, if the application has already been identified as ssl or web-browsing and no 'deeper' application can be determined, the session will remain ssl or web-browsing.

For scenario 2: if no application can be determined at all (a custom application or something completely new) but the session appears to flow normally (TCP handshake, normal flow of ACKs or, in the case of UDP, a normal stream of packets), the session's application will be set to unknown-tcp/unknown-udp after about 2000 bytes/8 packets (4 packets after the TCP handshake). This would also apply for peer-to-peer.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


11 REPLIES

L6 Presenter

If PA sees the exchange of keys as it happens in an SSL (and TLS) session, the application will be recognised as SSL and nothing further can be recognised unless you decrypt the session.

 

If traffic matches http protocol and no specific http application is recognised then the application will be recognised as web-browsing.

 

If the traffic is neither http protocol nor SSL/TLS session then it will be unknown TCP.

 

This is not official info, but I think it's correct. 


Thank you both. 

 

@reaper

1- In case of SSL decryption, PA will then identify it as web-browsing if no deeper application is identified?

2- Also, if a deeper application is identified by PA and I only allow web-browsing in policy, will PA reject the traffic? I am asking because I have a security policy for the BLUECOAT PROXY to go to the internet; if I allow only SSL and web-browsing, will it work? It is impractical to identify a whole bunch of HTTP applications in policy.

Appreciate your reply

1 - yes

2 - if you only allow web-browsing and SSL from your proxy to internet then you will have a lot of unhappy users and a lot of work. There are many ways to come to a good application policy. Either use application categories or make 2 groups (like GoodApps and BadApps) and try to fill them with apps that your users use. You can also make a combination of both; use categories and groups together where groups act like a white list or black list for overriding rules by categorization.

 

And in every scenario your first decision will be how to start: either with all apps blocked except specific groups/categories and then slowly open more, or with only bad apps blocked and then slowly add more to the blocked group.

Thanks for the reply. Again, sorry for my ignorance, but I want to ask:

1- In general, if I allow only web-browsing and SSL in security policy (assuming SSL decryption is being done) and PA identifies the deeper application, like fb-chat, then in this case access to that deeper application will be blocked? In short, allowing web-browsing and SSL only will not allow all web applications?

2- Coming to the proxy question, how can I know all the web applications on the internet that users will browse, and allow them in policy? I just want to allow all web-browsing and SSL from the proxy to the internet. What can I do?

1. Yes

2. Work with app categories or application filters, as they are called. Or allow port 80 and 443 and only block selected apps and/or categories.

@santonic thank you!

@santonic Just one question: if I am not doing SSL decryption on PA, then all internet web browsing would boil down to the SSL and web-browsing applications? So in security policy, if I allow only the web-browsing and SSL applications for bluecoat to internet traffic (browsing), then it would be fine, right?

Nope.

 

On http traffic you will always have a lot of applications, as it's not encrypted.

 

On https traffic most sessions will be recognised only as SSL without decryption. But in some cases (for example TeamViewer, where the destination for the CONNECT command is always something like *.teamviewer.com) a specific application will be recognised even without decryption.

Community Team Member

Hi @ghostrider

 

santonic is right.  

If you check Objects > Applications and filter on Technology 'browser-based' you will find over 900 applications that fall into this category ... allowing only the SSL and web-browsing applications won't be enough to allow them:

[Screenshot: browser-based applications]

 

Cheers !

-Kim.

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Thanks. Makes sense!
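The two policy approaches discussed in this thread, compared in a small first-match rule model. This is an added example, not part of any post above and not PAN-OS code: the rule dictionaries, rule names, the session list and the choice of teamviewer as the blocked app are all constructed for illustration, and unmatched traffic is assumed to hit a default deny.

```python
from collections import Counter

# Constructed sample: proxy-to-internet sessions as (App-ID label, dest port).
# Labels follow the thread: undecrypted HTTPS is mostly "ssl", plain HTTP with
# no specific app is "web-browsing", and some apps are identified regardless.
SESSIONS = [
    ("ssl", 443), ("ssl", 443), ("web-browsing", 80),
    ("facebook-chat", 443), ("teamviewer", 443),
    ("unknown-tcp", 8443), ("web-browsing", 80),
]

# Hypothetical rule model: first match wins; "any" matches everything.
STRICT = [
    {"name": "proxy-web", "apps": {"ssl", "web-browsing"},
     "ports": "any", "action": "allow"},
]
BLOCKLIST = [
    {"name": "bad-apps", "apps": {"teamviewer"},
     "ports": "any", "action": "deny"},
    {"name": "proxy-80-443", "apps": "any",
     "ports": {80, 443}, "action": "allow"},
]


def evaluate(rules, app, port):
    """Return (action, rule name); traffic matching no rule is denied."""
    for rule in rules:
        app_ok = rule["apps"] == "any" or app in rule["apps"]
        port_ok = rule["ports"] == "any" or port in rule["ports"]
        if app_ok and port_ok:
            return rule["action"], rule["name"]
    return "deny", "default-deny"


def denied_apps(rules, sessions):
    """Count denied sessions per application to size a rulebase's impact."""
    counts = Counter()
    for app, port in sessions:
        action, _ = evaluate(rules, app, port)
        if action == "deny":
            counts[app] += 1
    return dict(counts)


if __name__ == "__main__":
    print("ssl + web-browsing only:", denied_apps(STRICT, SESSIONS))
    print("80/443 with blocklist:  ", denied_apps(BLOCKLIST, SESSIONS))
```

Running the same count over an export of real traffic logs before tightening a rule shows which identified applications would start failing.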
