web-browsing a superset of applications

Reply
Highlighted
Not applicable

web-browsing a superset of applications

Hi,

I am very new to the PA.  I am configuring a PA500.  I hope it's OK to ask a beginners question here.

I want to allow web browsing generally.  I tried adding lots of applications but it got boring pretty quick.  I hope that the PA will do the work for me of weeding out bad web sites.  So now I have moved to a policy of allow all traffic to ports 80, 8080 and 443.  This does not seem to be the best way of doing it.  What I mean is that some applications, like for instance drop box, use other ports ie 17500.  Restricting traffic to particular ports doesn't allow the PA to do its application signature thing (does it).  On the other hand an "any application, on any port" policy seems to be a bit too permissive.  Are there supersets of applications?  Do web-browsing and ssl include say google and gmail?  If not what do they allow exactly?

Kim


Accepted Solutions
Highlighted
L6 Presenter

Re: web-browsing a superset of applications

Kim,

Yes order of the security profiles matters. As soon as the traffic hits the top policy we will not look for further security policies for that particular traffic. So your order is always important. With regards to the error message your are seeing different error messages. What it means is

    vsys1: Rule 'I2E-cisco-vpn' application dependency warning:    

Application 'ciscovpn' requires 'ike' be allowed, but 'ike' is denied in Rule 'I2E-appfilter'   

vsys1: Rule 'I2E-voip' application dependency warning:    

Application 'google-talk-base' requires 'jabber' be allowed   

  Application 'google-talk-base' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'I2E-appfilter'

This warning is an application dependency warning. If you allow an application say in this case ciscovpn that basically works with the help of other applications (depends) then you have to also allow the dependency application (ike) for the ciscovpn applicaiton to work. So please go ahead add the ike application to the same rule 'I2E-cisco-cpn'  Do the same for other rules.

Security Policy:     - Rule 'VPN-Access' shadows rule 'External2VPN'

This warning has to do with the order of the security rule . So if you have a pretty wide open security rule at the top of a narrow rule you are shadowing the narrow rule. For example if you have "any-any" rule that allows all the traffic on the top of a "deny-facebook" rule then the face book traffic will be allowes as you are having "any-any" rule that allows anything first. So order does matter.

Thanks,

Sandeep T

View solution in original post


All Replies
Highlighted
L6 Presenter

Re: web-browsing a superset of applications

Kim,

The best way to allow general internet applications and websites without having to add them manually is to use application filters.

This is best way to allow general internet applications when compared to allowing all the traffic or limiting the traffic only to port 80 8080 or 443.

Essentially you will follow these steps.

1) go to objects tab-->application filters.

2) create a new application filter based on your criteria, as you wanted to allow general internet applications select the category as general-internet, sub-category your choice and risk (select the applications with different risk levels).

So this way you will be able to select an application filter that is matching a wide range of applications of your interest. 2.PNG

I have created an application filter named test45.

3) Now use this filter in the security policy in the application tab. Select this application filter (test45) in the policy and for the service tab select application-default, This should be good .

Capture2.PNG

Hope this helps

Thanks,

Sandeep T

Highlighted
L6 Presenter

Re: web-browsing a superset of applications

Q: Restricting traffic to particular ports doesn't allow the PA to do its application signature thing (does it).

A: Incorrect. The application signature works at all time, however what you define in the service column will of course be the first tests to the traffic (if srczone/srcip/dstzone/dstip/service doesnt match the traffic wont be checked for appid). I would strongly recommend you to NEVER set service=any but rather service=application-default or, if possible, set it to the ports you really need. For example TCP22 for appid=ssh (if you run your ssh-server at TCP22 that is).

Q: On the other hand an "any application, on any port" policy seems to be a bit too permissive.

A: Yes and you need to keep that in mind. Depending on protocol it can take two or more packets in each direction before the appid is successfully identified (this is why I strongly recommend anyone to NOT use service=any). One way to limit the effects is if you (as one of the first rules) setup an action=deny for traffic identified as appid=unknown, unknown-tcp, unknown-udp, unknown-p2p.

Q: Are there supersets of applications?

A: Not that im aware of out of the blue (uhh scratch that, you can use application filtering to use supersets of applications since applications are classified into categories, subcategories and risks). When it comes to appid thats one of the tricky things to learn when it comes to a NGFW. In PA case a flow/session can only be identified as one appid at a time (but it can switch appid during its lifetime).

This gives that if you allow only web-browsing (and nothing else) and visit youtube (which has its own appid) - when the appid switches from web-browsing into youtube the traffic will be blocked (unless you allow youtube or an application filter where youtube is included in).

Q: Do web-browsing and ssl include say google and gmail?  If not what do they allow exactly?

A: Se above. The will identify web-browsing which isnt already identified as some other app. Same with ssl. If the traffic is gmail the identified appid will be gmail. But if the traffic is a new ssl based communication which PA currently doesnt have an appid for the result will be that the flow/session is identified as ssl.

Workarounds:

1) Do what Sandeep described. Setup an application filter where webbased applications are included along with appid=web-browsing. If you combine this with an action=deny for unknown traffic then only webbased traffic which the PA can identify will be able to pass through.

2) Another method (if you still want to allow unknown for some reason) is to create an IPS signature that will block traffic if the request doesnt contain http-method=GET||HEAD||POST (or whatever http methods you wish to allow).

Highlighted
Not applicable

Re: web-browsing a superset of applications

Hi,

Both of your answers were great.  I have another question that arose from your answer.  I decided on making a policy that excluded lots of things.  I put it last.

Does the order matter?  I ask this because I get this message when I commit:

VSYS1

    vsys1: Rule 'I2E-cisco-vpn' application dependency warning:

     Application 'ciscovpn' requires 'ike' be allowed, but 'ike' is denied in Rule 'I2E-appfilter'

    vsys1: Rule 'I2E-voip' application dependency warning:

     Application 'google-talk-base' requires 'jabber' be allowed

     Application 'google-talk-base' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'I2E-appfilter'

    Security Policy:

    - Rule 'VPN-Access' shadows rule 'External2VPN'

(Module: device)

Configuration committed successfully
Highlighted
L6 Presenter

Re: web-browsing a superset of applications

Kim,

Yes order of the security profiles matters. As soon as the traffic hits the top policy we will not look for further security policies for that particular traffic. So your order is always important. With regards to the error message your are seeing different error messages. What it means is

    vsys1: Rule 'I2E-cisco-vpn' application dependency warning:    

Application 'ciscovpn' requires 'ike' be allowed, but 'ike' is denied in Rule 'I2E-appfilter'   

vsys1: Rule 'I2E-voip' application dependency warning:    

Application 'google-talk-base' requires 'jabber' be allowed   

  Application 'google-talk-base' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'I2E-appfilter'

This warning is an application dependency warning. If you allow an application say in this case ciscovpn that basically works with the help of other applications (depends) then you have to also allow the dependency application (ike) for the ciscovpn applicaiton to work. So please go ahead add the ike application to the same rule 'I2E-cisco-cpn'  Do the same for other rules.

Security Policy:     - Rule 'VPN-Access' shadows rule 'External2VPN'

This warning has to do with the order of the security rule . So if you have a pretty wide open security rule at the top of a narrow rule you are shadowing the narrow rule. For example if you have "any-any" rule that allows all the traffic on the top of a "deny-facebook" rule then the face book traffic will be allowes as you are having "any-any" rule that allows anything first. So order does matter.

Thanks,

Sandeep T

View solution in original post

Highlighted
L6 Presenter

Re: web-browsing a superset of applications

PA uses top-down first-match (which I prefer over the other method used by freebsd and older allied telesis equipment where a later rule could "win" over a previous rule).

Highlighted
Not applicable

Re: web-browsing a superset of applications

I asked this because the 'I2E-cisco-vpn' rule comes first and is quite narrow, confined to one host.

The rule 'I2E-appfilter' comes near the end, after both the other rules.  So why the error?

Highlighted
L6 Presenter

Re: web-browsing a superset of applications

As i stated in my previous comment the error for 'l2E-cisco-vpn' has nothing to do with the order of the rule. It is related to the application dependencies.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!