What application will be blocked by App ID


L1 Bithead
We want to block video streaming, TeamViewer, LogMeIn, YouTube, etc. based on App-ID. We don't have a URL filtering license.

L4 Transporter

There are a couple of ways to do this:

1. Go to https://applipedia.paloaltonetworks.com/ and search for the applications that you know you want to block.

2. Set up a test machine and create a security rule with the test machine as source, placed at the very top of the rule set, to allow outbound, and have a deny-all-outbound rule for the test machine after the allow-outbound rule. Enable logging and review the traffic log after each application that you are interested in blocking (make sure you close the application or end the streaming first); you should see the specific App-ID identified in the traffic log. Create another deny rule and place it above the allow rule to deny those specific App-IDs. Repeat until you get them all.

Since you did not specify which video streaming services/applications, that could be tricky because some services could show up as http-video or SSL (encrypted); you will need to test and be a detective for a while. If you want to block video streaming that uses SSL, you will need to enable SSH decryption; you may want to search the technotes for how to do that, and get the URL license as well, since you may not want to decrypt SSL sessions going to health care, banking sites, etc.

Have fun,
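The "test machine" procedure above boils down to reading the traffic log for sessions from one source host and collecting the App-IDs it produced. The following script is an added example, not code from the thread or from Palo Alto Networks: it parses constructed log lines in the shape of a PAN-OS traffic-log CSV export (only a few columns are kept; a real export has many more, and the app names used for the sample rows are assumed), lists the App-IDs seen from the test host, and strips out a baseline of apps every host needs so that the generic `ssl` sessions the reply warns about are not swept into the deny list by mistake.

```python
"""Triage a traffic log from a test host to find App-IDs to deny.

Added example. SAMPLE_LOG is constructed to resemble a PAN-OS traffic-log
CSV export with a reduced column set; the hosts, timestamps and app names
are assumed values, not a real capture.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample log: the test host is 10.0.0.50, hitting the top
# "test-allow-out" rule; 10.0.0.77 is an unrelated host on another rule.
SAMPLE_LOG = """receive_time,src,dst,app,rule,action,bytes
2024/01/01 10:00:01,10.0.0.50,142.250.72.14,youtube-base,test-allow-out,allow,18200
2024/01/01 10:00:02,10.0.0.50,142.250.72.14,http-video,test-allow-out,allow,5120000
2024/01/01 10:00:05,10.0.0.50,188.172.223.5,teamviewer-base,test-allow-out,allow,9100
2024/01/01 10:00:07,10.0.0.50,8.8.8.8,dns,test-allow-out,allow,312
2024/01/01 10:00:09,10.0.0.50,142.250.72.14,ssl,test-allow-out,allow,4400
2024/01/01 10:00:11,10.0.0.77,142.250.72.14,youtube-base,default-allow,allow,2100
2024/01/01 10:00:14,10.0.0.50,1.2.3.4,web-browsing,test-allow-out,allow,800
"""

# Apps every host legitimately needs. Undecrypted sessions that App-ID could
# not classify further show up as plain "ssl"; denying that outright would
# break far more than streaming, so it stays in the baseline.
BASELINE_APPS = {"dns", "ssl", "web-browsing", "ping", "ntp"}


def apps_seen_from(log_text, test_host, rule=None):
    """Return a Counter of app -> session count for sessions from test_host.

    If rule is given, only sessions matched by that rule are counted, which
    mirrors looking at the log filtered on the temporary allow rule.
    """
    counts = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if row["src"] != test_host:
            continue
        if rule is not None and row["rule"] != rule:
            continue
        counts[row["app"]] += 1
    return counts


def candidate_deny_apps(log_text, test_host, rule=None):
    """Apps observed from the test host, minus the baseline, sorted by name."""
    seen = apps_seen_from(log_text, test_host, rule)
    return sorted(app for app in seen if app not in BASELINE_APPS)


def deny_rule_cli(apps, rule_name="deny-streaming-apps"):
    """Render a configure-mode CLI line for a deny rule covering the apps.

    The 'set rulebase security rules ...' form is assumed from PAN-OS set
    commands; review the generated line against your PAN-OS version.
    """
    app_list = " ".join(apps)
    return (
        f"set rulebase security rules {rule_name} from any to any "
        f"source any destination any application [ {app_list} ] "
        f"service application-default action deny"
    )


if __name__ == "__main__":
    for app, n in apps_seen_from(SAMPLE_LOG, "10.0.0.50", "test-allow-out").items():
        print(f"{app:20s} {n} session(s)")
    to_deny = candidate_deny_apps(SAMPLE_LOG, "10.0.0.50", "test-allow-out")
    print("candidate deny list:", to_deny)
    print(deny_rule_cli(to_deny))
```

Note that `http-video` survives in the candidate list: it is a generic App-ID that other sites also trigger, which is exactly the "be a detective for a while" caveat in the reply. Decide per app whether it is specific enough to deny.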


For the most part, App-ID should be sufficient even without SSL decryption since the built-in app definitions use multiple vectors to detect what's being accessed. The easiest approach is just to attempt to do what you wish to block and verify the app is properly detected in the traffic log, and then add those apps to a blacklist policy.

If that's not enough, you can also block by domain, keeping in mind that many apps source from multiple domains.

But I do agree that SSL decryption would be a difficult jump to make without a URL license, as banking and healthcare are at least two of the categories you likely don't want to mess with, and there may be even more to worry about in Europe.

We want to block YouTube streaming.

We want to block YouTube streaming via Palo Alto. We created the custom URL category "testing" and entered the site "*.youtube.com" (with quotation marks). We selected the testing category in the decryption policy with action "Decrypt" and type SSL Forward Proxy. We created the security policy src: any, destination: any, and deny youtube-base. But we can still view streaming in Chrome and Firefox.

Have you tried an application filter to block video apps?

[attachment: application filter.png]

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

For this we require a decryption policy, right? As per my knowledge, desktop-based applications will be blocked without SSL decryption, and for browser-based applications using HTTPS we must use a decryption policy.

Another thing I want to know: if I don't have a URL filtering license, will I still get logs of which URLs an application, for example Google Drive, goes to?

As I mentioned earlier, while it may sound counterintuitive, Palo Alto App-ID is able to identify some apps even when SSL is not decrypted. Obviously it can't inspect traffic, but it can use other environmental aspects to help categorize traffic. PA won't disclose all the attributes App-ID uses, but obviously if someone is going to youtube.com, they're likely using the youtube-base app.

You can witness this yourself in the PA traffic logs.

For any encrypted traffic that's not getting decrypted (and also as the primary means of categorizing before encryption can take place), App-ID will use the SNI (Server Name Indication), which is included in the SSL handshake, to identify the application.

So as long as your browser supports SNI, you should be getting fairly accurate App-ID.

In case the browser does not support SNI, App-ID will try to identify the app based on the certificate CN, but this may not be as accurate, as YouTube uses *.google.com (hence App-ID would be google-base).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization