I was testing custom HTTP-based apps, and in this context I created a custom app based on a signature in the Host field of the HTTP header. The problem is that it functions properly only if I permit the app web-browsing in the same rule. By logging at the beginning and at the end of the session I noticed that when the session starts, the traffic was identified as web-browsing, and then it switches to being identified as the custom app. Also when I don't permit web-browsing, the traffic will be dropped and the firewall is no longer able to identify the custom app. So is it required to permit web-browsing to get this kind of app to work? It is not desirable in my case, so is there any solution to this problem?
Thank you all.
The web-browsing application essentially represents the basic HTTP functionality. It is required in order for the system to further decode and process HTTP requests. Without allowing the traffic to be processed by the HTTP decoder, we cannot look further for other HTTP-based applications. This is why allowing the web-browsing application is a requirement for other HTTP-based applications.
If you can provide some more detail about the policy you are trying to implement, we may be able to come up with a solution through creative rule ordering, src/dst controls or some other combination.
Thank you Mike for your fast response.
In my case, I am trying to create a rule in which I permit only the custom HTTP-based app. The purpose is to use this functionality as the only filtering criterion and to take out the src/dst IP addresses.
The rule will look like this:
src-zone-internet src-add-any dst-zone-intranet dst-add-any custom-app permit
So if we allow the web-browsing app in addition to the custom app, this will allow all HTTP traffic coming from the internet to go through the firewall, and this is not what we try to do.
So if there is any solution to make this work without being compelled to allow web-browsing, that will be great.
Adding URL filtering is one more layer, but you are still not addressing the custom app question. I have a similar scenario in which I would like to allow only a specific app, but it requires web-browsing. Then why even use the specific app in the policy rule?
I understand the reason why web-browsing is needed to further decode to identify the specific app, but when adding the App-IDs in the policy together (which I believe they are OR'd), the web-browsing app overrides the specific app that you want to ONLY allow... meaning it's useless to add a specific app that requires web-browsing in order to work.
Today the best practice is to use URL filtering and Web-app policies together for optimal coverage. As you mentioned - web-browsing is basically the http decoder, so http is a prerequisite for identifying lower-layer apps.
There will be some future enhancements that will allow you to use only the specific app-id's without requiring the web-browsing application.
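The two points made in this thread (the HTTP decoder has to classify the session as web-browsing before a Host-based custom signature can shift it to the custom app, and web-browsing therefore has to be restricted by another layer such as URL filtering) can be modelled in a few lines. The script below is an added illustration written for this page, not code from the firewall vendor, and it is a simplified model rather than the firewall's real implementation: the Host value `portal.example.internal`, the rule names, the `hosts` field (standing in for a URL-category match in the rule) and the sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed Host value that the hypothetical custom App-ID signature matches on.
CUSTOM_APP_HOST = "portal.example.internal"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset                     # App-IDs the rule permits
    action: str                         # "allow" or "deny"
    hosts: Optional[frozenset] = None   # models a URL-category match on Host; None = any host


def parse_host(request: bytes) -> Optional[str]:
    """Return the lower-cased Host header of an HTTP/1.x request, or None if it is not HTTP."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def identify_stages(request: bytes) -> list:
    """App-IDs the session is assigned, in order: the HTTP decoder yields web-browsing
    first, and only then can the Host signature shift the session to custom-app."""
    host = parse_host(request)
    if host is None:
        return ["unknown-tcp"]          # no HTTP request seen, decoder never engages
    stages = ["web-browsing"]
    if host == CUSTOM_APP_HOST:
        stages.append("custom-app")
    return stages


def lookup(rules, src_zone, dst_zone, app, host):
    """First rule matching zones, app and (if set) host wins; no match is an implicit deny."""
    for r in rules:
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        if app not in r.apps:
            continue
        if r.hosts is not None and host not in r.hosts:
            continue
        return r.action, r.name
    return "deny", "implicit-deny"


def evaluate(rules, request, src_zone="internet", dst_zone="intranet"):
    """Re-run the policy lookup on every app shift; the first deny ends the session.
    Returns (verdict, app the session ended as, trace of (app, action, rule))."""
    host = parse_host(request)
    trace = []
    app = None
    for app in identify_stages(request):
        action, name = lookup(rules, src_zone, dst_zone, app, host)
        trace.append((app, action, name))
        if action != "allow":
            return "deny", app, trace
    return "allow", app, trace


# Constructed sample requests: one to the custom app, one to an unrelated site.
REQ_CUSTOM = b"GET / HTTP/1.1\r\nHost: portal.example.internal\r\n\r\n"
REQ_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# The rule from the thread: custom-app only. web-browsing is never allowed, so the
# session is dropped before the decoder ever reaches the Host signature.
CUSTOM_ONLY = [Rule("custom-only", "internet", "intranet",
                    frozenset({"custom-app"}), "allow")]

# Adding web-browsing makes custom-app identifiable, but also admits every other HTTP host.
WITH_WEB = [Rule("custom+web", "internet", "intranet",
                 frozenset({"custom-app", "web-browsing"}), "allow")]

# The layered policy the thread recommends: web-browsing is allowed only for the custom
# app's hosts, modelled here as a URL-category style match on the Host header.
WITH_WEB_AND_CATEGORY = [Rule("custom+web+category", "internet", "intranet",
                              frozenset({"custom-app", "web-browsing"}), "allow",
                              hosts=frozenset({CUSTOM_APP_HOST}))]

if __name__ == "__main__":
    for label, rules in [("custom-only", CUSTOM_ONLY), ("custom+web", WITH_WEB),
                         ("custom+web+category", WITH_WEB_AND_CATEGORY)]:
        for req in (REQ_CUSTOM, REQ_OTHER):
            verdict, app, trace = evaluate(rules, req)
            print(f"{label:22} {parse_host(req) or '-':24} -> {verdict:5} as {app:12} {trace}")
```

Running it shows the three outcomes the thread describes: with `custom-only` even the request to the custom app is denied at the web-browsing stage, with `custom+web` the custom app is identified but `www.example.com` is allowed as plain web-browsing too, and with the host restriction on the rule only the custom app's traffic gets through.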