02-24-2010 08:11 AM
Hello,
I was testing custom HTTP-based apps, and in this context I created a custom app based on a signature in the Host field of the HTTP header. The problem is that it functions properly only if I permit the app web-browsing in the same rule. By logging at the beginning and at the end of the session I noticed that when the session starts, the traffic is identified as web-browsing, and then it switches to being identified as the custom app. Also, when I don't permit web-browsing, the traffic is dropped and the firewall is no longer able to identify the custom app. So is it required to permit web-browsing to get this kind of app to work? It is not desirable in my case, so is there any solution to this problem?
Thank you all.
02-24-2010 08:29 AM
The web-browsing application essentially represents the basic HTTP functionality. It is required in order for the system to further decode and process HTTP requests. Without allowing the traffic to be processed by the HTTP decoder, we cannot look further for other HTTP-based applications. This is why allowing the web-browsing application is a requirement for other HTTP-based applications.
If you can provide some more detail about the policy you are trying to implement, we may be able to come up with a solution through creative rule ordering, src/dst controls or some other combination.
Mike
02-24-2010 08:47 AM
Thank you Mike for your fast response.
In my case, I am trying to create a rule in which I permit only the custom HTTP-based app. The purpose is to use this functionality as the only filtering criterion and to take out the src/dst IP addresses.
The rule will look like this:
src-zone-internet src-add-any dst-zone-intranet dst-add-any custom-app permit
So if we allow the web-browsing app in addition to the custom app, this will allow all HTTP traffic coming from the internet to go through the firewall, and this is not what we are trying to do.
So if there is any solution to make this work without being compelled to allow web-browsing, that would be great.
02-24-2010 10:05 AM
You might try adding a URL filtering profile to that security policy rule that only allows access to that web server or domain so the web-browsing application doesn't allow access to other URLs.
Kelly
02-25-2010 01:32 AM
Thanks for your answers.
We'll try this today. We'll post the result.
I had a dream... a firewall without any IP rules.
01-14-2011 12:19 PM
Adding URL filtering is one more layer, but you are still not addressing the custom app question. I have a similar scenario in which I would like to allow only a specific app, but it requires web-browsing. Then why even use the specific app in the policy rule?
I understand the reason why web-browsing is needed to further decode to identify the specific app, but when adding the App-IDs in the policy together (which I believe are OR'd), the web-browsing app overrides the specific app that you want to ONLY allow... meaning it's useless to add a specific app that requires web-browsing in order to work.
01-14-2011 12:34 PM
Today the best practice is to use URL filtering and Web-app policies together for optimal coverage. As you mentioned - web-browsing is basically the http decoder, so http is a prerequisite for identifying lower-layer apps.
There will be some future enhancements that will allow you to use only the specific app-id's without requiring the web-browsing application.
Cheers,
Kelly
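A simplified model of the behaviour discussed in the posts above, added here as an illustration; it is not part of any post and is not PAN-OS code. The host names, rule names and the staged-identification logic are assumptions made for the example.

```python
# Simplified model of the rule behaviour described in this thread; not PAN-OS code.
from dataclasses import dataclass

CUSTOM_HOST = "app.example.internal"   # constructed Host-header signature


@dataclass
class Rule:
    allowed_apps: frozenset            # App-IDs listed in one rule are OR'd
    url_allow: frozenset = None        # None = no URL filtering profile attached


def identify_stages(host):
    """App labels a session passes through as the HTTP decoder sees more data."""
    stages = ["web-browsing"]          # first label once HTTP is recognised
    if host == CUSTOM_HOST:
        stages.append("custom-app")    # shift after the Host signature matches
    return stages


def evaluate(rule, host):
    """Return (verdict, last_app) for one HTTP session under a single allow rule."""
    app = None
    for app in identify_stages(host):
        if app not in rule.allowed_apps:
            return "deny", app         # dropped as soon as a stage is not allowed
    if rule.url_allow is not None and host not in rule.url_allow:
        return "block-url", app        # URL filtering narrows what web-browsing lets in
    return "allow", app


def run_matrix():
    both = frozenset({"custom-app", "web-browsing"})
    rules = {
        "custom-only": Rule(frozenset({"custom-app"})),
        "custom+web": Rule(both),
        "custom+web+url": Rule(both, frozenset({CUSTOM_HOST})),
    }
    hosts = [CUSTOM_HOST, "other.example.net"]   # constructed sample sessions
    return {(n, h): evaluate(r, h) for n, r in rules.items() for h in hosts}


if __name__ == "__main__":
    for (name, host), (verdict, app) in run_matrix().items():
        print(f"{name:15} {host:22} -> {verdict:9} (last app: {app})")
```

The "custom-only" rows show why the session is dropped before the custom app can be identified, and the "custom+web" row for the other host shows the over-permissive result that the URL filtering allow list then closes.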
11-15-2011 12:17 AM
Any progress on these enhancements? Have you targeted a specific release milestone?
11-15-2011 06:07 PM
@SklKT:
If you wish to discuss product roadmaps and the expected release date for new features you will need to talk to your sales team.
This forum is not the proper venue for this sort of discussion.
Thank you,
Benjamin
11-16-2011 07:47 AM
+1. Would be nice to have AND - OR qualifiers.
Also, not everyone subscribes to the URL filtering service. AFAIK, there is not yet a generic URL filtering methodology (user controlled only without subscription requirement).
11-16-2011 07:49 AM
If our wants are not expressed in an open forum, then this is not a democracy ;)
11-16-2011 07:53 PM
Who said this was a democracy?
You can use URL filtering for custom, user defined categories without a URL filtering subscription to the categorization database.
Cheers,
Kelly
11-16-2011 11:20 PM
I'm sorry, I did not know these kinds of questions were unwanted in the forums. However, I never asked for release dates.