11-23-2011 12:36 AM
hi!
digging through the logs of our PA-2020 showed that at some point after Nov 3rd it was not able to recognize youtube as an application any more. since we upgraded from 4.0.7 to 4.1.0 a few days later, I was wondering if you have any idea what might be the cause of this behavior since all other applications seem to be recognized correctly? broken application signatures?
BR, Andrej
11-24-2011 02:07 AM
hi!
I'd say we are running the latest available signatures
Application version 278-1187
Threat version 278-1187
Antivirus version 618-840
URL Filtering version 3745
BR, Andrej
11-28-2011 05:49 PM
I would assume if the application does not show up as youtube it is either detected as web-browsing or ssl. Are you blocking your users from access to youtube and now it is allow access since the application is not detected?
11-29-2011 12:57 PM
hi!
since PA-2050 is deployed in TAP mode, we are actually only monitoring internet traffic. you are indeed correct about application identification: in the URL filtering log access to www.youtube.com/watch?.... is always identified as web-browsing.
BR, Andrej
11-30-2011 07:08 PM
This should be expected behavior. the application in the url logs will be web-browsing. if you go to the traffic logs do you see youtube-base?
11-30-2011 07:20 PM
I just check on another device and you are correct it can be vary on the application for url filtering logs. i was testing on a lab unit but only saw web-browsing.
if you can log a case online we can have our content team look into this.
12-02-2011 12:05 PM
hi!
it turned out that changing the action from "block" to "alert" in the URL filtering profile completely changed the device's ability to detect Youtube. if the option "alert" is used both our PA-2020 and PA-2050 deployed in TAP mode are able to correctly identify Youtube traffic.
br, Andrej
12-02-2011 02:52 PM
@santonic:
the behavior that you describe is expected. Here's a synopsis of the two scenarios you describe:
URL action == block
1. three way handshake
2. first packet after the three-way handshake allows the device to identify application web-browsing
3. packet passed to URL filtering for decision
4. block decision causes session termination. no further identification work required. we will never identify as a child application of web-browsing
URL action == alert|allow
1. three way handshake
2. first packet after the three-way handshake allows the device to identify application web-browsing
3. packet passed to URL filtering for decision
4. alert|allow decision is made
5. packets are inspected to determine if application is a child app of web-browsing (such as you-tube)
12-08-2011 12:38 AM
Makes sense, thanx for the explanation.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
