Please Release App-IDs for IBM AS400 user traffic


Hi,

We have noticed traffic from users connecting to mainframes/midranges is showing as "unknown-tcp" and "insufficient-data" for the following ports:

TCP/449 (Server Mapper)
TCP/8470 (License Management)
TCP/8471 (Database Access)
TCP/8475 (Remote Command)
TCP/8476 (Signon Verification)

TCP/23 is of course being correctly identified as telnet. All of these ports are documented in the following IBM article:

https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions

I was surprised to find that PA doesn't have Apps for this popular enterprise application. Is there a chance an App-ID series is upcoming for this kind of traffic? We already filed a request at https://www.paloaltonetworks.com/blog/submit-an-application/

Cheers

Hi @Pnero1991,

I understand your frustration. A search on IBM under Objects > Applications yields 12 results. So, PANW has already identified many IBM apps. It would be nice of them to add 4 more. Thank you for submitting the App-ID request!

If you need something more immediate, this is an excellent overview for custom applications to identify unknown protocols: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-custom-or-unknown-applicati...

Here are the bullet points:

  • Creating a custom app with a signature (a regex over the packet capture that uniquely identifies the app) and the correct parent application will allow you to identify the app with L7 inspection.
  • Creating a custom app with Application Override is much easier because the app in your case can be identified by destination IP and L4 port. However, it will bypass L7 inspection. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0 I don't know if the NGFW does L7 inspection on unknown apps anyway. So, you may not miss anything by going this route.

I am curious what L7 inspection you would bypass. AV will not apply to those protocols. AS applies mainly to Command and Control. If the IBM is hacked and reaches out to the Internet, you would not catch it. You could just block outbound access for the IBM. Under Objects > Security Profiles > Vulnerability Protection > [edit profile] > Exceptions > check "Show all signatures" > filter by "ibm", I see 201 signatures. Anyway, I digress. The point is that App Override may provide the visibility that you want without much drawback because I am not sure how much L7 protection is applied to these unknown protocols.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

Thank you for your response. No frustration here actually, AppID is performing amazingly as usual; the unknown-tcp just stood out because the PA usually catches everything and this program is used heavily in the environment.

I think we might be able to get away with just 1 new app, I believe the software is called "IBM i Access". According to the article, in most cases it uses only 4 TCP ports.

Re: custom app, I already started developing a custom App and I'm finding many bit strings that are nice and long and shouldn't be too hard on the dataplane. I'm hoping that by setting "unknown-tcp" as parent app we could get at least the IPS engine working, because in Wireshark I can see some actual SQL queries being embedded in this protocol. But in any case, the biggest benefits will be the visibility and ease of creating policies.

Cheers
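A way to sanity-check candidate custom App-ID signature patterns offline before committing them to the dataplane, covering both Tom's bullet on signature-based custom apps and the "nice and long bit strings" mentioned in the reply above. This is an added example; it is not code from this thread, from Palo Alto Networks, or from IBM. It takes a set of first-payload samples, translates each candidate pattern into a regex, and reports which patterns hit every sample of the target protocol and none of the others. Everything specific here is assumed: the sample payloads are constructed for illustration and are not real IBM i Access datastreams (the header layout is invented), and the pattern syntax (hex runs written between two "\x" delimiters) and the 7-byte minimum pattern length are recalled from the PAN-OS custom-signature rules, so check them against the PAN-OS documentation for your release before relying on them.

```python
"""Offline validator for candidate custom App-ID signature patterns.

Added example, not code from the original thread, Palo Alto Networks or IBM.
Assumptions (all labelled): PAN-OS pattern syntax is literal text with hex
runs between two backslash-x delimiters, and patterns must be >= 7 bytes.
Sample flows are CONSTRUCTED and are not real IBM i Access traffic.
"""
import re
from typing import Dict, List, Tuple

# Assumed PAN-OS constraint (from memory; verify in the PAN-OS admin guide).
MIN_PATTERN_BYTES = 7

# Constructed sample flows: (name, is_target_protocol, first payload bytes).
# The 4-byte "length" field at offset 0 varies per message; the bytes at
# offset 4..10 are constant in the target samples. This layout is invented.
FLOWS: List[Tuple[str, bool, bytes]] = [
    ("ibmi_dbaccess_A (constructed)", True,
     b"\x00\x00\x00\x28\x00\x00\xe0\x04\x00\x00\x00\x01\x00\x00\x00\x07"
     b"SELECT * FROM QSYS2.SYSTABLES"),
    ("ibmi_dbaccess_B (constructed)", True,
     b"\x00\x00\x00\x19\x00\x00\xe0\x04\x00\x00\x00\x02\x00\x00\x00\x08"
     b"INSERT INTO T VALUES(1)"),
    ("http_post (constructed)", False,
     b"POST /q HTTP/1.1\r\nHost: x\r\n\r\nq=SELECT * FROM users"),
    ("tls_clienthello (constructed)", False,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(range(32))),
]

# Matches one hex run in the assumed pattern syntax, e.g. \x00 00 e0 04\x
_HEX_RUN = re.compile(r'(\\x[0-9a-fA-F ]+\\x)')


def pan_pattern_to_regex(pattern: str) -> Tuple[re.Pattern, int]:
    """Translate a pattern in the assumed PAN-OS syntax into a bytes regex.

    Returns (compiled regex, number of bytes the pattern covers). Literal
    text is matched byte-for-byte; hex runs become the raw bytes they spell.
    """
    parts: List[bytes] = []
    nbytes = 0
    for piece in _HEX_RUN.split(pattern):
        if not piece:
            continue
        if piece.startswith('\\x') and piece.endswith('\\x'):
            raw = bytes.fromhex(piece[2:-2].replace(' ', ''))
        else:
            raw = piece.encode('latin-1')
        parts.append(re.escape(raw))
        nbytes += len(raw)
    return re.compile(b''.join(parts), re.DOTALL), nbytes


def evaluate_pattern(pattern: str, flows=FLOWS) -> Dict[str, object]:
    """Run one candidate pattern over every sample flow.

    A pattern is "usable" only if it is long enough, hits every target
    sample, and hits no non-target sample.
    """
    rx, nbytes = pan_pattern_to_regex(pattern)
    hits = [name for name, _, payload in flows if rx.search(payload)]
    missed = [name for name, is_t, payload in flows
              if is_t and not rx.search(payload)]
    false_pos = [name for name, is_t, payload in flows
                 if not is_t and rx.search(payload)]
    too_short = nbytes < MIN_PATTERN_BYTES
    return {
        "pattern": pattern,
        "bytes": nbytes,
        "too_short": too_short,
        "hits": hits,
        "missed_targets": missed,
        "false_positives": false_pos,
        "usable": not too_short and not missed and not false_pos,
    }


# Candidate patterns a practitioner might pull out of a Wireshark capture.
CANDIDATES = [
    r"\x00 00 e0 04\x",              # constant bytes, but only 4 of them
    r"\x00 00 00 28 00 00 e0 04\x",  # drags in the length field: too specific
    r"\x00 00 e0 04 00 00 00\x",     # 7 constant bytes after the length field
    "SELECT ",                       # 7 bytes of SQL text; appears in HTTP too
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        r = evaluate_pattern(cand)
        print(f"{cand!r:34} bytes={r['bytes']:2} usable={r['usable']} "
              f"missed={r['missed_targets']} fp={r['false_positives']}")
```

The four candidates show the usual failure modes: the first is long-constant but shorter than the assumed minimum; the second includes the varying length field, so it only matches one message size; the fourth is long enough but also turns up in an ordinary HTTP POST body, which is exactly the kind of collision that makes a custom signature fire on the wrong traffic; only the third matches every target sample and nothing else. Feed the script real first-payload bytes exported from your own capture (and a few non-target flows from the same environment) before creating the signature object.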
