We have noticed traffic from users connecting to mainframes/midranges is showing as "unknown-tcp" and "insufficient-data" for the following ports:
TCP/449 (Server Mapper)
TCP/8470 (License Management)
TCP/8471 (Database Access)
TCP/8475 (Remote Command)
TCP/8476 (Signon Verification)
TCP/23 is of course being correctly identified as telnet. All of these ports are documented in the following IBM article:
I was surprised to find that PA doesn't have Apps for this popular enterprise application. Is there a chance an AppID series is upcoming for this kind of traffic? We already filed a request at https://www.paloaltonetworks.com/blog/submit-an-application/
Hi @Pnero1991,
I understand your frustration. A search on IBM under Objects > Applications yields 12 results. So, PANW has already identified many IBM apps. It would be nice of them to add 4 more. Thank you for submitting the App-ID request!
If you need something more immediate, this is an excellent overview for custom applications to identify unknown protocols. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-custom-or-unknown-applicati...
Here are the bullet points:
I am curious what L7 inspection you would bypass. AV will not apply to those protocols. AS applies mainly to Command and Control. If the IBM is hacked and reaches out to the Internet, you would not catch it. You could just block outbound access for the IBM. Under Objects > Security Profiles > Vulnerability Protection [edit profile] > Exceptions > check "Show all signatures" > filter by "ibm", I see 201 signatures. Anyway, I digress. The point is that App Override may provide the visibility that you want without much drawback, because I am not sure how much L7 protection is applied to these unknown protocols.
Thank you for your response. No frustration here actually; AppID is performing amazingly as usual, the unknown-tcp just stood out because the PA usually catches everything and this program is used heavily in the environment.
I think we might be able to get away with just 1 new app, I believe the software is called "IBM i Access". According to the article, in most cases it uses only 4 TCP ports.
Re: custom app, I already started developing a custom App and I'm finding many bit strings that are nice and long and shouldn't be too hard on the dataplane. I'm hoping that by setting "unknown-tcp" as parent app that we could get at least the IPS engine working, because in Wireshark I can see some actual SQL queries being embedded in this protocol. But in any case, the biggest benefits will be the visibility and ease of creating policies.
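The two approaches discussed in this thread, a pattern-based custom application with unknown-tcp as its parent versus a port-only App Override, behave differently on the same flows. The following is an added illustration and is not code or data from the original posts, from Palo Alto Networks, or from IBM: it models a custom App-ID signature as a port scope plus an AND of pattern-match conditions on the unknown-req-tcp-payload and unknown-rsp-tcp-payload contexts, and an App Override as a port match alone. The application name "ibm-i-access", the byte patterns and the sample payloads are assumed placeholders standing in for the long bit strings seen in Wireshark, not the real IBM i Access host-server data stream.

```python
"""Toy model of a PAN-OS-style custom App-ID signature next to an App Override.

Constructed illustration only. The app name, the byte patterns and the sample
flows are assumptions for the example, not the real IBM i host-server protocol.
"""
from dataclasses import dataclass

# Host-server ports listed in the thread (TCP/23 telnet is already identified).
IBM_I_PORTS = frozenset({449, 8470, 8471, 8475, 8476})

# Contexts a custom application pattern condition can match on.
REQ_CTX = "unknown-req-tcp-payload"
RSP_CTX = "unknown-rsp-tcp-payload"

# Assumed "magic" byte strings (placeholders, not IBM's real framing).
REQ_MAGIC = bytes.fromhex("deadbeef0001a5a5c0ffee")
RSP_MAGIC = bytes.fromhex("deadbeef0002a5a5c0ffee")


@dataclass(frozen=True)
class Flow:
    dst_port: int
    req_payload: bytes = b""   # first client-to-server payload bytes
    rsp_payload: bytes = b""   # first server-to-client payload bytes


@dataclass(frozen=True)
class Condition:
    context: str
    pattern: bytes

    def __post_init__(self):
        # Mirrors the PAN-OS rule that a custom pattern must be at least 7 bytes:
        # shorter patterns are cheap for the dataplane but match far too much.
        if len(self.pattern) < 7:
            raise ValueError("custom pattern must be at least 7 bytes long")
        if self.context not in (REQ_CTX, RSP_CTX):
            raise ValueError(f"unsupported context {self.context!r}")

    def holds(self, flow: Flow) -> bool:
        haystack = flow.req_payload if self.context == REQ_CTX else flow.rsp_payload
        return self.pattern in haystack


@dataclass(frozen=True)
class CustomApp:
    name: str
    parent: str          # "unknown-tcp" keeps the flow on the normal inspection path
    ports: frozenset     # signature is only evaluated on these ports
    conditions: tuple    # every condition must hold (AND condition)

    def matches(self, flow: Flow) -> bool:
        return flow.dst_port in self.ports and all(c.holds(flow) for c in self.conditions)


# Assumed custom application for the IBM i Access host servers.
IBM_I_ACCESS = CustomApp(
    name="ibm-i-access",          # assumed name
    parent="unknown-tcp",
    ports=IBM_I_PORTS,
    conditions=(Condition(REQ_CTX, REQ_MAGIC), Condition(RSP_CTX, RSP_MAGIC)),
)


def classify_by_signature(flow: Flow, apps=(IBM_I_ACCESS,)) -> str:
    """Pattern-based identification: the payload must actually look like the app."""
    if not flow.req_payload and not flow.rsp_payload:
        return "insufficient-data"        # nothing to inspect yet
    for app in apps:
        if app.matches(flow):
            return app.name
    return "unknown-tcp"


def classify_by_override(flow: Flow, app_name="ibm-i-access", ports=IBM_I_PORTS) -> str:
    """App Override: the port alone decides, with no payload inspection at all."""
    return app_name if flow.dst_port in ports else "unknown-tcp"


# Constructed sample flows (made up for the example).
SAMPLE_FLOWS = {
    "db-access": Flow(8471,
                      REQ_MAGIC + b"SELECT * FROM QSYS2.SYSTABLES",
                      RSP_MAGIC + b"\x00\x10"),
    "http-on-db-port": Flow(8471,
                            b"GET / HTTP/1.1\r\nHost: as400\r\n\r\n",
                            b"HTTP/1.1 200 OK\r\n"),
    "syn-only": Flow(8476),
    "same-bytes-on-telnet-port": Flow(23, REQ_MAGIC, RSP_MAGIC),
}


def compare(flows=SAMPLE_FLOWS):
    """Return {flow name: (signature verdict, override verdict)} for each sample."""
    return {name: (classify_by_signature(f), classify_by_override(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (sig, ovr) in compare().items():
        print(f"{name:28} signature={sig:18} override={ovr}")
```

The second sample is the caveat behind the App Override suggestion: anything that lands on TCP/8471 is labelled as the application whether or not it is the host-server protocol, whereas the signature leaves it as unknown-tcp. The third sample shows where "insufficient-data" comes from: a session with no payload seen yet cannot be matched by a pattern at all, while an override decides on the port the moment the session opens.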