App-id Matching Process


I'm running PA-VM and created one active rule:

 

From: Inside

To: Outside

Application: Web Basic Application group (ssl,dns,web-browsing,ping)

Service: application-default

Action: Allow

SSL Decryption is disabled

 

PA-Rules.png

 

I'm facing issues browsing to websites with preconfigured App-ids:

Not working:

linkedin/soundcloud/battle.net/docs.google.com (any other website with a specified app-id)

Working:

youtube/google(search-engine)

 

I'm running PA that doesn't have the google-base yet.

 

"During the SSL encrypted session, the firewall receives server "hello packets", which has the certificate details or the server can send a separate certificate packet. The firewall looks for the X.509 digital certificate received from the server and inspects the common name field in the SSL Handshake Protocol."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0

1.)

I ran it in the Lab, and the results were different:

PC ---> TLS Client Hello(server-name=www.linked.com) ---> FW ---> Linkedin (Sent)

Linkedin ---> TLS Server Hello -- FW ----> DROPPED

Application is listed as linkedin-base with action Discard

 

Certificate from Linkedin is not sent until Linkedin receives ACK on the TLS Server Hello,

which I tested on a PC with direct internet access; this contradicts the post from the Palo Alto Knowledge Base.

linkedin-server-certificate.png

 

 

2.)

I tested HTTP & HTTPS to battle.net

 

Note: battle.net is redirected to blizzard.com

 

With HTTP:

- Dropped and classified as battle.net in traffic monitor

- HTTP GET is dropped on the firewall side

- Classified as battle.net App-id

 

With HTTPS:

- Works successfully and is redirected

- Common Name in the certificate provided in Server Certificate is www.battle.net - this should be matched by the app-id engine but is listed as an SSL application

 

My question is, does it use the certificate to match the app-id and/or the HTTP GET?

 

 

How does the actual matching process work, and why doesn't it work the same across the board?

 

Software: 7.0.1

Application Version: 497-2688

 

Thanks guys
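The behaviour observed above (a session labelled linkedin-base on the TLS Client Hello, before any certificate is seen) is illustrated by this added example, which is not from the original post or from Palo Alto Networks: it extracts the server_name (SNI) from a ClientHello record and labels the session with a constructed, hypothetical signature table. `build_client_hello` fabricates a minimal ClientHello so the code runs offline; a session with no SNI, or with a host name no signature covers, falls back to the generic "ssl" label.

```python
import struct
# Constructed lookup standing in for a signature keyed on the SNI host name (illustrative, not a real database).
SNI_SIGNATURES = {"linkedin.com": "linkedin-base", "battle.net": "battle.net"}

def extract_sni(record):               # server_name from a TLS ClientHello record, or None if absent
    try:
        if record[0] != 0x16:          # TLS record content type 0x16 = handshake
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:            # handshake message type 0x01 = ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                   # skip client_version and random
        pos += 1 + hello[pos]          # session_id (1-byte length)
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]          # compression_methods
        if pos + 2 > len(hello):
            return None                # ClientHello carries no extensions at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0:          # server_name extension
                # list length (2), name type (1), name length (2), host name
                name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                return hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):
        pass                           # truncated or malformed: treat as no SNI
    return None

def classify(record):                  # label a session the way an SNI-keyed signature would
    sni = extract_sni(record) or ""
    for suffix, app in SNI_SIGNATURES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return app
    return "ssl"                       # no SNI or no match: generic ssl until more is seen

def build_client_hello(server_name=None):
    # Constructed minimal TLS 1.2 ClientHello: version, random, empty session id, one cipher suite, null compression.
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(name)) + name
        ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```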
