Professional Documents
Culture Documents
Corporate Headquarters:
www.paloaltonetworks.com/company/contact-us
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall.
For additional information, refer to the following resources:
For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.
For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com.
App-ID Overview
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what
an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the
application. It applies multiple classification mechanisms—application signatures, application protocol
decoding, and heuristics—to your network traffic stream to accurately identify applications.
Here's how App-ID identifies applications traversing your network:
Signatures are then applied to allowed traffic to identify the application based on unique application
properties and related transaction characteristics. The signature also determines if the application is being
used on its default port or it is using a non-standard port. If the traffic is allowed by policy, the traffic is then
scanned for threats and further analyzed for identifying the application more granularly.
If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the
session is decrypted and application signatures are applied again on the decrypted flow.
Decoders for known protocols are then used to apply additional context-based signatures to detect other
applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used
across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support
for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
For applications that are particularly evasive and cannot be identified through advanced signature and
protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application, for example—
block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
Incomplete data—A handshake took place, but no data packets were sent prior to the timeout.
Insufficient data—A handshake took place followed by one or more data packets; however, not enough data
packets were exchanged to identify the application.
The following choices are available to handle unknown applications:
Create security policies to control unknown applications by unknown TCP, unknown UDP or by a
combination of source zone, destination zone, and IP addresses.
Request an App-ID from Palo Alto Networks—If you would like to inspect and control the applications that
traverse your network, for any unknown traffic, you can record a packet capture. If the packet capture reveals
that the application is a commercial application, you can submit this packet capture to Palo Alto Networks
for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an
application override policy.
Create a Custom Application with a signature and attach it to a security policy, or create a custom application
and define an application override policy—A custom application allows you to customize the definition of
the internal application—its characteristics, category and sub-category, risk, port, timeout—and exercise
granular policy control in order to minimize the range of unidentified traffic on your network. Creating a
custom application also allows you to correctly identify the application in the ACC and traffic logs and is
useful in auditing/reporting on the applications on your network. For a custom application you can specify
a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows
or denies the application.
Alternatively, if you would like the firewall to process the custom application using fast path (Layer-4
inspection instead of using App-ID for Layer-7 inspection), you can reference the custom application in an
application override policy rule. An application override with a custom application will prevent the session
from being processed by the App-ID engine, which is a Layer-7 inspection. Instead it forces the firewall to
handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing
time.
For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets
are first identified as web-browsing and then are matched as your custom application (whose parent application
is web-browsing). Because the parent application is web-browsing, the custom application is inspected at
Layer-7 and scanned for content and vulnerabilities.
If you define an application override, the firewall stops processing at Layer-4. The custom application name
is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.
Review new App-ID signatures introduced in a Applications and/or Threats content update. For each new
application signature introduced, you can preview the App-ID details, including a description of the application
identified by the App-ID, other existing App-IDs that the new signature is dependent on (such as SSL or
HTTP), and the category the application traffic received before the introduction of the new App-ID (for
example, an application might be classified as web-browsing traffic before a App-ID signature is introduced that
uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review
the App-ID signature impact on existing policy enforcement. When new application signatures are introduced,
the newly-identified application traffic might no longer match to policies that previously enforced the
application. Reviewing the policy impact for new application signatures enables you to identify the policies that
will no longer enforce the application when the new App-ID is installed.
After downloading a new content release version, review the new App-IDs included in the content version and assess the
impact of the new App-IDs on existing policy rules:
Review New App-IDs Since Last Content Version
Review New App-ID Impact on Existing Policy Rules
Review New App-IDs Available Since the Last Installed Content Release Version
Step 1 Select Device > Dynamic Updates and select Check Now to refresh the list of available content updates.
Step 2 Download the latest Applications and Threats content update. When the content update is downloaded, an
Apps link will appear in the Features column for that content update.
Step 3 Click the Apps link in the Features column to view details on newly-identified applications:
A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall, to the selected
Content Version.
App-ID details that you can use to assess possible impact to policy enforcement include:
• Depends on—Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of
the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
• Previously Identified As—Lists the App-IDs that matched to the application before the new App-ID was installed to
uniquely identify the application.
• App-ID Enabled—All App-IDs display as enabled when a content release is downloaded, unless you choose to
manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual
systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific
virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.
Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to
your existing security requirements when the App-ID is installed.
In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer
identified as SSL traffic, add the new App-ID to the security policy rule Allow SSL App.
The policy rule updates take effect only when the application updates are installed.
Next Steps... • Disable or Enable App-IDs.
• Prepare Policy Updates For Pending App-IDs.
Disable new App-IDs included in a content release to immediately benefit from protection against the latest
threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates.
You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically
disable new App-IDs, or disable App-IDs for specific applications.
Policy rules referencing App-IDs only match to and enforce traffic based on enabled App-IDs.
Certain App-IDs cannot be disabled and only allow a status of enabled. App-IDs that cannot be disabled
included some application signatures implicitly used by other App-IDs (such as unknown-tcp). Disabling a base
App-ID could cause App-IDs which depend on the base App-ID to also be disabled. For example, disabling
facebook-base will disable all other Facebook App-IDs.
Disable all App-IDs in a content release or for • To disable all new App-IDs introduced in a content release, select
scheduled content updates. Device > Dynamic Updates and Install an Application and
Threats content release. When prompted, select Disable new
apps in content update. Select the check box to disable apps and
continue installing the content update; this allows you to be
protected against threats, and gives you the option to enable the
apps at a later time.
• On the Device > Dynamic Updates page, select Schedule. Choose
to Disable new apps in content update for downloads and
installations of content releases.
Disable App-IDs for one application or multiple • To quickly disable a single application or multiple applications at
applications at a single time. the same time, click Objects > Applications. Select one or more
application check box and click Disable.
• To review details for a single application, and then disable the
App-ID for that application, select Objects > Applications and
Disable App-ID. You can use this step to disable both pending
App-IDs (where the content release including the App-ID is
downloaded to the firewall but not installed) or installed App-IDs.
Enable App-IDs. Enable App-IDs that you previously disabled by selecting Objects >
Applications. Select one or more application check box and click
Enable or open the details for a specific application and click Enable
App-ID.
You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required
you to install new App-IDs (as part of a content release) and then make necessary policy updates. This allowed
for a period during which the newly-identified application traffic was not enforced, either by existing rules (that
the traffic had matched to before being uniquely identified) or by rules that had yet to be created or modified
to use the new App-ID.
Pending App-IDs can now be added to policy rules to prevent gaps in policy enforcement that could occur during
the period between installing a content release and updating security policy. Pending App-IDs includes App-IDs
that have been manually disabled, or App-IDs that are downloaded to the firewall but not installed. Pending
App-IDs can be used to update policies both before and after installing a new content release. Though they can
be added to policy rules, pending App-IDs are not enforced until the App-IDs are both installed and enabled
on the firewall.
The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled
status:
App-IDs that are included in a downloaded content release version might have an App-ID status
of enabled, but App-IDs are not enforced until the corresponding content release version is
installed.
To install the content release version now and then update To update policies now and then install the content release
policies: version:
Do this to benefit from new threat signatures 1. Select Device > Dynamic Updates and Download the
immediately, while you review new application latest content release version.
signatures and update your policies. 2. Review the Impact of New App-ID Signatures on
1. Select Device > Dynamic Updates and Download the Existing Policy Rules to assess the policy impact of new
latest content release version. App-IDs.
2. Review the Impact of New App-ID Signatures on 3. While reviewing the policy impact for new App-IDs,
Existing Policy Rules to assess the policy impact of new you can use the Policy Review based on candidate
App-IDs. configuration to add a new App-ID to existing policy
rules: .
3. Install the latest content release version. Before the
content release is installed, you are prompted to 4. The new App-ID is added to the existing rules as a
Disable new apps in content update. Select the check disabled App-ID.
box and continue to install the content release. Threat 5. Continue to review the policy impact for all App-IDs
signatures included in the content release will be included in the latest content release version by
installed and effective, while new or updated App-IDs selecting App-IDs in the Applications drop-down.
are disabled. Add the new App-IDs to existing policies as needed.
4. Select Policies and update Security, QoS, and Policy Click OK to save your changes.
Based Forwarding rules to match to and enforce the 6. Install the latest content release version.
now uniquely identified application traffic, using the 7. Commit your changes to seamlessly update policy
pending App-IDs. enforcement for new App-IDs.
5. Select Objects > Applications and select one or
multiple disabled App-IDs and click Enable.
6. Commit your changes to seamlessly update policy
enforcement for new App-IDs.
An application group is an object that contains applications that you want to treat similarly in policy. Application
groups are useful for enabling access to applications that you explicitly sanction for use within your
organization. Grouping sanctioned applications simplifies administration of your rulebases.: instead of having
to update individual policy rules when there is a change in the applications you support, you can instead update
only the affected application groups.
When deciding how to group applications, consider how you plan to enforce access to your sanctioned
applications and create an application group that aligns with each of your policy goals. For example, you might
have some applications that you will only allow your IT administrators to access, and other applications that you
want to make available for any known user in your organization. In this case, you would create separate
application groups for each of these policy goals. Although you generally want to enable access to applications
on the default port only, you may want to group applications that are an exception to this and enforce access to
those applications in a separate rule.
Step 3 (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or
for use across all virtual systems in a multiple virtual system firewall.
Step 4 Add the applications you want in the group and then click OK.
An application filter is an object that dynamically groups applications based on application attributes that you
define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want
to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to
access. For example, you may want to enable employees to choose their own office programs (such as Evernote,
Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could
create an application filter that matches on the Category business-systems and the Subcategory office-programs.
As new applications office programs emerge and new App-IDs get created, these new applications will
automatically match the filter you defined; you will not have to make any additional changes to your policy
rulebase to safely enable any application that matches the attributes you defined for the filter.
Step 3 (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or
for use across all virtual systems in a multiple virtual system firewall.
Step 4 Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and
Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the
dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely
enable, click OK.
To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only
applications that are typically classified as unknown traffic—tcp, udp or non-syn-tcp—in the ACC and the
Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom
applications on your network, or potential threats.
If you are seeing unknown traffic for a commercial application that does not yet have an App-ID,
you can submit a request for a new App-ID here:
http://researchcenter.paloaltonetworks.com/submit-an-application/.
To ensure that your internal custom applications do not show up as unknown traffic, create a custom
application. You can then exercise granular policy control over these applications in order to minimize the range
of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also
allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit/report
on the applications on your network.
To create a custom application, you must define the application attributes: its characteristics, category and
sub-category, risk, port, timeout. In addition, you must define patterns or values that the firewall can use to
match to the traffic flows themselves (the signature). Finally, you can attach the custom application to a security
policy that allows or denies the application (or add it to an application group or match it to an application filter).
You can also create custom applications to identify ephemeral applications with topical interest, such as
ESPN3-Video for world cup soccer or March Madness.
In order to collect the right data to create a custom application signature, you'll need a good
understanding of packet captures and how datagrams are formed. If the signature is created too
broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic
will evade detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this database is not
impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect applications that
may be tunneling inside of the protocol include the following as of content update 424: HTTP,
HTTPS, DNS, FTP, IMAP SMTP, Telnet, IRC (Internet Relay Chat), Oracle, RTMP, RTSP, SSH,
GNU-Debugger, GIOP (Global Inter-ORB Protocol), Microsoft RPC, Microsoft SMB (also known
as CIFS).
The following is a basic example of how to create a custom application.
Step 1 Gather information about the application • Capture application packets so that you can find unique
that you will be able to use to write characteristics about the application on which to base your custom
custom signatures. application signature. One way to do this is to run a protocol
analyzer, such as Wireshark, on the client system to capture the
To do this, you must have an
packets between the client and the server. Perform different
understanding of the application and how
actions in the application, such as uploading and downloading, so
you want to control access to it. For
that you will be able to locate each type of session in the resulting
example, you may want to limit what
packet captures (PCAPs).
operations users can perform within the
application (such as uploading, • Because the firewall by default takes packet captures for all
downloading, or live streaming). Or you unknown traffic, if the firewall is between the client and the server
may want to allow the application, but you can view the packet capture for the unknown traffic directly
enforce QoS policing. from the Traffic log.
• Use the packet captures to find patterns or values in the packet
contexts that you can use to create signatures that will uniquely
match the application traffic. For example, look for string patterns
in HTTP response or request headers, URI paths, or hostnames.
For information on the different string contexts you can use to
create application signatures and where you can find the
corresponding values in the packet, refer to Creating Custom
Threat Signatures.
Step 2 Add the custom application. 1. Select Objects > Applications and click Add.
2. On the Configuration tab, enter a Name and a Description for
the custom application that will help other administrators
understand why you created the application.
3. (Optional) Select Shared to create the object in a shared
location for access as a shared object in Panorama or for use
across all virtual systems in a multiple virtual system firewall.
4. Define the application Properties and Characteristics.
Step 3 Define details about the application, such On the Advanced tab, define settings that will allow the firewall to
as the underlying protocol, the port identify the application protocol:
number the application runs on, the • Specify the default ports or protocol that the application uses.
timeout values, and any types of scanning
you want to be able to perform on the • Specify the session timeout values. If you don’t specify timeout
traffic. values, the default timeout values will be used.
• Indicate any type of additional scanning you plan to perform on
the application traffic.
For example, to create a custom TCP-based application that runs
over SSL, but uses port 4443 (instead of the default port for SSL,
443), you would specify the port number. By adding the port number
for a custom application, you can create policy rules that use the
default port for the application rather than opening up additional
ports on the firewall. This improves your security posture.
Step 4 Define the criteria that the firewall will 1. On the Signatures tab, click Add and define a Signature Name
use to match the traffic to the new and optionally a Comment to provide information about how
application. you intend to use this signature.
You will use the information you gathered 2. Specify the Scope of the signature: whether it matches to a full
from the packet captures to specify Session or a single Transaction.
unique string context values that the 3. Specify conditions to define signatures by clicking Add And
firewall can use to match patterns in the Condition or Add Or Condition.
application traffic. 4. Select an Operator to define the type of match conditions you
will use: Pattern Match or Equal To.
• If you selected Pattern Match, select the Context and then
use a regular expression to define the Pattern to match the
selected context. Optionally, click Add to define a
qualifier/value pair. The Qualifier list is specific to the
Context you chose.
• If you selected Equal To, select the Context and then use a
regular expression to define the Position of the bytes in the
packet header to use match the selected context. Choose
from first-4bytes or second-4bytes. Define the 4-byte hex
value for the Mask (for example, 0xffffff00) and Value (for
example, 0xaabbccdd).
For example, if you are creating a custom application for one of
your internal applications, you could use the
ssl-rsp-certificate Context to define a pattern match for the
certificate response message of a SSL negotiation from the
server and create a Pattern to match the commonName of the
server in the message as shown here:
Step 5 Save the application. 1. Click OK to save the custom application definition.
2. Click Commit.
Step 6 Validate that traffic matches the custom 1. Select Policies > Security and Add a security policy rule to
application as expected. allow the new application.
2. Run the application from a client system that is between the
firewall and the application and then check the Traffic logs
(Monitor > Traffic) to make sure that you see traffic matching
the new application (and that it is being handled per your policy
rule).
360-safeguard-update http
apple-update http
apt-get http
as2 http
avg-update http
blokus rtmp
bugzilla http
clubcooee http
corba http
dropbox ssl
esignal http
ezhelp http
facebook-chat jabber
facebook-social-plugin http
forticlient-update http
google-desktop http
google-talk jabber
google-update http
gotomypc-desktop-sharing citrix-jedi
gotomypc-file-transfer citrix-jedi
gotomypc-printing citrix-jedi
hipchat http
infront http
java-update http
jepptech-updates http
kerberos rpc
mcafee-update http
megaupload http
metatrader http
mocha-rdp t_120
mount rpc
ms-frs msrpc
ms-rdp t_120
ms-scheduler msrpc
ms-service-controller msrpc
nfs rpc
paloalto-updates ssl
panos-global-protect http
panos-web-interface http
pastebin http
pastebin-posting http
portmapper rpc
rdp2tcp t_120
renren-im jabber
salesforce http
stumbleupon http
supremo http
symantec-av-update http
trendmicro http
twitter http
xm-radio rtsp
When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs
NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on
the SIP applications in use in your environment, the SIP endpoints have NAT intelligence
embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to
prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID
determines that a session is SIP, the payload is not translated and dynamic pinholes are not
opened. See Disable the SIP Application-level Gateway (ALG).
The firewall provides IPv6-to-IPv6 Network Prefix Translation (NPTv6) ALG support for the following
protocols: FTP, Oracle, and RTSP. The SIP ALG is not supported for NPTv6 or NAT64.
Step 3 Select Customize... for ALG in the Options section of the Application dialog box.
Step 4 Select the Disable ALG check box in the Application - sip dialog box and click OK.
Step 5 Close the Application dialog box and Commit the change.