Application ID (App-ID)
• Application identification (App-ID) overview
• Using App-ID in a Security policy
• Identifying unknown application traffic
• Migrating to an App-ID-based Security policy
• Updating App-ID
EDU-210 Version A
PAN-OS® 9.0
Agenda
After you complete this module, you should be able to:
[Diagram: traffic flow through the firewall. Traffic → Decrypt? (Yes/No) → Inspection (Content-ID) → Enforcement (Security policy? Security Profiles) → Forward (re-encrypt if decrypted)]
Updating App-ID
What Is an Application?
• An application is a specific program or feature whose communication can be labeled, monitored, and controlled.
• Examples: Gmail, Google Hangouts, Google Calendar, Microsoft SQL, Skype, BitTorrent.
[Diagram: port-based firewall versus App-ID firewall, both with port 53 open]
• Port-based firewall: packet on port 53 → allow. DNS on port 53 is allowed, but BitTorrent on port 53 is allowed too. Visibility: "port 53 allowed" only.
• App-ID firewall: DNS = DNS → allow; BitTorrent ≠ DNS → deny. Visibility: BitTorrent detected and blocked.
7 | © 2019 Palo Alto Networks, Inc.
Zero-Day Malware: IPS Versus App-ID
[Diagram: BitTorrent traffic and zero-day C2 traffic shown against an IPS and against App-ID, with allowed (✔) and blocked (✗) outcomes per panel]
[Diagram: example of an HTTP web request inside a TCP packet; the application data (the GET after the TCP ACK) is what App-ID inspects]
[Diagram: App-ID identification flow. Check Security policy (app=any) → Traffic allowed? → Known protocol decoder → Check application signature → Check Security policy]
Application Shifts
• Network traffic can shift from one application to another during a session.
[Diagram: Joe (192.168.15.22, Zone: Inside) to 74.125.224.64 (Zone: Outside), destination port TCP 80, http://login.microsoftonline.com. 1. HTTP GET = web-browsing. 2. Request specifically Office on Demand.]
• Application dependency example: facebook-base implicitly allows web-browsing and SSL.
Application Filter:
• Dynamic grouping of applications
• Created by selecting filters in the App-ID database
• Used to simplify Security, QoS, and PBF policy rulebases
Application Group:
• Static, administrator-defined sets of applications
[Diagram: Application Filter and Application Group objects referenced from the Application column of a Security policy rule (Policies > Security)]
Unknown Network Traffic
[Diagram: Allowed network traffic → Identifiable by App-ID? Yes → ftp, smtp, web-browsing, etc. (check the Traffic log). No (unidentifiable by App-ID) → HTTP detected? Yes → web-browsing; No → unknown-tcp / unknown-udp]
Iterative process:
• Create rules to allow or block applications known to be traversing the firewall
• Create a temporary rule to detect unidentified applications traversing the firewall
• As applications are identified, create specific rules to allow or block them
Policy Optimizer
Option 2 of 3:
• Firewall replaces port-based rule with application-based rule.
• Moves selected applications to a new rule.
• Lists and prompts for required application dependencies.
• Riskier method because some required applications could be inadvertently missed.
1. Select application(s).
2. Click Add to Rule.
Follow-up:
• After 60 days, review the Policy Optimizer columns in the Security policy.
• Look for port-based rules with zero hits.
• Disable port-based rules that have not matched to any new traffic.
• Disabled rules are rendered in gray italic font.
• Tag rules that must be removed later (optional).
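The two review steps above (finding where unknown-tcp/unknown-udp traffic goes under the temporary rule, and finding port-based rules that no longer match anything) are both questions you answer from a Traffic log export. The script below is an added example written for this page; it is not part of the EDU-210 material or any Palo Alto Networks tool. The log rows, rule names and addresses are constructed, and the column names (`rule`, `app`, `src`, `dst`, `dport`, `action`) are an assumed CSV layout rather than the firewall's exact export format. It also covers the port 53 slide: listing every application App-ID saw on a given port shows why "port 53 allowed" is not the same as "DNS allowed".

```python
"""Triage a Traffic log export during an App-ID migration (added example).

Three helpers, matching three points on the page:
  * apps_on_port()        - which applications were really seen on a port
  * summarize_unknown()   - where unknown-tcp / unknown-udp sessions go
  * zero_hit_port_rules() - port-based rules (application = any) with no hits
"""
from collections import Counter
import csv
import io

# Constructed sample export; addresses and rule names are invented.
TRAFFIC_LOG_CSV = """rule,app,src,dst,dport,action
allow-web,web-browsing,192.168.15.22,74.125.224.64,80,allow
allow-web,ssl,192.168.15.22,74.125.224.64,443,allow
allow-dns,dns,192.168.15.22,8.8.8.8,53,allow
allow-dns,bittorrent,192.168.15.23,203.0.113.10,53,deny
catch-unknown,unknown-tcp,192.168.15.40,198.51.100.7,8443,allow
catch-unknown,unknown-tcp,192.168.15.41,198.51.100.7,8443,allow
catch-unknown,unknown-udp,192.168.15.42,198.51.100.9,5000,allow
allow-web,web-browsing,192.168.15.50,74.125.224.64,80,allow
"""

# Constructed rulebase. A rule whose application column is "any" is a
# port-based rule, the kind Policy Optimizer is meant to retire.
RULES = [
    {"name": "allow-web", "application": "web-browsing,ssl"},
    {"name": "allow-dns", "application": "dns"},
    {"name": "catch-unknown", "application": "any"},   # temporary detect rule
    {"name": "legacy-tcp-8080", "application": "any"},
    {"name": "legacy-udp-any", "application": "any"},
]

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}


def parse_log(text):
    """Parse the CSV export into a list of dict rows (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def apps_on_port(rows, dport):
    """Set of App-IDs observed on a destination port, regardless of action."""
    return {r["app"] for r in rows if r["dport"] == str(dport)}


def summarize_unknown(rows):
    """Count unknown-tcp/unknown-udp sessions per (app, dst, dport).

    Busiest unidentified flow first; each entry is a candidate for a custom
    App-ID or a specific allow/deny rule in the next iteration.
    """
    counts = Counter(
        (r["app"], r["dst"], r["dport"]) for r in rows if r["app"] in UNKNOWN_APPS
    )
    return dict(counts.most_common())


def zero_hit_port_rules(rows, rules=RULES):
    """Names of port-based rules (application = any) that matched no session."""
    hits = Counter(r["rule"] for r in rows)
    return [
        rule["name"]
        for rule in rules
        if rule["application"] == "any" and hits[rule["name"]] == 0
    ]


if __name__ == "__main__":
    log = parse_log(TRAFFIC_LOG_CSV)
    print("apps seen on port 53:", sorted(apps_on_port(log, 53)))
    for key, n in summarize_unknown(log).items():
        print("unidentified:", key, "sessions:", n)
    print("port-based rules with zero hits:", zero_hit_port_rules(log))
```

In the sample data the review surfaces two hosts talking unknown-tcp to the same server on 8443, which is exactly the kind of flow the iterative process says to identify and then write a specific rule for, and two legacy port-based rules with no hits that are safe to disable (and tag for later removal). On a real firewall the 60-day window matters: a rule with zero hits over a short export may simply cover a monthly job.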
Dynamic Content Updates: App-ID
[Diagram: Palo Alto Networks App-ID DB publishes new_app to the firewall; App-ID updates are monthly]
Choices:
• Scheduled download only
• Scheduled download and install
• Manual download and install
Device > Dynamic Updates: click to schedule updates. If the option is selected, new application signatures are disabled.
• Review Apps for list of modified applications and details for each application
• Review Policies to see policy rules that may enforce traffic differently
• If necessary, modify for your environment.
[Application details view: risk rating (determined from the application's characteristics); new data for software-as-a-service applications]
Q & A
App-ID Lab (Pages 65-89 in the Lab Guide)
• Load a firewall lab configuration
• Create an application-based firewall rule
• Enable the Application Block Page
• View the Traffic log for application information