Contact Information
Corporate Headquarters:
For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.
For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com.
App-ID
To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both
an application and web perspective (App-ID and URL Filtering) to protect against a full spectrum of legal,
regulatory, productivity, and resource utilization risks.
App-ID enables visibility into the applications on the network, so you can learn how they work and understand
their behavioral characteristics and their relative risk. This application knowledge allows you to create and
enforce security policy rules to enable, inspect, and shape desired applications and block unwanted applications.
When you define policy rules to allow traffic, App-ID begins to classify traffic without any additional
configuration.
App-ID Overview
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what
an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the
application. It applies multiple classification mechanisms (application signatures, application protocol
decoding, and heuristics) to your network traffic stream to accurately identify applications.
Here's how App-ID identifies applications traversing your network:
Signatures are then applied to allowed traffic to identify the application based on unique application
properties and related transaction characteristics. The signature also determines if the application is being
used on its default port or it is using a non-standard port. If the traffic is allowed by policy, the traffic is then
scanned for threats and further analyzed for identifying the application more granularly.
If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the
session is decrypted and application signatures are applied again on the decrypted flow.
Decoders for known protocols are then used to apply additional context-based signatures to detect other
applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used
across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support
for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
For applications that are particularly evasive and cannot be identified through advanced signature and
protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application, for example
block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
Incomplete data: A handshake took place, but no data packets were sent prior to the timeout.
Insufficient data: A handshake took place followed by one or more data packets; however, not enough data
packets were exchanged to identify the application.
Create security policies to control unknown applications by unknown TCP, unknown UDP or by a
combination of source zone, destination zone, and IP addresses.
Request an App-ID from Palo Alto Networks: If you would like to inspect and control the applications that
traverse your network, for any unknown traffic, you can record a packet capture. If the packet capture reveals
that the application is a commercial application, you can submit this packet capture to Palo Alto Networks
for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an
application override policy.
Create a Custom Application with a signature and attach it to a security policy, or create a custom application
and define an application override policy: A custom application allows you to customize the definition of
the internal application (its characteristics, category and sub-category, risk, port, timeout) and exercise
granular policy control in order to minimize the range of unidentified traffic on your network. Creating a
custom application also allows you to correctly identify the application in the ACC and traffic logs and is
useful in auditing/reporting on the applications on your network. For a custom application you can specify
a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows
or denies the application.
Alternatively, if you would like the firewall to process the custom application using fast path (Layer-4
inspection instead of using App-ID for Layer-7 inspection), you can reference the custom application in an
application override policy rule. An application override with a custom application will prevent the session
from being processed by the App-ID engine, which is a Layer-7 inspection. Instead it forces the firewall to
handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing
time.
For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets
are first identified as web-browsing and then are matched as your custom application (whose parent application
is web-browsing). Because the parent application is web-browsing, the custom application is inspected at
Layer-7 and scanned for content and vulnerabilities.
If you define an application override, the firewall stops processing at Layer-4. The custom application name
is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.
Step 1
Select Device > Dynamic Updates and select Check Now to refresh the list of available content updates.
Step 2
Download the latest Applications and Threats content update. When the content update is downloaded, an
Apps link will appear in the Features column for that content update.
Step 3
Click the Apps link in the Features column to view details on newly-identified applications:
A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall, to the selected
Content Version.
App-ID details that you can use to assess possible impact to policy enforcement include:
Depends on: Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of
the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
Previously Identified As: Lists the App-IDs that matched to the application before the new App-ID was installed to
uniquely identify the application.
App-ID Enabled: All App-IDs display as enabled when a content release is downloaded, unless you choose to
manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual
systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific
virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.
Step 1
Step 2
You can review the policy impact of new content release versions that are downloaded to the firewall. Download
a new content release version, and click the Review Policies in the Action column. The Policy review based
on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a
specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual
System).
Step 3
Select a new App-ID from the Application drop-down to view policy rules that currently enforce the
application. The rules displayed are based on the applications signatures that match to the application before
the new App-ID is installed (view application details to see the list of application signatures that an application
was Previously Identified As before the new App-ID).
Step 4
Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is
installed and enabled to uniquely identify the application.
You can continue to Prepare Policy Updates For Pending App-IDs, or you can directly add the new App-ID to policy
rules that the application was previously matched to by continuing to use the policy review dialog.
In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe-cloud traffic is currently
identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to
show what policy rules will be affected when the new App-ID is installed. In this example, the rule Allow SSL App
currently enforces SSL traffic.
Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to
your existing security requirements when the App-ID is installed.
In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer
identified as SSL traffic, add the new App-ID to the security policy rule Allow SSL App.
The policy rule updates take effect only when the application updates are installed.
Disable or Enable App-IDs.
App-IDs that are included in a downloaded content release version might have an App-ID status
of enabled, but App-IDs are not enforced until the corresponding content release version is
installed.
Step 1
Step 2
Step 3
(Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or
for use across all virtual systems in a multiple virtual system firewall.
Step 4
Add the applications you want in the group and then click OK.
Step 5
Step 1
Step 2
Step 3
(Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or
for use across all virtual systems in a multiple virtual system firewall.
Step 4
Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and
Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the
dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely
enable, click OK.
Step 5
To ensure that your internal custom applications do not show up as unknown traffic, create a custom
application. You can then exercise granular policy control over these applications in order to minimize the range
of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also
allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit/report
on the applications on your network.
To create a custom application, you must define the application attributes: its characteristics, category and
sub-category, risk, port, timeout. In addition, you must define patterns or values that the firewall can use to
match to the traffic flows themselves (the signature). Finally, you can attach the custom application to a security
policy that allows or denies the application (or add it to an application group or match it to an application filter).
You can also create custom applications to identify ephemeral applications with topical interest, such as
ESPN3-Video for world cup soccer or March Madness.
In order to collect the right data to create a custom application signature, you'll need a good
understanding of packet captures and how datagrams are formed. If the signature is created too
broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic
will evade detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this database is not
impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect applications that
may be tunneling inside of the protocol include the following as of content update 424: HTTP,
HTTPS, DNS, FTP, IMAP, SMTP, Telnet, IRC (Internet Relay Chat), Oracle, RTMP, RTSP, SSH,
GNU-Debugger, GIOP (Global Inter-ORB Protocol), Microsoft RPC, Microsoft SMB (also known
as CIFS).
Step 1
Gather information about the application that you will be able to use to write custom signatures. To do this,
you must have an understanding of the application and how you want to control access to it. For example, you
may want to limit what operations users can perform within the application (such as uploading, downloading, or
live streaming). Or you may want to allow the application, but enforce QoS policing.
Capture application packets so that you can find unique characteristics about the application on which to base
your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the
client system to capture the packets between the client and the server. Perform different actions in the
application, such as uploading and downloading, so that you will be able to locate each type of session in the
resulting packet captures (PCAPs).
Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the
client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures
that will uniquely match the application traffic. For example, look for string patterns in HTTP response or
request headers, URI paths, or hostnames. For information on the different string contexts you can use to
create application signatures and where you can find the corresponding values in the packet, refer to Creating
Custom Threat Signatures.
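The breadth trade-off from the note above (a signature defined too broadly catches unrelated traffic, one defined too narrowly misses the application) and the Step 1 advice to look for patterns in HTTP headers, URI paths and hostnames, as an added Python example that is not from the PAN-OS documentation: it extracts those string contexts from constructed sample requests and scores three candidate signatures against them. The context names, the sample requests and the (context, regex) signature format are assumptions for illustration, not the firewall's own.

```python
import re

# Constructed sample HTTP requests (not real captures). Label "myapp" marks the
# internal app being signed; the rest is other traffic the signature must NOT match.
SESSIONS = [
    ("myapp", b"GET /api/v1/upload HTTP/1.1\r\nHost: www.mywebsite.com\r\nUser-Agent: MyApp/2.1\r\n\r\n"),
    ("myapp", b"GET /api/v1/download?id=7 HTTP/1.1\r\nHost: www.mywebsite.com\r\nUser-Agent: MyApp/2.0\r\n\r\n"),
    ("web-browsing", b"GET /index.html HTTP/1.1\r\nHost: www.mywebsite.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("web-browsing", b"POST /api/v1/upload HTTP/1.1\r\nHost: other.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]

def extract_contexts(req):
    """Map one HTTP request to the string contexts a signature can match on. The
    context names only imitate the firewall's own; they are an assumption here."""
    head = req.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    ctx = {"http-req-uri-path": parts[1].split("?", 1)[0] if len(parts) > 1 else ""}
    for line in header_lines:
        name, _, value = line.partition(":")
        ctx["http-req-header-" + name.strip().lower()] = value.strip()
    ctx["http-req-host-header"] = ctx.get("http-req-header-host", "")
    return ctx

def matches(sig, ctx):
    """A signature is a list of (context, regex) conditions that must all match."""
    return all(re.search(pat, ctx.get(name, "")) for name, pat in sig)

def evaluate(sig, sessions=SESSIONS, app="myapp"):
    """Return (hits on the app, false positives on other traffic, app sessions missed)."""
    hit = fp = missed = 0
    for label, raw in sessions:
        m = matches(sig, extract_contexts(raw))
        hit += m and label == app
        fp += m and label != app
        missed += (not m) and label == app
    return hit, fp, missed

CANDIDATES = {
    # Host header alone also matches ordinary browsing to the same site.
    "too-broad": [("http-req-host-header", r"^www\.mywebsite\.com$")],
    # Pinning one path and one client version misses the download session.
    "too-narrow": [("http-req-host-header", r"^www\.mywebsite\.com$"),
                   ("http-req-uri-path", r"^/api/v1/upload$"),
                   ("http-req-header-user-agent", r"^MyApp/2\.1$")],
    # Host + API path prefix + client family matches only the app's own sessions.
    "balanced": [("http-req-host-header", r"^www\.mywebsite\.com$"),
                 ("http-req-uri-path", r"^/api/v1/"),
                 ("http-req-header-user-agent", r"^MyApp/")],
}
```

Running evaluate() over each entry of CANDIDATES reports (hit, false_positive, missed) counts, so a candidate that misses any of the application's own sessions or matches unrelated ones is visible before it is entered on the firewall.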
Step 2
Step 3
On the Advanced tab, define settings that will allow the firewall to
identify the application protocol:
Specify the default ports or protocol that the application uses.
Specify the session timeout values. If you don't specify timeout
values, the default timeout values will be used.
Indicate any type of additional scanning you plan to perform on
the application traffic.
For example, to create a custom TCP-based application that runs
over SSL, but uses port 4443 (instead of the default port for SSL,
443), you would specify the port number. By adding the port number
for a custom application, you can create policy rules that use the
default port for the application rather than opening up additional
ports on the firewall. This improves your security posture.
Step 4
Step 5
Step 6
Application                 Implicitly Supports
360-safeguard-update        http
apple-update                http
apt-get                     http
as2                         http
avg-update                  http
avira-antivir-update        http, ssl
blokus                      rtmp
bugzilla                    http
clubcooee                   http
corba                       http
cubby                       http, ssl
dropbox                     ssl
esignal                     http
evernote                    http, ssl
ezhelp                      http
(missing)                   http, ssl
facebook-chat               jabber
facebook-social-plugin      http
fastviewer                  http, ssl
forticlient-update          http
good-for-enterprise         http, ssl
google-cloud-print          (missing)
google-desktop              http
google-talk                 jabber
google-update               http
gotomypc-desktop-sharing    citrix-jedi
gotomypc-file-transfer      citrix-jedi
gotomypc-printing           citrix-jedi
hipchat                     http
iheartradio                 (missing)
infront                     http
(missing)                   http, ssl
issuu                       http, ssl
java-update                 http
jepptech-updates            http
kerberos                    rpc
kik                         http, ssl
lastpass                    http, ssl
logmein                     http, ssl
mcafee-update               http
megaupload                  http
metatrader                  http
mocha-rdp                   t_120
mount                       rpc
ms-frs                      msrpc
ms-rdp                      t_120
ms-scheduler                msrpc
ms-service-controller       msrpc
nfs                         rpc
oovoo                       http, ssl
paloalto-updates            ssl
panos-global-protect        http
panos-web-interface         http
pastebin                    http
pastebin-posting            http
(missing)                   http, ssl
portmapper                  rpc
prezi                       http, ssl
rdp2tcp                     t_120
renren-im                   jabber
roboform                    http, ssl
salesforce                  http
stumbleupon                 http
supremo                     http
symantec-av-update          http
trendmicro                  http
trillian                    http, ssl
(missing)                   http
(missing)                   http, ssl
xm-radio                    rtsp
The firewall provides IPv6-to-IPv6 Network Prefix Translation (NPTv6) ALG support for the following
protocols: FTP, Oracle, and RTSP. The SIP ALG is not supported for NPTv6 or NAT64.
Step 1
Step 2
Step 3
Select Customize... for ALG in the Options section of the Application dialog box.
Step 4
Select the Disable ALG check box in the Application - sip dialog box and click OK.
Step 5