Module 8 - App ID Flashcards
What is an application?
A specific program or protocol whose network communication the firewall can label, monitor and control by name rather than by port.
How does the firewall identify applications?
App-ID uses four techniques: application signatures, SSL/SSH decryption, application protocol decoding, and heuristics. Traffic that none of them can classify is reported with an unknown label (see below).
What does App-ID assign when it identifies TCP traffic?
A specific application name, for example gmail-base.
How many labels can App-ID assign to TCP traffic it cannot identify as a specific application?
5
What are the 5?
Not-applicable, incomplete, insufficient-data, unknown-tcp, or unknown-p2p
What does not-applicable mean?
The firewall received data but discarded it because security policy does not allow it (for example the port or service is blocked), so no application identification took place.
What does incomplete mean?
The three-way TCP handshake does not complete, or it completes but no data follows.
What does insufficient-data mean?
Not enough data is received in the payload to identify an application.
What does unknown-tcp mean?
The three-way TCP handshake completes and data is flowing, but App-ID cannot identify the application.
What does unknown-p2p mean?
App-ID cannot match traffic to a specific application, but the traffic exhibits generic peer-to-peer behavior
How does App-ID handle UDP?
There is no handshake, so App-ID often needs only a single UDP packet (the first one) to identify the application.
What are the three labels for UDP traffic that App-ID cannot identify as a specific application?
Not-applicable, unknown-udp or unknown-p2p
What does not-applicable mean for UDP?
The firewall discards the traffic because security policy does not allow it.
What does unknown-udp mean?
Data is flowing but App-ID cannot identify the application.
What does unknown-p2p mean for UDP?
App-ID cannot match the UDP traffic to a specific application, but it exhibits generic peer-to-peer behavior.
Can the application label change during a session?
Yes. App-ID cannot identify traffic from only a TCP SYN packet. Even after the three-way handshake the firewall may report insufficient-data until enough payload arrives. Once it detects an HTTP GET, App-ID can initially report web-browsing and then, as more data is decoded, reclassify the session to a more specific application, for example from generic-app-base to generic-app-chat.
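The progressive labelling described in the answer above (incomplete, then web-browsing, then a more specific application as more payload is decoded, or insufficient-data and unknown-tcp when nothing matches), as an added example that is not Palo Alto code. The signature table, the HTTP check and the byte threshold are assumptions made for illustration, not App-ID's real signatures or limits, and the sample sessions are constructed rather than captured.

```python
"""Toy, progressive App-ID style labelling of one TCP session.

Added example, not Palo Alto code.  The signature table, the HTTP request
check and MIN_BYTES_TO_DECIDE are assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field

# Assumed threshold: with fewer payload bytes than this and no match we say
# insufficient-data rather than unknown-tcp.
MIN_BYTES_TO_DECIDE = 32

# Assumed signature table, most specific first.  Names mirror the page's
# placeholders (generic-app-base -> generic-app-chat).
SIGNATURES = [
    ("generic-app-chat", b"/chat/"),
    ("generic-app-base", b"Host: generic-app.example"),
]

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")


@dataclass
class Session:
    handshake_done: bool = False
    payload: bytes = b""
    labels: list = field(default_factory=list)  # label history, consecutive duplicates dropped

    def observe(self, event: str, data: bytes = b"") -> str:
        """Feed one event (SYN, SYN-ACK, ACK, DATA) and return the current label."""
        if event == "ACK":
            self.handshake_done = True      # third packet of the handshake
        elif event == "DATA":
            self.payload += data
        label = classify(self)
        if not self.labels or self.labels[-1] != label:
            self.labels.append(label)
        return label


def classify(s: Session) -> str:
    # Handshake never completed, or completed with no data: incomplete.
    if not s.handshake_done or not s.payload:
        return "incomplete"
    # Specific signatures win over the generic HTTP decode.
    for name, pattern in SIGNATURES:
        if pattern in s.payload:
            return name
    # A well-formed HTTP request line is enough for web-browsing.
    for line in s.payload.split(b"\r\n"):
        if HTTP_REQUEST_LINE.match(line):
            return "web-browsing"
    # Data is flowing but nothing matched yet.
    if len(s.payload) < MIN_BYTES_TO_DECIDE:
        return "insufficient-data"
    return "unknown-tcp"


def run_session(events) -> list:
    """Replay (event, data) pairs and return the label history."""
    s = Session()
    for event, data in events:
        s.observe(event, data)
    return s.labels


# Constructed sample sessions (not captured traffic).
HTTP_SESSION = [
    ("SYN", b""), ("SYN-ACK", b""), ("ACK", b""),
    ("DATA", b"GET / HTTP/1.1\r\n"),
    ("DATA", b"Host: generic-app.example\r\n\r\n"),
    ("DATA", b"GET /chat/send HTTP/1.1\r\nHost: generic-app.example\r\n\r\n"),
]
BINARY_SESSION = [
    ("SYN", b""), ("SYN-ACK", b""), ("ACK", b""),
    ("DATA", b"\x00\x01\x02"),
    ("DATA", bytes(range(40))),
]
HALF_OPEN_SESSION = [("SYN", b"")]

if __name__ == "__main__":
    print(run_session(HTTP_SESSION))       # incomplete -> web-browsing -> generic-app-base -> generic-app-chat
    print(run_session(BINARY_SESSION))     # incomplete -> insufficient-data -> unknown-tcp
    print(run_session(HALF_OPEN_SESSION))  # incomplete
```

The point to notice is that a rule written for web-browsing only matches the session while that is the current label; once the session is reclassified to generic-app-chat, policy for that more specific application applies, which is why dependent applications must also be allowed.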
Are applications dependent on other applications?
Yes. Many applications run on top of others (for example an application carried inside a web session), which is also why traffic can shift from one application to another during a session.
If an application depends on others, what must the security policy do?
Allow the dependencies: the rule must also allow the applications the application depends on (listed as "Depends on" in the application's details). Applications listed as "Implicitly uses" are allowed automatically and do not need their own rule.
What is an example of a dependent application?
Office on Demand depends on ms-office365-base, the SharePoint applications, and ssl.
Where do you see what an application depends on or implicitly uses?
Under Objects > Applications, search for the application and open its details; the entry lists "Depends on" and "Implicitly uses".
What is an application group?
A static, named list of applications that you define and can reference in multiple policy rules. Unlike an application filter it does not change on its own; adding or removing members is a configuration change that requires a commit.
What are application filters, how does that differ from application group?
An application filter is an object that dynamically groups applications based on attributes you select from the App-ID database; new applications delivered by content updates that match those attributes join the filter automatically.
What are the app filter selectable attributes?
Category, Subcategory, Technology, Risk, Tags and Characteristic
What are predefined and custom application tags?
Predefined tags are assigned by Palo Alto Networks to applications in App-ID as part of the regular Applications and Threats content updates; custom tags are ones you create and apply yourself. Both can be used as a filter attribute.
What is important to know about App-ID, what does it accomplish?
Reduces the attack surface: only the applications you explicitly permit are allowed to traverse the network, regardless of the port they use.
What labels does the firewall use for traffic it cannot identify?
unknown-tcp, unknown-udp and unknown-p2p (web-browsing is a known application, not an unknown label).
How do you control unknown applications?
1. Block all unknown traffic (unknown-tcp, unknown-udp, unknown-p2p) in security policy. 2. Take a packet capture to identify a unique pattern in the application's traffic, then create a custom application with a custom signature that matches that pattern and name the new custom app. 3. Create an Application Override policy rule that labels traffic on a given zone pair and port as a custom application; this bypasses App-ID inspection (and the threat inspection that depends on it) for that traffic, so use it sparingly.
Does SSL-encrypted traffic use the same ports as the unencrypted application?
Not necessarily: an application encrypted with SSL often uses a different, secure port instead of its standard port (for example HTTP on tcp/80 versus HTTPS on tcp/443).
With PAN-OS 9.0, do application-default rules allow an application on both its standard and its secure SSL port?
Yes. The application-default setting was extended so that certain SSL-encrypted applications are also allowed on their default secure ports.
What about non-standard ports?
Malicious and evasive traffic often runs applications on non-standard ports to slip past port-based rules.
What is application-default used for?
It allows an application only on its standard (default) ports and blocks it on non-standard ports. It is set in the Service column on the rule's Service/URL Category tab.
What are the three options for the service column?
Application-default, any, and select.
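The three Service settings above (application-default, any, select), as an added example that is not Palo Alto code. It evaluates a small rulebase top-down, first match wins, with an implicit deny at the end, and shows why application-default blocks an application on a non-standard port while still admitting the secure port of an SSL-encrypted application (the PAN-OS 9.0 behaviour mentioned above). The default-port and secure-port tables, the rule names and the implicit-deny name are assumptions for illustration, not the App-ID database values.

```python
"""Service-column semantics in a Security policy rule: application-default, any, select.

Added example, not Palo Alto code.  DEFAULT_PORTS, SECURE_PORTS and RULES are
constructed for illustration; check the App-ID database for real port values.
"""
from dataclasses import dataclass
from typing import Set, Union

# Assumed standard ports (illustrative only).
DEFAULT_PORTS = {
    "web-browsing": {"tcp/80"},
    "ssl": {"tcp/443"},
    "imap": {"tcp/143"},
}
# Assumed secure ports that application-default also accepts for an application
# when the session is SSL-encrypted.
SECURE_PORTS = {
    "imap": {"tcp/993"},
}

ANY = "any"
APPLICATION_DEFAULT = "application-default"


@dataclass
class Rule:
    name: str
    apps: Set[str]                    # {"any"} or specific application names
    service: Union[str, Set[str]]     # APPLICATION_DEFAULT, ANY, or a select set of ports
    action: str                       # "allow" or "deny"


def app_default_ports(app: str, encrypted: bool) -> Set[str]:
    """Ports application-default accepts for this application."""
    ports = set(DEFAULT_PORTS.get(app, ()))
    if encrypted:
        ports |= SECURE_PORTS.get(app, set())
    return ports


def service_matches(rule: Rule, app: str, port: str, encrypted: bool) -> bool:
    if rule.service == ANY:
        return True                          # any port at all
    if rule.service == APPLICATION_DEFAULT:
        return port in app_default_ports(app, encrypted)
    return port in rule.service              # select: explicit port list


def evaluate(rules, app: str, port: str, encrypted: bool = False):
    """Return (rule_name, action) of the first matching rule, else the implicit deny."""
    for rule in rules:
        if (ANY in rule.apps or app in rule.apps) and service_matches(rule, app, port, encrypted):
            return rule.name, rule.action
    return "interzone-default", "deny"       # assumed name for the implicit deny


# Constructed rulebase (illustrative).
RULES = [
    Rule("allow-web", {"web-browsing", "ssl"}, APPLICATION_DEFAULT, "allow"),
    Rule("allow-mail", {"imap"}, APPLICATION_DEFAULT, "allow"),
    Rule("allow-legacy-app", {"web-browsing"}, {"tcp/8081"}, "allow"),
    Rule("block-unknown", {"unknown-tcp", "unknown-udp", "unknown-p2p"}, ANY, "deny"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "web-browsing", "tcp/80"))             # allow-web
    print(evaluate(RULES, "web-browsing", "tcp/8080"))           # implicit deny: non-standard port
    print(evaluate(RULES, "web-browsing", "tcp/8081"))           # allow-legacy-app via select
    print(evaluate(RULES, "imap", "tcp/993", encrypted=True))    # allow-mail via secure port
    print(evaluate(RULES, "imap", "tcp/993"))                    # implicit deny: not encrypted
    print(evaluate(RULES, "unknown-tcp", "tcp/4444"))            # block-unknown
```

The select case is the one to watch in a migration: a rule such as allow-legacy-app pins web-browsing to one extra port, which is the intended exception, whereas a service of any would admit the application on every port and give up the non-standard-port protection application-default provides.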
Can App-ID use signatures and decoders to identify applications in encrypted traffic?
Not on the encrypted payload itself (only after decryption). Without decryption it relies on two cleartext fields: 1. the Common Name (CN) in the server certificate (the server's FQDN or IP address); 2. the Server Name Indication (SNI) extension in the TLS Client Hello, which names the site the client wants and is what lets multiple websites share one IP address.
Do all websites have their own FQDN and IP address?
No. That is not practical, and many web servers host multiple websites on one address. The certificate CN alone therefore often cannot identify the application, because many web-based applications share an FQDN and IP address; this is where SNI helps.
What happens if the firewall cannot identify the traffic using the CN field or the SNI field in the TLS handshake?
The traffic is identified only as the generic application ssl.
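The SNI-then-CN-then-ssl fallback described above, as an added example that is not Palo Alto code: a parser that pulls the host_name out of a TLS ClientHello's server_name extension, skipping other extensions and refusing truncated input, plus a small hostname-to-application map. The map, the hostnames and the ClientHello builder are constructed for illustration and are not App-ID's data. One caveat a practitioner should keep in mind: SNI is a cleartext claim made by the client and is not verified, so it is a hint for classification, not proof of what the server is.

```python
"""Identifying SSL/TLS sessions without decryption: SNI, then certificate CN, else "ssl".

Added example, not Palo Alto code.  APP_BY_NAME and build_client_hello() are
constructed sample data; extract_sni() is a minimal parser for the
server_name extension of a ClientHello record.
"""
import struct

# Assumed hostname -> application map (illustrative only).
APP_BY_NAME = {
    "chat.generic-app.example": "generic-app-chat",
    "www.generic-app.example": "generic-app-base",
}


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    None is returned for non-handshake records, non-ClientHello messages,
    ClientHellos without the extension, and truncated or malformed input.
    """
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:    # truncated, or not ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                # client_version + random
        pos += 1 + body[pos]                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                        # compression_methods
        if pos + 2 > len(body):                     # legacy client, no extensions
            return None
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:                     # skip everything but server_name
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = edata[q]
                name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + name_len]
                if len(name) != name_len:
                    return None                     # list cut short
                if name_type == 0:                  # host_name
                    return name.decode("ascii")
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def identify(record: bytes, cert_cn: str = None) -> str:
    """SNI first, then the server certificate CN, else the generic label ssl."""
    for name in (extract_sni(record), cert_cn):
        if name in APP_BY_NAME:
            return APP_BY_NAME[name]
    return "ssl"


def build_client_hello(server_name: str = None) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (sample input)."""
    # A non-SNI extension first (supported_versions, 0x002b) so the parser
    # has to skip over it before reaching server_name.
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                              # version + random
            + b"\x00"                                            # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"         # two cipher suites
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(identify(build_client_hello("chat.generic-app.example")))                 # generic-app-chat
    print(identify(build_client_hello(None), cert_cn="www.generic-app.example"))    # generic-app-base
    print(identify(build_client_hello("other.example")))                            # ssl
```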
When migrating port-based rules to App-ID based rules, what changes?
You add application-based rules alongside the existing legacy rules, which improves the security posture of the existing rulebase without breaking it.
How many phases does the recommended migration of legacy port-based rules to App-ID based rules have?
3
What happens in phase 1?
Policy Optimizer identifies the port-based rules (those with no application specified) and provides sorting options to help you prioritize which rules to convert first.
What happens in phase 2?
After about 30 days of logging the traffic that matched only the port-based rules, you begin adding application-based rules above them based on the applications seen.
What happens in phase 3?
Final cleanup: review the traffic logs and security policy rules to determine whether any traffic still matches the legacy port-based rules. Once nothing does, you remove all legacy rules.
Will content-ID work, if App-ID cannot identify the traffic?
No. Content-ID's protocol decoders are selected by the application App-ID identifies, so unidentified traffic is not fully inspected.
What are the three typical sources of traffic that App-ID labels as unknown?
Malware, internally developed applications, and commercially available applications that do not yet have a signature.
Do App-ID and Content-ID depend on content updates?
Yes: new and updated application signatures and threat signatures are delivered through the Applications and Threats content updates.
When are newly downloaded application signatures usable after installing an Applications and Threats update?
Only after a commit.
Do new threat signatures also require a commit?
No, they are effective immediately after installation.