Module 8 - App ID

Question 2

What is an application

Answer 2

Specific program whose communication can be labeled, monitored and controlled

Question 3

How are applications identified via a firewall?

Answer 3

Application signatures, decryption, protocol decoding and heuristics, unknown traffic

Question 4

How does App-ID identify TCP traffic?

Answer 4

It will assign an application label like gmail-base.

Question 5

How many labels will App-ID assign an application using TCP?

Answer 5

5

Question 6

What are the 5?

Answer 6

Not-applicable, incomplete, insufficient-data, unknown-tcp, or unknown-p2p

Question 7

What does not-applicable mean?

Answer 7

Security policy does not allow it, traffic discarded

Question 8

What does incomplete mean?

Answer 8

3 way TCP handshake does not complete, or when handshake completes, but no data follows.

Question 9

What does insufficient-data mean?

Answer 9

Not enough data is received in the payload to identify an application.

Question 10

What does unknown-tcp mean?

Answer 10

3 way TCP handshake completes, and data is flowing, but App-ID cannot identify the app

Question 11

What does unknown-p2p mean?

Answer 11

App-ID cannot match traffic to a specific application, but the traffic exhibits generic peer-to-peer behavior

Question 12

How about UDP?

Answer 12

Often Palo Alto needs only the first packet to examine a single UDP packet to identify the app.

Question 13

What are the three classifying UDP traffic

Answer 13

Not-applicable, unknown-udp or unknown-p2p

Question 14

What is not-applicable

Answer 14

Firewall discards the traffic, security policy will not allow it

Question 15

what is unknown-udp

Answer 15

App-ID cannot identify the app

Question 16

What is known-p2p

Answer 16

App-ID cannot match the UDP traffic to a specific app

Question 17

What happens if network traffic shifts from one application to another during a session?

Answer 17

App-ID cannot identify traffic from only a TCP SYN packet. Even after the three-way handshake, the firewall could report the traffic as insufficient-data UNLESS it detects HTTP GET, App-ID can initially report web-browsing, and further classify the traffic …. generic-app-base to generic-app-chat.

Question 18

Are applications dependent on other applications?

Answer 18

Yes, network traffic can shift from one application to another during a session.

Question 19

If applications shift to another during a session, how is a firewall supposed to pick that up?

Answer 19

Dependencies - ensure the firewall allows the other applications on which the application depends.

Question 20

What is an example of a dependancy applicaiton?

Answer 20

Office on demand, depends on ms-office365-base, sharepoint applications, and ssl.

Question 21

Do applications implicitly used parent groups, etc

Answer 21

Yes, if you search under object - applications, type in the application. It will say either depends on and implicitly uses:

Question 22

What is an application group?

Answer 22

Unlike the dynamic list of applications in a filter, you can create an app group which is static, and can be added to multiple rules. Requires a commit.

Question 23

What are application filters, how does that differ from application group?

Answer 23

An app filter is an object that dynamically groups applications based on app attribute that you select from the App-ID database.

Question 24

What are the app filter selectable attributes?

Answer 24

Category, Subcategory, Risk, Tags and characterisitc

Question 25

What are predefined and Custom application tags?

Answer 25

Palo Alto assigns one or more tags to applications in App-ID - as part of the normal Threats content updates

Question 26

What is important to know about App-ID, what does it accomplish?

Answer 26

Reduces the attack surface. Only permitted apps are allowed to traverse the network.

Question 27

The firewall has three methods for identifying unknown traffic - what are they?

Answer 27

unknown-udp, unknown-tcp, uknown-p2p, web browsing

Question 28

How do we control unknown applications

Answer 28

1. Block all 2. Use a packet capture to identify unique patterns in the app. Next create a custom app signature to match the bit pattern and name the new custom app. Creating a custom application. 3. Application Override policy rule

Question 29

Traffic that is encrypted with SSL - does that use different ports when encrypted?

Answer 29

Yes, with encrypted ssl, traffic can use different secure ports instead of standard ports.

Question 30

With PAN-OS 9.0, will policy rules allow applications on standard and secure ports with SSL?

Answer 30

Yes! The application-default setting has been extended to allow certain SSL-encrypted app’s on their defaul SSL secure ports.

Question 31

What about non-standard ports?

Answer 31

Malicious traffic uses non-standard apps.

Question 32

What is the app-default used for?

Answer 32

Blocks applications not running on standard ports. Under service tab

Question 33

What are the three options for the service column?

Answer 33

Application-default, any, and select.

Question 34

Can App-ID use signatures and decoders to identify applications in encrypted traffic?

Answer 34

No, but it relies on 2 things. 1 Common Name field in a cert (FQDN of the server or its IP) 2. TLS protocol extension named (multiple websites share an IP address)

Question 35

Do all websites have their own FQDN and IP address?

Answer 35

No, it is not practical, many web servers host multiple websites. Therefore the CN field of a certificate cannot be used to identify the application, because many web-based applications share a FQDN and IP address.

Question 36

What happens if the firewall cannot identify traffic using the CN field or the SNI field in the TLS handshake?

Answer 36

Traffic is identified as SSL

Question 37

When migrating port based rules to App-ID based rules, what changes?

Answer 37

Add appropriate application based rules, it improves security posture to an existing legacy rules.

Question 38

How many phases for bringing legacy port-based rules over to PAN-OS.

Answer 38

3

Question 39

What happens in phase 2?

Answer 39

After 30 days of logging traffic for only port-based rules, you now begin to add application based rules

Question 40

What happens in phase 1?

Answer 40

Policy Optimizer provides sorting option to help you prioritize rules

Question 41

What happens in Phase 3?

Answer 41

Final cleanup - review traffic logs and security policy rules to determine if traffic is matching legacy port-based rules. You remove al legacy rules here.

Question 42

Will content-ID work, if App-ID cannot identify the traffic?

Answer 42

No

Question 43

What are the three traffic types that App-ID labels as uknown?

Answer 43

Malware, internally developed apps, or commercially available apps

Question 44

Do App-ID and Content-ID depend on Content Updates?

Answer 44

Yes!

Question 45

When is the earliest you can use new application signatures when downloading from Applications and threats?

Answer 45

Commit operation required

Question 46

How about threat signatures, is a commit required?

Answer 46

No, ready immediately.