Create a Custom Application Signature

1. Research the application using packet capture and/or analyzer tools.
   • You should understand how you’d like to control the application before all else. Do you want to limit application functionality? Create a usage report? You’ll want to examine the contents of packet captures to gather context and identify unique characteristics of the application.

     Consider using a tool such as Wireshark or perform a packet capture on the firewall itself Take a Packet Capture for Unknown Applications.
   1. Perform multiple packet captures between the client system and web server.
      Generate traffic for various application scenarios once you have launched the capture tool. For example, if you wanted to create a signature for ‘uploading’ on uploading.com, you would upload a file on that site.

      Multiple sessions might be created for the different actions performed in the application. You will need to locate and inspect each type of session in the resulting packet captures.
   2. Inspect packet captures for values or patterns that uniquely identify the application or application function.
      For example, after you uploaded a file to uploading.com, you would look for HTTP POST request packets in the sessions captured by your packet analyzer tool. Then, you would examine the packet contents for patterns.

2. Create the custom application.
   1. Select ObjectsApplications and click Add.
   2. Under Configuration, enter a name and optional description for the application. Specify the application’s Properties and Characteristics.
      • If your custom application has no Parent App that can be identified by regular App-ID or is used in an application override, the application cannot be scanned for threats.
      • If the custom application has scanning options unchecked, the threat engine will stop inspecting the traffic as soon as the custom application is identified.

   3. Under Advanced, define settings that will allow the firewall to identify the application protocol:
      • Specify the default ports or protocol that the application uses. To specify signatures independent of protocol, select None.
      • Specify the session timeout values. If you don’t specify timeout values, the default timeout values will be used.
      • Indicate any type of additional scanning you plan to perform on the application traffic.

3. Define your signature.
   Multiple signatures may be necessary to account for all traffic specific to the application.
   1. Under Signatures, click Add and enter a Signature Name and optional description.
   2. Specify the Scope—Select between Transaction (e.g. HTTP request and response) or Session (e.g. a single POST request).
   3. Specify the matching conditions by clicking Add And Condition or Add Or Condition.
   4. Select an Operator to define the conditions that must be true for a signature to match traffic.
      • If you select Pattern Match, select a Context and then use a regular expression to specify the Pattern. Optionally, Add a qualifier/value pair.

      • Qualifiers are context-dependent and limit the match condition for the given context. For example, you might use the http-method qualifier to specify that a http-req-uri-path only matters if it is found inside an HTTP GET method.

      • If you select Equal To, Less Than, or Greater Than, select an integer Context, and enter a Value.
   5. Repeat sub-steps 3 and 4 for each matching condition.
      If you leave Ordered Condition Match selected, make sure the condition or group of conditions is in the desired order. The most specific conditions should come first. To order the conditions: Select a condition or a group and click Move Up or Move Down.

      You cannot move conditions from one group to another.
4. Save the custom signature.
   1. Click OK to save your signature definition.
   2. Commit your signature.
5. Test your custom signature.