Defining Applications
Select Objects > Applications and Add a new custom application for the firewall to evaluate when applying policies.

| New Application Settings | Description |
|---|---|
| Configuration Tab | |
| Name | Enter the application name (up to 31 characters). This name appears in the applications list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, periods, hyphens, and underscores. The first character must be a letter. |
| Shared | Select this option if you want the application to be available to: |
| Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this application object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object. |
| Description | Enter a description of the application for general reference (up to 255 characters). |
| Category | Select the application category, such as email or database. The category is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC). |
| Subcategory | Select the application subcategory, such as email or database. The subcategory is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC). |
| Technology | Select the technology for the application. By default, the Technology column is not displayed; select Show Technology Column to choose technologies to add to your application filter. |
| Parent App | Specify a parent application for this application. This setting applies when a session matches both the parent and the custom application; the custom application is reported because it is more specific. |
| Risk | Select the risk level associated with this application (1 = lowest to 5 = highest). |
| Characteristics | Select the application characteristics that may place the application at risk. For a description of each characteristic, refer to Characteristics. |
| Advanced Tab | |
| Port | If the protocol used by the application is TCP and/or UDP, select Port and enter one or more combinations of the protocol and port number (one entry per line). The general format is `<protocol>/<port>`, where `<port>` is a single port number, or `dynamic` for dynamic port assignment. Examples: `TCP/dynamic` or `UDP/32`. This setting applies when using application-default in the Service column of a Security rule. |
| IP Protocol | To specify an IP protocol other than TCP or UDP, select IP Protocol and enter the protocol number (1 to 255). |
| ICMP Type | To specify an Internet Control Message Protocol version 4 (ICMP) type, select ICMP Type and enter the type number (range is 0-255). |
| ICMP6 Type | To specify an Internet Control Message Protocol version 6 (ICMPv6) type, select ICMP6 Type and enter the type number (range is 0-255). |
| None | To specify signatures independent of protocol, select None. |
| Timeout | Enter the number of seconds before an idle application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used. This value is used for protocols other than TCP and UDP in all cases, and for TCP and UDP flows when the TCP Timeout and UDP Timeout are not specified. |
| TCP Timeout | Enter the number of seconds before an idle TCP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used. |
| UDP Timeout | Enter the number of seconds before an idle UDP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used. |
| TCP Half Closed | Enter the maximum length of time that a session remains in the session table between receiving the first FIN and receiving the second FIN or RST. If the timer expires, the session is closed. Default: if this timer is not configured at the application level, the global setting is used (range is 1-604800 seconds). If this value is configured at the application level, it overrides the global TCP Half Closed setting. |
| TCP Time Wait | Enter the maximum length of time that a session remains in the session table after receiving the second FIN or a RST. If the timer expires, the session is closed. Default: if this timer is not configured at the application level, the global setting is used (range is 1-600 seconds). If this value is configured at the application level, it overrides the global TCP Time Wait setting. |
| Scanning | Select the scanning types that you want to allow based on Security Profiles (file types, data patterns, and viruses). |
| Signatures Tab | |
| Signatures | Click Add to add a new signature, and specify the following information. Specify the conditions that identify the signature; these conditions are used to generate the signature that the firewall uses to match the application patterns and control traffic. To move a condition within a group, select the condition and Move Up or Move Down. To move a group, select the group and Move Up or Move Down. You cannot move conditions from one group to another. |

Signatures are not required for the application if it is used only in application override rules.
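As an added example (not PAN-OS code or any Palo Alto Networks tooling), a small Python validator that checks a custom application definition against the limits stated in the table above and resolves which idle timeout applies to a flow. The dictionary field names, the 1-65535 bound on a port number, and the rule that a zero per-transport timeout falls through to Timeout before the application default are this example's assumptions.

```python
import re

# Hypothetical validator for a custom application definition, checking the
# constraints the table above states; not part of PAN-OS or any Palo Alto SDK.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ._-]{0,30}$")          # letter first, max 31
PORT_RE = re.compile(r"^(TCP|UDP)/(dynamic|[0-9]{1,5})$", re.IGNORECASE)
RANGES = {"ip_protocol": (1, 255), "icmp_type": (0, 255), "icmp6_type": (0, 255),
          "timeout": (0, 604800), "tcp_timeout": (0, 604800), "udp_timeout": (0, 604800),
          "tcp_half_closed": (1, 604800), "tcp_time_wait": (1, 600)}

def validate_custom_app(app):
    """Return a list of problems; an empty list means the definition is acceptable."""
    problems = []
    if not NAME_RE.match(app.get("name", "")):
        problems.append("name: 1-31 chars, letter first, only letters/digits/space/._-")
    if app.get("risk") not in (1, 2, 3, 4, 5):
        problems.append("risk: must be 1 (lowest) to 5 (highest)")
    # Port, IP Protocol, ICMP Type and ICMP6 Type are alternative selections
    chosen = [k for k in ("ports", "ip_protocol", "icmp_type", "icmp6_type") if k in app]
    if len(chosen) > 1:
        problems.append("protocol: select only one of Port, IP Protocol, ICMP Type, ICMP6 Type")
    for entry in app.get("ports", []):                 # one <protocol>/<port> per entry
        m = PORT_RE.match(entry)
        ok = m and (m.group(2).lower() == "dynamic" or 1 <= int(m.group(2)) <= 65535)
        if not ok:                                      # port 1-65535 is an assumption
            problems.append(f"ports: {entry!r} is not TCP|UDP / port-number|dynamic")
    for key, (lo, hi) in RANGES.items():
        if key in app and not (isinstance(app[key], int) and lo <= app[key] <= hi):
            problems.append(f"{key}: must be an integer in {lo}-{hi}")
    return problems

def effective_idle_timeout(app, transport, app_default):
    """Resolve the idle timeout as the table describes: for TCP/UDP the per-transport
    value applies, otherwise the generic Timeout; 0 (or an absent field) means 'use the
    application default'. Treating 0 as 'not specified' so it falls through to Timeout
    before the default is this example's assumption."""
    chain = []
    if transport in ("tcp", "udp"):
        chain.append(app.get(f"{transport}_timeout", 0))
    chain.append(app.get("timeout", 0))
    for value in chain:
        if value:
            return value
    return app_default

# Constructed sample definition (not from the page): a custom app on TCP/dynamic + UDP/32
SAMPLE_APP = {"name": "custom-ops-agent", "risk": 3, "ports": ["TCP/dynamic", "UDP/32"],
              "timeout": 120, "tcp_timeout": 900, "tcp_half_closed": 60, "tcp_time_wait": 15}
```

Running validate_custom_app on a definition before committing it catches the same errors the web interface would reject, which is useful when custom applications are generated from an inventory rather than typed by hand.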