Manage Custom or Unknown Applications
Palo Alto Networks provides weekly application updates that add new
App-ID signatures. App-ID is always enabled on the firewall by default,
and you do not need to enable individual signatures to identify well-known
applications. Typically, the only sessions classified as unknown traffic
(unknown-tcp, unknown-udp, or non-syn-tcp) in the ACC and the traffic logs
belong to commercially available applications that have not yet been added
to App-ID, to internal or custom applications on your network, or to
potential threats.
On occasion, the firewall may also report a session as unidentified
for one of the following reasons:
Incomplete data (logged as the application incomplete): a handshake took
place, but no data packets were sent before the session timed out.
Insufficient data (logged as insufficient-data): a handshake took place
followed by one or more data packets, but not enough data was exchanged
to identify the application.
The following choices are available to handle unknown applications:
Create Security policy rules that control unknown applications by
application (unknown-tcp, unknown-udp) or by a combination of source zone,
destination zone, and IP addresses.
Request an App-ID from Palo Alto Networks: if you want to inspect and
control the applications that traverse your network, record a packet
capture of the unknown traffic. If the packet capture reveals a commercial
application, submit the capture to Palo Alto Networks for App-ID
development. If it is an internal application, create a custom App-ID
and/or define an application override policy.
Create a custom application with a signature and attach it to a Security
policy rule, or create a custom application and define a custom timeout.
Avoid creating Application Override policies: they bypass Layer 7
application processing and threat inspection and fall back to less secure
stateful Layer 4 inspection. Use custom timeouts instead, so that you can
still control and inspect the application traffic at Layer 7.
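Before choosing among these options it helps to see which unidentified flows recur and where they go. The following Python script is an added example and is not part of the PAN-OS documentation. It groups unknown-tcp, unknown-udp, unknown-p2p, non-syn-tcp, incomplete and insufficient-data sessions from a traffic log export by source zone, destination zone, destination address, port and protocol, and suggests the next step for each group: no signature is possible for incomplete or insufficient-data sessions, non-syn-tcp means the firewall never saw the session start, and otherwise the destination decides between building a custom App-ID (internal) and submitting a capture to the vendor (external). The log lines are constructed and use a reduced set of columns (a real CSV export has many more), and treating RFC 1918 destinations as internal is an assumption.

```python
"""Triage unidentified sessions from a PAN-OS traffic log export.

Added example; not from the PAN-OS documentation.  SAMPLE_LOG is
constructed with a reduced column set, so map column names before
pointing this at a real export.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# App-IDs the firewall assigns when it sees the whole session but cannot
# identify it: candidates for a packet capture and a new App-ID.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "unknown-p2p"}
# Handshake only, or too few data packets: nothing to write a signature on.
TOO_LITTLE_DATA = {"incomplete", "insufficient-data"}
# Firewall never saw the SYN, so it could not classify from the start.
NOT_FROM_START = {"non-syn-tcp"}

# Assumption: these ranges are "internal" for the purpose of deciding
# between a custom App-ID and an App-ID request to the vendor.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (columns: receive_time,from,to,src,dst,dport,proto,app,bytes).
SAMPLE_LOG = """\
receive_time,from,to,src,dst,dport,proto,app,bytes
2024/05/01 10:00:01,trust,dmz,10.1.1.20,10.2.2.5,7443,tcp,unknown-tcp,18240
2024/05/01 10:00:07,trust,dmz,10.1.1.21,10.2.2.5,7443,tcp,unknown-tcp,20110
2024/05/01 10:00:09,trust,dmz,10.1.1.22,10.2.2.5,7443,tcp,unknown-tcp,17660
2024/05/01 10:00:15,trust,untrust,10.1.1.20,203.0.113.9,5938,tcp,unknown-tcp,9020
2024/05/01 10:00:16,trust,untrust,10.1.1.23,203.0.113.9,5938,tcp,unknown-tcp,8870
2024/05/01 10:00:20,trust,untrust,10.1.1.20,198.51.100.4,443,tcp,incomplete,74
2024/05/01 10:00:25,trust,untrust,10.1.1.25,198.51.100.4,443,tcp,insufficient-data,420
2024/05/01 10:00:31,trust,dmz,10.1.1.30,10.2.2.9,514,udp,unknown-udp,1300
2024/05/01 10:00:40,untrust,trust,203.0.113.77,10.1.1.40,443,tcp,non-syn-tcp,2200
2024/05/01 10:00:41,trust,untrust,10.1.1.20,198.51.100.8,443,tcp,ssl,5100
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize_unknown(log_text):
    """Aggregate unidentified sessions per (from, to, dst, dport, proto, app)."""
    groups = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["app"]
        if app not in UNKNOWN_APPS | TOO_LITTLE_DATA | NOT_FROM_START:
            continue  # identified application; not part of this triage
        key = (row["from"], row["to"], row["dst"], row["dport"], row["proto"], app)
        groups[key]["sessions"] += 1
        groups[key]["bytes"] += int(row["bytes"])
    return dict(groups)


def recommend(key):
    """Next step for one group, following the options listed in the text."""
    _from, _to, dst, _dport, _proto, app = key
    if app in TOO_LITTLE_DATA:
        return "no-signature-possible"
    if app in NOT_FROM_START:
        return "session-start-not-seen"
    if is_internal(dst):
        return "pcap-then-custom-app"
    return "pcap-then-submit-to-vendor"


def triage(log_text):
    return {key: {**stats, "action": recommend(key)}
            for key, stats in summarize_unknown(log_text).items()}


if __name__ == "__main__":
    rows = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["bytes"])
    for (src_z, dst_z, dst, dport, proto, app), r in rows:
        print(f"{src_z}->{dst_z:<8} {app:<18} {proto}/{dport:<5} dst={dst:<14} "
              f"sessions={r['sessions']} bytes={r['bytes']:<6} {r['action']}")
```

The grouping key is the same set of attributes (zones, destination address, port) that the first option above uses to write a Security policy rule for unknown traffic, so each line of the report maps directly to either a rule or a capture target.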
A custom application allows you to customize
the definition of the internal application—its characteristics, category
and sub-category, risk, port, and timeout—and to exercise granular
policy control and help eliminate unidentified traffic on your network.
Creating a custom application also allows you to correctly identify
the application in the ACC and traffic logs,
and is useful in auditing/reporting on the applications on your
network. To create a custom application, specify a signature and
a pattern that uniquely identifies the application and attach it
to a Security policy rule that allows or denies the application.
For example, if you build a custom application that triggers on the host
header www.mywebsite.com, the packets are first identified as web-browsing
and then matched as your custom application (whose parent application is
web-browsing). Because the parent application is web-browsing, the custom
application is inspected at Layer 7 and scanned for content and
vulnerabilities.
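The custom application in this example can be expressed as configuration. The script below is an added example and is not part of the PAN-OS documentation or of any Palo Alto Networks tool. It builds the application entry in the element layout used by PAN-OS XML configuration exports, assembles the parameters for a config set call to the XML API (without sending it), and models the classification rule just described: a request is web-browsing first and is re-tagged as the custom application only when the Host header matches the signature pattern. Assumptions: the application name mywebsite-app, the vsys1 XPath, the category, subcategory, technology, risk, default port and timeout values, the seven-byte minimum pattern length, and the constructed HTTP requests used for the check. Compare the element names against an XML export from your own PAN-OS version before pushing.

```python
"""Configuration for a custom App-ID keyed on the HTTP Host header.

Added example; not from the PAN-OS documentation.  Element names follow
PAN-OS XML configuration exports; metadata values, the vsys1 XPath and
the minimum pattern length are assumptions for this example.
"""
import re
import urllib.parse
import xml.etree.ElementTree as ET

APP_NAME = "mywebsite-app"              # assumed name for the custom app
HOST_PATTERN = r"www\.mywebsite\.com"   # the pattern is a regex: escape the dots
MIN_PATTERN_BYTES = 7                   # assumed floor for a pattern-match string
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']/application")


def build_custom_app(name=APP_NAME, host_regex=HOST_PATTERN,
                     parent="web-browsing", timeout_s=None):
    """Return the <entry> element for a custom application whose single
    signature matches host_regex in the HTTP request Host header."""
    if len(host_regex.encode()) < MIN_PATTERN_BYTES:
        raise ValueError("pattern too short for a pattern-match signature")
    app = ET.Element("entry", name=name)
    # Classification metadata (values assumed for the example).
    ET.SubElement(app, "category").text = "business-systems"
    ET.SubElement(app, "subcategory").text = "general-business"
    ET.SubElement(app, "technology").text = "browser-based"
    ET.SubElement(app, "risk").text = "1"
    port = ET.SubElement(ET.SubElement(app, "default"), "port")
    ET.SubElement(port, "member").text = "tcp/80"
    # Parent app: traffic is decoded as web-browsing first, so it stays
    # under Layer 7 inspection after it is re-tagged as the custom app.
    ET.SubElement(app, "parent-app").text = parent
    # One signature, one AND condition, one OR condition, one pattern match.
    sig = ET.SubElement(ET.SubElement(app, "signature"), "entry", name=f"{name}-sig")
    ET.SubElement(sig, "scope").text = "transaction"
    ET.SubElement(sig, "order-free").text = "no"
    and_c = ET.SubElement(ET.SubElement(sig, "and-condition"), "entry", name="And Condition 1")
    or_c = ET.SubElement(ET.SubElement(and_c, "or-condition"), "entry", name="Or Condition 1")
    pm = ET.SubElement(ET.SubElement(or_c, "operator"), "pattern-match")
    ET.SubElement(pm, "context").text = "http-req-host-header"
    ET.SubElement(pm, "pattern").text = host_regex
    # Optional custom session timeout in seconds: the alternative the text
    # recommends over an Application Override rule.
    if timeout_s is not None:
        ET.SubElement(app, "timeout").text = str(timeout_s)
    return app


def xml_api_set_params(app, api_key="<api-key>"):
    """Query parameters for a config 'set' call to the PAN-OS XML API.
    The element is added beneath VSYS_XPATH; no request is sent here."""
    return {
        "type": "config",
        "action": "set",
        "xpath": VSYS_XPATH,
        "element": ET.tostring(app, encoding="unicode"),
        "key": api_key,
    }


def classify_http_request(raw_request, custom_apps):
    """Model of the rule in the text: an HTTP request is web-browsing first;
    if a custom app's Host pattern matches, the session is re-tagged as that
    app with web-browsing as its parent.  Returns (app, parent)."""
    m = re.search(r"^Host:[ \t]*([^\r\n]+)", raw_request, re.M | re.I)
    host = m.group(1).strip() if m else ""
    for name, regex in custom_apps.items():
        if re.search(regex, host):
            return name, "web-browsing"
    return "web-browsing", None


# Constructed requests for the check.
REQ_MATCH = "GET /index.html HTTP/1.1\r\nHost: www.mywebsite.com\r\n\r\n"
REQ_OTHER = "GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
REQ_TRICK = "GET / HTTP/1.1\r\nHost: wwwXmywebsiteXcom\r\n\r\n"

if __name__ == "__main__":
    entry = build_custom_app(timeout_s=3600)
    print(urllib.parse.urlencode(xml_api_set_params(entry))[:200], "...")
    for req in (REQ_MATCH, REQ_OTHER, REQ_TRICK):
        print(classify_http_request(req, {APP_NAME: HOST_PATTERN}))
```

The unescaped form www.mywebsite.com would also match wwwXmywebsiteXcom, which is why the pattern escapes its dots; pattern-match is still a substring match, so a host such as www.mywebsite.com.attacker.example matches too, and the pattern should be narrowed if that matters for your policy.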