How much data is necessary to recognize an application

44428
Created On 09/25/18 17:42 PM - Last Modified 02/08/22 21:53 PM


Resolution


In order to recognize an application, the Palo Alto Networks firewall needs to capture enough session data to match a pattern contained in an application signature.

 

As a compromise between application identification (App-ID) accuracy and security, the firewall inspects only a limited amount of data before finally deciding whether the application is known or not.

 

It waits for a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake).

In most cases, the application will be recognized before receiving that amount of data.

 

If the application still cannot be identified once that limit is reached, it is reported as "unknown-tcp" or "unknown-udp."



Additional Information


If it is imperative to block traffic based on the data in the first packet after the 3-way handshake, a custom application can be created.  When adding the Signature, set the Operator to "Pattern Match" and the Context to "pre-app-req-data".  Create a Security Policy "Deny" rule for this custom application and place it above your existing Allow rules.  On the 4th packet (the 1st data packet after the TCP handshake), if the signature matches, the application is identified and the session is denied by this rule.
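The Python model below is an added illustration for this article and is not PAN-OS code or Palo Alto Networks' App-ID implementation. It replays the two decisions described above: the identification budget (inspect at most 4 data packets or 2000 bytes, handshake excluded, then fall back to unknown-tcp/unknown-udp) and the custom-application Deny rule evaluated against the first data packet. The signature format, the per-direction counters, the pattern-match semantics assumed for the "pre-app-req-data" context, the rule table and all sample payloads are constructed assumptions for the example, not captured traffic.

```python
"""Toy model of the App-ID data budget described in this article.

Added illustration only, not PAN-OS code. Signature syntax, per-direction
counting and the "pre-app-req-data" semantics are assumptions.
"""
import re
from dataclasses import dataclass

MAX_DATA_PACKETS = 4   # per direction, handshake excluded (from the article)
MAX_DATA_BYTES = 2000  # per direction (from the article)


@dataclass
class Signature:
    app: str
    pattern: bytes          # regex over payload bytes
    context: str = "any"    # "pre-app-req-data": 1st data packet only (assumed)


@dataclass
class Packet:
    direction: str  # "c2s" (client to server) or "s2c"
    payload: bytes  # b"" for SYN / SYN-ACK / ACK-only packets


@dataclass
class Session:
    proto: str      # "tcp" or "udp"
    packets: list


def identify(session, signatures):
    """Return the matched App-ID, or unknown-<proto> once the budget is spent."""
    pkts = {"c2s": 0, "s2c": 0}
    nbytes = {"c2s": 0, "s2c": 0}
    buf = {"c2s": b"", "s2c": b""}
    seen_data = False
    for pkt in session.packets:
        if not pkt.payload:
            continue                       # handshake / ACK-only: not counted
        first_data = not seen_data
        seen_data = True
        d = pkt.direction
        pkts[d] += 1
        nbytes[d] += len(pkt.payload)
        buf[d] += pkt.payload
        for sig in signatures:
            if sig.context == "pre-app-req-data":
                # custom-app context: evaluated against the 1st data packet only
                if first_data and re.search(sig.pattern, pkt.payload):
                    return sig.app
            elif re.search(sig.pattern, buf[d]):
                return sig.app
        if pkts[d] >= MAX_DATA_PACKETS or nbytes[d] >= MAX_DATA_BYTES:
            break                          # budget exhausted: stop looking
    return f"unknown-{session.proto}"


def policy_action(app, rules):
    """Top-down, first-match security policy with an implicit deny at the end."""
    for rule_app, action in rules:
        if rule_app in (app, "any"):
            return action
    return "deny"


# --- constructed sample data (not captured traffic) ---------------------------
SIGNATURES = [
    Signature("web-browsing", rb"(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    Signature("block-first-packet", rb"^EVILPROTO/1", context="pre-app-req-data"),
]
# Deny rule for the custom app placed ABOVE the broad allow, as the article advises.
RULES = [("block-first-packet", "deny"), ("any", "allow")]

HANDSHAKE = [Packet("c2s", b""), Packet("s2c", b""), Packet("c2s", b"")]

HTTP_SESSION = Session("tcp", HANDSHAKE + [
    Packet("c2s", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
])
# Custom banner in the 1st data packet: hit by the pre-app-req-data signature
CUSTOM_SESSION = Session("tcp", HANDSHAKE + [Packet("c2s", b"EVILPROTO/1 HELLO\n")])
# Identifiable request only arrives in the 5th data packet: over the packet budget
LATE_SESSION = Session("tcp", HANDSHAKE
                       + [Packet("c2s", b"\x00" * 16)] * 4
                       + [Packet("c2s", b"GET / HTTP/1.1\r\n")])
# One oversized opaque blob first: over the byte budget before the request appears
BIG_SESSION = Session("tcp", HANDSHAKE + [
    Packet("c2s", b"\xff" * 2500),
    Packet("c2s", b"GET / HTTP/1.1\r\n"),
])
UDP_SESSION = Session("udp", [Packet("c2s", b"\x01\x02\x03\x04")])


if __name__ == "__main__":
    for name, s in [("http", HTTP_SESSION), ("custom", CUSTOM_SESSION),
                    ("late", LATE_SESSION), ("big", BIG_SESSION), ("udp", UDP_SESSION)]:
        app = identify(s, SIGNATURES)
        print(f"{name:7s} -> {app:20s} policy: {policy_action(app, RULES)}")
```

Running the block shows why rule order matters: the "late" and "big" sessions end up as unknown-tcp and fall through to the broad allow, while the custom banner is matched on the very first data packet and denied before any further data is exchanged. Without the custom signature, that same session would also be unknown-tcp and allowed.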

Note: Palo Alto Networks TAC cannot assist in creating custom signatures.  Professional Services can help with this.  Contact your sales engineer for more information.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIgCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail