Getting Started: Custom applications and app override
What more can my firewall do? Custom applications and app override!
Depending on your environment, you may have custom-created, proprietary applications or traffic you simply want to identify by a custom name. You may be running a web service that's normally identified by the Palo Alto Networks firewall as web-browsing, making it harder for you to create reporting, or you may want to apply QoS to a specific set of connections that use a common App-ID.
To get around these issues, you can create custom App-IDs that match a certain signature in the traffic or use application override to simply force certain sessions to be identified as an application you configure.
A signature-based custom app relies on the App-ID engine to positively identify a signature in the packets passing through the firewall. If you are trying to identify a proprietary application that uses predictable or easily identifiable signatures, you can create a custom application using regex to help identify the signature.
Example: I have a web service running internally on the URL www.example.com. Since this is a regular website, the firewall will identify it with the 'web-browsing' App-ID.
Signature-based custom App-ID
When we take a closer look at a packet capture from the traffic heading to the server, an identifiable signature can be the hostname.
To create a custom app, head over to Applications and create a new application. Set the Application properties and, if applicable, set the Parent App: the Parent App is used when the traffic is already being identified as an application. This will help App-ID properly report the custom app. In the case of a proprietary application that is currently not identified by App-ID, the Parent App can be left as 'none.'
In the Advanced tab, you can set the ports or protocol this application will be using and also if this application can be scanned for threats. There are, however, a few caveats that are important to consider:
- If the custom application has scanning options unchecked, the threat engine will stop inspecting the traffic as soon as the custom application is identified.
- If the custom app does not have a parent app that can be identified by regular App-ID or is used in an app override (see below), it cannot be scanned for threats.
In the signatures tab, you can add all the signatures required to identify the application. The App-ID engine can be instructed to look for potential signatures in a single transaction (a single packet from client to server or server to client) or in the entire session (a signature or signatures could be spread over several packets in either direction). There are plenty of options available on where to look for signatures and in which context. Multiple signature sets can also be added in an 'AND' or 'OR' condition.
If all this seems a little confusing, don't worry; I've added several helpful articles at the end that will explain more in depth what can be achieved with custom signatures. For now, we'll keep it simple and look for a signature in the HTTP request Host header:
My signature will simply be the host name in regex-friendly format. This means there needs to be a backslash in front of each dot to signify that the dot is a literal character and not a wildcard. I'll also set the Qualifier to http-method GET to indicate the signature can be found in the GET request.
Once this custom application is committed, the firewall will start identifying all connections to my web server as the new application:
We can now create reports based on the custom application and monitor specifically what kind of traffic is hitting our site.
The above steps will work perfectly if the application can be easily identified, but sometimes it may not be necessary or even possible to look into a datastream and identify a certain signature.
Application override forcibly bypasses the App-ID process and sets a session to match a manually configured application name. Any sessions processed like this will not be scanned by parallel processing and will be offloaded to fastpath.
For most use cases, we recommend creating a simple custom application with as few attributes as possible, as the app override will bypass scanning or signature detection. It will simply identify a session as the custom application and take no further action. This can be a very simple but powerful tool to help identify internal applications and improve throughput as the session is offloaded to hardware immediately, but please consider the security implications.
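To make the two mechanisms above concrete (the Host-header signature with its escaped dot from the signature section, and the override rule that never looks at the payload), here is a small Python model. It is an added illustration, not code from this article, from PAN-OS or from the real App-ID engine: the names `classify`, `escape_host`, `OverrideRule` and the sample zone, addresses and payloads are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the two mechanisms the article describes:
#   1. a signature-based custom App-ID that looks at the Host header of an HTTP GET
#   2. an application override rule that matches on zone/IP/port/protocol only
# Illustrative code written for this article; not PAN-OS and not the real App-ID engine.


@dataclass
class Session:
    dst_zone: str
    dst_ip: str
    dst_port: int
    protocol: str
    payload: bytes  # first client-to-server transaction (constructed sample data)


@dataclass
class CustomApp:
    name: str
    parent: Optional[str]   # parent App-ID such as "web-browsing", or None
    scan_threats: bool      # the "scan for threats" option in the Advanced tab
    host_regex: str         # signature: regex applied to the Host header of a GET


@dataclass
class OverrideRule:
    dst_zone: str
    dst_ip: str
    dst_port: int
    protocol: str
    app: str


@dataclass
class Verdict:
    app: str
    threat_scanned: bool
    path: str  # "override", "signature" or "app-id"


def escape_host(hostname: str) -> str:
    """Turn a hostname into the regex-friendly form: every '.' becomes a literal '\\.'."""
    return hostname.replace(".", r"\.")


_HOST_LINE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.MULTILINE)


def http_get_host(payload: bytes) -> Optional[str]:
    """Return the Host header if the transaction is an HTTP GET, else None.
    This stands in for the 'http-method GET' qualifier plus the Host-header context."""
    if not payload.startswith(b"GET "):
        return None
    m = _HOST_LINE.search(payload)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def signature_matches(app: CustomApp, payload: bytes) -> bool:
    host = http_get_host(payload)
    return host is not None and re.search(app.host_regex, host) is not None


def builtin_app_id(payload: bytes) -> str:
    """Stand-in for stock App-ID: an HTTP request line is 'web-browsing', anything else unknown."""
    return "web-browsing" if b" HTTP/1." in payload.split(b"\r\n", 1)[0] else "unknown-tcp"


def classify(session: Session, overrides: List[OverrideRule], custom_apps: List[CustomApp]) -> Verdict:
    # 1. Application override is consulted first and never looks at the payload.
    #    A match forces the app name and the session is not inspected further.
    for rule in overrides:
        if (rule.dst_zone, rule.dst_ip, rule.dst_port, rule.protocol) == \
                (session.dst_zone, session.dst_ip, session.dst_port, session.protocol):
            return Verdict(rule.app, threat_scanned=False, path="override")
    # 2. Signature-based custom apps: threat scanning continues only if the
    #    scanning option is set AND the app has a parent that App-ID can identify.
    for app in custom_apps:
        if signature_matches(app, session.payload):
            return Verdict(app.name, app.scan_threats and app.parent is not None, "signature")
    # 3. Otherwise the stock App-ID verdict, fully inspected.
    return Verdict(builtin_app_id(session.payload), True, "app-id")


# --- constructed sample data (hypothetical zone, addresses and payloads) ----
EXAMPLE_APP = CustomApp("example-web", parent="web-browsing", scan_threats=True,
                        host_regex=escape_host("www.example.com"))
OVERRIDE = OverrideRule("dmz", "10.0.0.5", 8080, "tcp", "example-legacy")

GET_EXAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GET_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: www-example-com\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\x2a"  # constructed non-HTTP bytes


def demo() -> List[Verdict]:
    sessions = [
        Session("dmz", "10.0.0.9", 80, "tcp", GET_EXAMPLE),    # custom signature hits
        Session("dmz", "10.0.0.9", 80, "tcp", GET_LOOKALIKE),  # escaped dot: no hit
        Session("dmz", "10.0.0.5", 8080, "tcp", NOT_HTTP),     # override, payload ignored
    ]
    return [classify(s, [OVERRIDE], [EXAMPLE_APP]) for s in sessions]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Two things to take from running it: with the dot unescaped, `www.example.com` as a regex also matches a host such as `www-example-com`, which is exactly why the signature needs `www\.example\.com`; and the third session is labelled `example-legacy` with `threat_scanned=False` even though its payload is not HTTP at all, because the override rule matched on the 5-tuple alone. That is the security implication the paragraph above asks you to consider.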
If you're wondering what else you can do with custom apps or signature-based detection, please take a look at the following articles that show you more ways to leverage signatures to identify applications or block types of traffic.
I hope you liked this article; feel free to leave a comment below.
If you want to see more of these, please check out the landing page of the Getting Started series!
Till next time,