Palo Alto Networks Knowledgebase: PBF based on application

PBF based on application

Created On 02/07/19 23:48 PM - Last Updated 02/07/19 23:48 PM
Policy
Symptom

Can I use any pre-defined application or custom applications with PBF?



Resolution

For a PBF policy to work, only the source zone or interface is required:

 

pbf source.png

 

In the Destination/Application/Service tab, applications can be configured, but only pre-defined applications can be added.

Custom applications, application filters and application groups cannot be used to create a PBF policy:

 

 

PBF.png

 

 

Furthermore, as mentioned in the Admin Guide, application-specific rules are not recommended for use with PBF:

 

PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

 

However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.

Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.
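The two failure modes quoted above (a cached App-ID applied to a session that is really a different application, and a forwarding decision that is never revisited once the application changes) are easier to reason about with a small model. The block below is an added illustration written for this page; it is not PAN-OS code and not part of the Admin Guide. What it takes from the article is the cache key (destination IP, destination port, protocol) and the fact that PBF is decided on the first packet with only that cache available. Everything else is an assumption for the example: the rule and interface names, the addresses, the App-ID names, and the choice that the most recent identification overwrites the cache entry. The service-object scenario shows the recommended alternative, where the match is made from the Layer 4 port in the packet header and is therefore the same for every session.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the behaviour the KB describes: an application-based
# PBF rule is evaluated once, on the first packet, with only the App-ID
# cache (keyed on destination IP, destination port and protocol) to go on.
# This is an illustration, not PAN-OS code. Rule/interface names, addresses,
# App-ID names and the "latest identification overwrites the cache entry"
# rule are assumptions made for the example.

CacheKey = Tuple[str, int, str]  # (dst_ip, dst_port, proto)


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    true_app: str                          # what App-ID settles on once it has enough packets
    decided_egress: Optional[str] = None   # egress chosen on the first packet, never revisited


@dataclass
class PbfRule:
    name: str
    application: str = "any"               # "any" or a pre-defined App-ID name
    service_port: Optional[int] = None     # service-object alternative: match the L4 port
    egress: str = "ethernet1/1"

    def matches(self, s: Session, cached_app: Optional[str]) -> bool:
        # A service object is matched from the packet header itself.
        if self.service_port is not None and s.dst_port != self.service_port:
            return False
        # An application can only be matched from what the cache already holds.
        if self.application != "any" and cached_app != self.application:
            return False
        return True


@dataclass
class Firewall:
    rules: List[PbfRule]
    default_egress: str = "ethernet1/1"    # what the routing table would pick
    appid_cache: Dict[CacheKey, str] = field(default_factory=dict)

    def first_packet(self, s: Session) -> str:
        """PBF lookup on SYN / SYN-ACK: only the App-ID cache is consulted."""
        cached = self.appid_cache.get((s.dst_ip, s.dst_port, s.proto))
        for rule in self.rules:
            if rule.matches(s, cached):
                s.decided_egress = rule.egress
                return rule.egress
        s.decided_egress = self.default_egress
        return self.default_egress

    def more_packets(self, s: Session) -> str:
        """Later packets let App-ID identify the session and (over)write the cache
        entry for this destination; the forwarding decision is not re-evaluated."""
        self.appid_cache[(s.dst_ip, s.dst_port, s.proto)] = s.true_app
        return s.decided_egress


def run_app_rule_scenario() -> List[Tuple[str, str, str]]:
    """Rule 'ssl-to-isp2': application ssl -> ethernet1/2. Returns (label, true_app, egress)."""
    fw = Firewall(rules=[PbfRule("ssl-to-isp2", application="ssl", egress="ethernet1/2")])
    dst = ("203.0.113.10", 443, "tcp")
    out = []
    # Session 1: cache empty, the rule cannot match on the SYN, normal routing applies.
    s1 = Session("10.0.0.5", *dst, true_app="ssl")
    out.append(("1: first ssl session", s1.true_app, fw.first_packet(s1)))
    fw.more_packets(s1)   # cache now says ssl for this destination
    # Session 2: same destination, cache hit, the rule applies as intended.
    s2 = Session("10.0.0.6", *dst, true_app="ssl")
    out.append(("2: second ssl session", s2.true_app, fw.first_packet(s2)))
    # Session 3: same destination but a different application. The SYN still
    # matches the ssl rule because only the cached App-ID is available.
    s3 = Session("10.0.0.7", *dst, true_app="unknown-tcp")
    out.append(("3: other app, same tuple", s3.true_app, fw.first_packet(s3)))
    # Identifying session 3 later does not move it, but it rewrites the cache ...
    out.append(("3: after identification", s3.true_app, fw.more_packets(s3)))
    # ... so the next genuine ssl session now misses the rule.
    s4 = Session("10.0.0.8", *dst, true_app="ssl")
    out.append(("4: ssl after cache overwrite", s4.true_app, fw.first_packet(s4)))
    return out


def run_service_rule_scenario() -> List[Tuple[str, str, str]]:
    """Same intent as a service object (TCP/443): decided from the first packet, every time."""
    fw = Firewall(rules=[PbfRule("tcp443-to-isp2", service_port=443, egress="ethernet1/2")])
    out = []
    for src, app, port in [("10.0.0.5", "ssl", 443), ("10.0.0.7", "unknown-tcp", 443),
                           ("10.0.0.8", "web-browsing", 80)]:
        s = Session(src, "203.0.113.10", port, "tcp", true_app=app)
        out.append((f"{app} on tcp/{port}", app, fw.first_packet(s)))
    return out


if __name__ == "__main__":
    for row in run_app_rule_scenario() + run_service_rule_scenario():
        print(*row, sep="  ")
```

Running the script prints the egress chosen for each session. In the application-based scenario the first session is routed normally, the third session is forwarded by the ssl rule although it is not ssl, and a later genuine ssl session is missed once the cache entry for that destination has been rewritten. In the service-based scenario the decision depends only on the destination port, so it is the same on the first session as on every later one, which is why the Admin Guide recommends a service object over an application in PBF.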

 

Observation:

- The list of available applications does not include the full list of applications, because the identification of some applications requires more packets to be captured than PBF has seen when it makes its decision.

You can check the list of available applications under Policies > Policy Based Forwarding > Destination/Application/Services:

applications.jpg



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clq1CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
