Threat Protection and Advanced Threat Protection scanning is bypassed when Custom App IDs are configured for Unknown Traffic

Created On 09/28/23 20:51 PM - Last Modified 10/02/23 19:37 PM


Symptom


The Firewalls are impacted if:
  • A Custom App-ID is configured to identify unknown traffic (unknown-req-tcp-payload, unknown-rsp-tcp-payload, unknown-req-udp-payload, unknown-rsp-udp-payload), AND
  • the “Continue scanning for other applications” setting is enabled in the Custom App-ID, OR a “Vulnerability Protection” profile is attached to the Security Policy rule that allows traffic identified with these Custom App-IDs.


Environment


  • Palo Alto Firewalls.
  • PAN-OS 9.1 and higher.
  • Custom App-ID
  • Vulnerability Protection


Cause


How do I know if I am impacted?

  • Step 1: Go to the Panorama or firewall UI and look for Custom App-IDs using Unknown Traffic (GUI: Objects > Applications > use the dropdown button to select "Custom Applications").

    Click on the Application to check its "Context". The example below shows a Custom Application configured with an unknown-udp payload context for the defined signature.

  • Step 2: Check if the setting "Continue scanning for other Applications" is enabled.

  • Step 3: Check if a Vulnerability Profile is attached to the Security Policy rule that allows the Custom App-ID.

    If Step 1 is TRUE, and either Step 2 or Step 3 is TRUE, then the firewall is impacted by the fix. Continue reading to learn how to prepare for the fix.
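As an added example (not from the article or from Palo Alto Networks), the three-step check above expressed as a script over an exported PAN-OS XML configuration, so that many Custom App-IDs can be reviewed at once. The XML element names used (in particular `tunnel-other-application` for the "Continue scanning for other Applications" setting and `profile-setting/profiles/vulnerability` for the attached profile) and the sample configuration are assumptions to be verified against your own export.

```python
import xml.etree.ElementTree as ET

# The four "unknown traffic" contexts named in this article.
UNKNOWN_CONTEXTS = {"unknown-req-tcp-payload", "unknown-rsp-tcp-payload",
                    "unknown-req-udp-payload", "unknown-rsp-udp-payload"}

# Constructed sample shaped like a PAN-OS XML config export. Element names are assumptions
# (verify against your own export); <tunnel-other-application> is taken to be the
# "Continue scanning for other Applications" checkbox.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<application>
  <entry name="my-ot-proto"><tunnel-other-application>yes</tunnel-other-application>
    <signature><entry name="sig1"><and-condition><entry name="a1"><or-condition><entry name="o1">
    <operator><pattern-match><context>unknown-req-udp-payload</context><pattern>OTHDR</pattern>
    </pattern-match></operator></entry></or-condition></entry></and-condition></entry></signature></entry>
  <entry name="my-http-app"><tunnel-other-application>yes</tunnel-other-application>
    <signature><entry name="sig1"><and-condition><entry name="a1"><or-condition><entry name="o1">
    <operator><pattern-match><context>http-req-host-header</context><pattern>intranet</pattern>
    </pattern-match></operator></entry></or-condition></entry></and-condition></entry></signature></entry>
</application>
<rulebase><security><rules><entry name="allow-ot"><action>allow</action>
  <application><member>my-ot-proto</member></application>
  <profile-setting><profiles><vulnerability><member>strict</member></vulnerability></profiles></profile-setting>
</entry></rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def impacted_custom_apps(config_xml: str) -> dict:
    """Map each impacted Custom App-ID to its reasons: Step 1 AND (Step 2 OR Step 3)."""
    vsys = ET.fromstring(config_xml).find("./devices/entry/vsys/entry")
    # Step 3 lookup: apps permitted by allow rules that carry a Vulnerability Protection profile.
    vuln_apps = set()
    for rule in vsys.findall("./rulebase/security/rules/entry"):
        if (rule.findtext("action") == "allow"
                and rule.find("./profile-setting/profiles/vulnerability/member") is not None):
            vuln_apps.update(m.text for m in rule.findall("./application/member"))
    result = {}
    for app in vsys.findall("./application/entry"):
        # Step 1: does any signature condition use an unknown-* payload context?
        if not {c.text for c in app.iter("context")} & UNKNOWN_CONTEXTS:
            continue
        reasons = []
        if app.findtext("tunnel-other-application") == "yes":  # Step 2
            reasons.append("continue scanning enabled")
        if app.get("name") in vuln_apps:  # Step 3
            reasons.append("vulnerability profile on allow rule")
        if reasons:
            result[app.get("name")] = reasons
    return result
```

Run it against the XML from your own firewall or Panorama export in place of the constructed sample; an empty result means no Custom App-ID meets the article's conditions.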


Resolution


How to prepare for the fix?

Review all Custom App-IDs to see if they meet the conditions mentioned above. Use one of the options below to prepare. 

  • Option 1 (Recommended): Test Custom App-ID traffic in the lab:
    1. Capture traffic that is identified with this Custom App-ID, detailed here.
    2. Replay the pcap in a lab environment on a firewall without the Custom App-ID.
    3. If the traffic is identified as unknown-tcp or unknown-udp, then there should be no impact (after installing the Content Update, this traffic will continue to be identified with your Custom App-ID).
    4. If the traffic is identified with another App-ID, then add this new App-ID to the Security Policy rule to allow this traffic.
  • Option 2: Use Application Filters. This option is good for customers who confidently understand their Custom App-ID traffic, for example, the category and sub-category it fits into.
    1. Create an Application Filter for the Category and Sub-Category of Applications that the Custom App-ID fits into. For example, if the Custom App-ID traffic is related to OT/ICS protocols, use an App-ID Filter that selects all App-IDs from the “ics-protocols” subcategory.
    2. Attach this Filter to a Security Policy rule with the action “Allow” and place it at the bottom of your Policy rule set.
    3. Update the Applications & Threats (Content).
    4. A few days after installing the Content Update, review the rule usage statistics in Policy Optimizer. If the traffic is identified with another App-ID, then add this new App-ID to the Security Policy rule to allow this traffic.
    5. Remove the Application Filter when done.

Please make sure to complete these preparations for the fix before the Applications & Threats (Content) update scheduled for October 17, 2023.



Additional Information


Frequently Asked Questions

Q: What is Custom App-ID?
A: Custom App-ID is a feature that enables you to define your internal custom applications in the App-ID platform so they do not show up as unknown traffic.

Q: What is the “Continue scanning for other Applications” setting in Custom App-ID?
A: This setting instructs the firewall to continue trying to match the traffic against other application signatures. If you do not select this option, the firewall stops looking for additional application matches after the first matching signature. Learn more about Applications and settings here.

Q: Is it limited to certain PAN-OS versions?
A: No, this change will be delivered to all currently supported PAN-OS versions.

Q: Are SSL/HTTP based applications impacted?
A: No, only Custom App-IDs for unknown-tcp or unknown-udp traffic are impacted.


Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XggDCAS