Application not being identified correctly (wechat-file-transfer is being identified as wechat-base)
Created On 06/06/23 08:09 AM - Last Modified 10/31/25 18:20 PM
Symptom
- Whenever a WeChat file transfer is initiated, the firewall is unable to identify it as such.
- The firewall may instead see it as:
  - wechat-base
  - unknown-tcp
  - unknown-udp
Environment
- Palo Alto Firewall
- PAN-OS 9.1 and above
Cause
Under normal circumstances, a WeChat file transfer should go via tcp/443. In that case the firewall is able to detect it correctly as wechat-file-transfer (even without decryption).
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
21516 wechat-file-transfer ACTIVE FLOW NS 192.168.1.2[52151]/L3-Trust/6 (10.46.41.251[31203])
vsys1 43.130.194.20[443]/L3-Untrust (43.130.194.20[443])
25189 wechat-base ACTIVE FLOW NS 192.168.1.2[52273]/L3-Trust/6 (10.46.41.251[25109])
vsys1 101.32.104.41[80]/L3-Untrust (101.32.104.41[80])
However, the app can try to evade detection by going via udp/8000 (that is, using a different protocol). To see this clearly, monitor the existing sessions and note the new sessions that appear whenever a file transfer is initiated.
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
25189 wechat-base ACTIVE FLOW NS 192.168.1.2[52273]/L3-Trust/6 (10.46.41.251[25109])
vsys1 101.32.104.41[80]/L3-Untrust (101.32.104.41[80])
Below are the 3 new sessions that appeared after the file transfer was initiated.
25209 wechat-base ACTIVE FLOW NS 192.168.1.2[52274]/L3-Trust/6 (10.46.41.251[39079])
vsys1 43.130.30.240[443]/L3-Untrust (43.130.30.240[443])
25210 wechat-base ACTIVE FLOW NS 192.168.1.2[52275]/L3-Trust/6 (10.46.41.251[51689])
vsys1 129.226.3.47[80]/L3-Untrust (129.226.3.47[80])
25338 unknown-udp ACTIVE FLOW NS 192.168.1.2[64814]/L3-Trust/17 (10.46.41.251[19116])
vsys1 43.130.194.15[8000]/L3-Untrust (43.130.194.15[8000])
Now an unknown-udp session appears that can only be coming from the file transfer. When looking for new sessions, pay particular attention to new unknown-udp and unknown-tcp sessions.
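As an added example (not part of the article), the following Python script parses the two-line session layout shown above, diffs a "before" and an "after" snapshot, and reports the newly appeared sessions that App-ID left as unknown-tcp or unknown-udp. The sample snapshots are copied from the article's output; the parser assumes each session occupies exactly two lines as shown.

```python
import re
from collections import namedtuple

# Constructed input: the 'show session all' output quoted in the article, captured before
# and after a WeChat file transfer was started (header and separator lines included).
BEFORE = """\
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
25189 wechat-base ACTIVE FLOW NS 192.168.1.2[52273]/L3-Trust/6 (10.46.41.251[25109])
vsys1 101.32.104.41[80]/L3-Untrust (101.32.104.41[80])
"""
AFTER = BEFORE + """\
25209 wechat-base ACTIVE FLOW NS 192.168.1.2[52274]/L3-Trust/6 (10.46.41.251[39079])
vsys1 43.130.30.240[443]/L3-Untrust (43.130.30.240[443])
25210 wechat-base ACTIVE FLOW NS 192.168.1.2[52275]/L3-Trust/6 (10.46.41.251[51689])
vsys1 129.226.3.47[80]/L3-Untrust (129.226.3.47[80])
25338 unknown-udp ACTIVE FLOW NS 192.168.1.2[64814]/L3-Trust/17 (10.46.41.251[19116])
vsys1 43.130.194.15[8000]/L3-Untrust (43.130.194.15[8000])
"""

# Line 1 of an entry: ID, application, ..., src[sport]/zone/proto; line 2: vsys, dst[dport]/zone.
FIRST = re.compile(r"^(\d+)\s+(\S+)\s+.*?(\S+)\[(\d+)\]/(\S+)/(\d+)")
SECOND = re.compile(r"^(\S+)\s+(\S+)\[(\d+)\]/(\S+)")
Session = namedtuple("Session", "sid app src sport proto dst dport")  # proto: 6 = TCP, 17 = UDP

def parse_sessions(text):
    """Parse the two-line-per-session layout into {session_id: Session}; other lines are skipped."""
    sessions, lines = {}, iter(text.splitlines())
    for line in lines:
        m1 = FIRST.match(line)
        if not m1:
            continue  # header, separator or prose line
        m2 = SECOND.match(next(lines, ""))
        if not m2:
            continue  # entry without its second line; ignore it
        sessions[int(m1[1])] = Session(int(m1[1]), m1[2], m1[3], int(m1[4]), int(m1[6]),
                                       m2[2], int(m2[3]))
    return sessions

def new_unknown_sessions(before, after):
    """Sessions that appeared between snapshots and that App-ID left as unknown-tcp/unknown-udp."""
    added = sorted(set(after) - set(before))
    return [after[s] for s in added if after[s].app in ("unknown-tcp", "unknown-udp")]
```

Run it against two snapshots taken around a transfer; for the article's data the only flagged session is 25338, udp to port 8000.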
Resolution
The solution in this case is to block the unknown-udp (udp/8000) traffic on the firewall. The WeChat app then falls back to tcp/443 for the file transfer, and the firewall is able to identify it correctly as wechat-file-transfer.
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
21516 wechat-file-transfer ACTIVE FLOW NS 192.168.1.2[52151]/L3-Trust/6 (10.46.41.251[31203])
Additional Information
Note that the WeChat app may also use the QUIC protocol for the file transfer, so QUIC may also need to be blocked on the firewall so that the transfer cannot evade detection.