How much data is necessary to recognize an application
Summary: This article details the amount of data the NGFW needs before it determines an application.

Resolution

In order to recognize an application, the Palo Alto Networks firewall needs to capture enough data to match a pattern contained in an application signature.

As a compromise between application identification (App-ID) and security, the firewall inspects only a limited amount of data before finally deciding whether the application is known or not.

It waits for a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake).

In most cases, the application will be recognized before that amount of data has been received.

If the application is decided to be unknown, it will appear as "unknown-tcp" or "unknown-udp."

Additional Information
If it is imperative to block the data in the first packet after the 3-way handshake, a custom application can be created. When adding the Signature, set the Operator to "Pattern Match" and the Context to "pre-app-req-data". Create a Security Policy "Deny" rule for this custom application and place it above your existing Allow rules. On the 4th packet (the 1st data packet after the TCP handshake), if the signature is matched, the application is identified and the session is denied by this policy.
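The decision rule described in the Resolution (4 data packets or 2000 bytes over both directions, handshake excluded, otherwise "unknown-tcp") and the first-data-packet custom application above, as an added Python model that is not Palo Alto Networks code: the Signature and Packet classes, the sample patterns and the rule list are constructed for illustration, and treating the "pre-app-req-data" context as "first data packet only" is an assumption drawn from the article's description.

```python
import re
from dataclasses import dataclass

MAX_PACKETS = 4    # article: give up after 4 data packets (handshake excluded) ...
MAX_BYTES = 2000   # ... or 2000 bytes, counted over both directions

@dataclass
class Signature:
    app: str
    pattern: bytes             # regex applied to a packet payload
    context: str = "app-data"  # "pre-app-req-data": 1st data packet only (modelling assumption)

@dataclass
class Packet:
    direction: str  # "c2s" or "s2c"; both directions count toward the limits
    payload: bytes  # empty for SYN / SYN-ACK / ACK handshake packets

def identify(packets, signatures, transport="tcp"):  # -> (app, data packets inspected)
    inspected, seen_bytes = 0, 0
    for pkt in packets:
        if not pkt.payload:        # handshake and bare ACKs carry no data
            continue
        inspected += 1
        seen_bytes += len(pkt.payload)
        for sig in signatures:
            if sig.context == "pre-app-req-data" and inspected != 1:
                continue
            if re.search(sig.pattern, pkt.payload):
                return sig.app, inspected
        if inspected >= MAX_PACKETS or seen_bytes >= MAX_BYTES:
            break                  # budget exhausted: the session stays unknown
    return f"unknown-{transport}", inspected

def policy_action(app, rules):
    for rule_app, action in rules:  # first match wins, as in a security policy
        if rule_app in (app, "any"):
            return action
    return "deny"                   # assumed default when no rule matches

# Constructed sample signatures and rules, not a real App-ID database.
SIGNATURES = [
    Signature("block-first-packet", rb"^\x16\x03\x01", context="pre-app-req-data"),
    Signature("web-browsing", rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]"),
]
RULES = [("block-first-packet", "deny"), ("web-browsing", "allow")]  # deny above allow
HANDSHAKE = [Packet("c2s", b""), Packet("s2c", b""), Packet("c2s", b"")]

def classify(data_packets):  # handshake + data packets -> (app, packets seen, action)
    app, n = identify(HANDSHAKE + data_packets, SIGNATURES)
    return app, n, policy_action(app, RULES)
```

The third case in the test below shows why the article stresses the first data packet: a pattern that only appears in a later packet never fires under the pre-app-req-data context, so the session falls through to unknown-tcp.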

Note: Palo Alto Networks TAC cannot assist in creating custom signatures. Professional Services can help with this. Contact your sales engineer for more information.

Legacy ID: 66238
Legacy URL: http://live.paloaltonetworks.com:80/t5/Configuration-Articles/How-much-data-is-necessary-to-recognize-an-application/ta-p/66238