Sees everything in one go across the whole layer --> tens of thousands of pounds cost.
Introduction - Next-Generation Firewall: App-ID
>>App-ID reduces the attack surface
What Is an Application?
An application is a program whose communication can be labelled, monitored and controlled.
It may be delivered through a web browser, a client-server model or a decentralized peer-to-peer design.
What Is App ID?
Applications and application functions are identified via multiple techniques, including
- application signatures
- decryption (if needed)
- protocol decoding
- heuristics
App-ID Application Identification
Traditional firewalls use port blocking to control traffic. To allow a service such as DNS that uses port 53, the
The Palo Alto Networks next generation firewall is configured to allow the DNS service. If you configure the
App-ID looks at the signature at Layer 7.
Zero Day Malware: IPS Versus App ID
An IPS that does not know a zero-day allows it; the Palo Alto Networks firewall instead is configured to allow only DNS application traffic.
App-ID and TCP
The TCP handshake (SYN, SYN-ACK, ACK) carries no application data, so there is not enough information to identify the application at the start; only a later packet such as an HTTP GET request reveals a web-based application and lets it be identified.
Classifying (Labelling) TCP Traffic
not-applicable --> incomplete --> insufficient-data --> unknown-tcp / unknown-p2p
App-ID and UDP
A Palo Alto Networks firewall examining UDP packets often must examine only a single UDP packet to identify the application.
Classifying (Labelling) UDP Traffic
not-applicable --> unknown-udp / unknown-p2p
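A toy model of the TCP and UDP labelling chains above and of the port-based versus application-based comparison in the zero-day section, added here as an example and not code from the Palo Alto Networks course or product; the two signatures, the application-default port table and the 4-byte data threshold are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed stand-ins for App-ID signatures: a predicate over the first payload bytes.
SIGNATURES = {
    "web-browsing": lambda p: p.startswith(b"GET ") or p.startswith(b"POST "),
    "dns": lambda p: len(p) >= 12 and p[2] & 0x80 == 0 and p[4:6] == b"\x00\x01",
}
APP_DEFAULT_PORTS = {"dns": {53}, "web-browsing": {80}}  # constructed subset
MIN_DATA = 4  # constructed: fewer payload bytes than this after the handshake

@dataclass
class Session:
    proto: str                    # "tcp" or "udp"
    dport: int
    handshake_done: bool = True   # TCP three-way handshake finished
    payload: bytes = b""          # first application-layer bytes seen

def label_session(s):
    """App-ID label for a session, following the TCP and UDP label chains in the notes."""
    if s.proto == "tcp":
        if not s.handshake_done:
            return "incomplete"         # SYN / SYN-ACK / ACK never finished
        if len(s.payload) < MIN_DATA:
            return "insufficient-data"  # handshake done, but no data to classify
    for app, matches in SIGNATURES.items():
        if matches(s.payload):
            return app
    return "unknown-tcp" if s.proto == "tcp" else "unknown-udp"

def _service_covers(svc, app, proto, dport):
    if svc == "any":
        return True
    if svc == "application-default":  # only the app's standard ports
        return app == "any" or dport in APP_DEFAULT_PORTS.get(app, set())
    return svc == (proto, dport)      # explicit (protocol, port) service

def evaluate(s, rules):
    """Return (label, action); rules are checked top-down, no match is an implicit deny."""
    # A port no rule could ever allow is dropped before App-ID sees data: not-applicable.
    if not any(_service_covers(r["service"], r["app"], s.proto, s.dport) for r in rules):
        return "not-applicable", "deny"
    label = label_session(s)
    for r in rules:
        if r["app"] in ("any", label) and _service_covers(r["service"], label, s.proto, s.dport):
            return label, r["action"]
    return label, "deny"

# Port-based rule: anything on 53.  App-based rule: only DNS, only on DNS's default port.
PORT_BASED = [{"app": "any", "service": ("tcp", 53), "action": "allow"},
              {"app": "any", "service": ("udp", 53), "action": "allow"}]
APP_BASED = [{"app": "dns", "service": "application-default", "action": "allow"}]
```

Unidentified traffic on port 53 is allowed by the port-based rule but denied by the application-based one, which is the attack-surface reduction the notes describe.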
Port-Based Versus Next Generation Firewalls ???
>>App-ID concepts and operation
Application Shifts
Network traffic can shift from one application to another during a session.
Application Dependencies
Some applications are dependent on one or more other applications. Also, network traffic can shift from one
View Application Dependencies Before Modifying a Rule
Objects > Applications
View Unresolved Dependencies Reported After a Commit
A commit checks whether the application dependencies of every rule are satisfied by some rule.
Implicit Applications
Many common applications implicitly allow parent applications.
Determine Implicitly Used Applications
Objects > Applications
>>Configure App-ID objects
Application Groups
Objects > Application Groups > Add
Static, admin-defined set of applications. Application groups enable you to create a logical grouping of applications that can be applied to Security and QoS policy rules. A group does not change on its own; it needs manual updating.
Application Filters
An application filter is a dynamic group of applications.
Objects > Application Filter > Add
Nested Application Groups and Filters
An application group is manually configured to include applications, application filters, and other application groups. The diagram illustrates the possible ways that application groups and filters can be nested.
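An added example (not PAN-OS code) modelling the Application Groups, Application Filters and nesting described above: filter criteria are re-evaluated against the application database, so a new App-ID delivered by a content update shows up in the filter but not in the static group, and an outer group that nests both picks it up through the filter. The database entries, object names and the content_update helper are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed App-ID database: name -> attributes. Names and values are made up
# for this example and are not the vendor's real classification.
APPDB = {
    "zoom":    {"category": "collaboration",    "subcategory": "voip-video",     "risk": 3, "tags": {"sanctioned"}},
    "webex":   {"category": "collaboration",    "subcategory": "voip-video",     "risk": 3, "tags": set()},
    "dropbox": {"category": "general-internet", "subcategory": "file-sharing",   "risk": 4, "tags": set()},
    "dns":     {"category": "networking",       "subcategory": "infrastructure", "risk": 3, "tags": set()},
}

@dataclass
class AppFilter:      # dynamic: re-evaluated against whatever the database holds now
    name: str
    criteria: dict    # attribute -> set of acceptable values; "tags" needs any overlap

    def _matches(self, attrs):
        for key, wanted in self.criteria.items():
            hit = bool(attrs["tags"] & wanted) if key == "tags" else attrs[key] in wanted
            if not hit:
                return False
        return True

    def resolve(self, db):
        return {app for app, attrs in db.items() if self._matches(attrs)}

@dataclass
class AppGroup:       # static: the member list only changes when an admin edits it
    name: str
    members: list     # app name (str), AppFilter or AppGroup, resolved recursively

    def resolve(self, db):
        out = set()
        for m in self.members:
            out |= {m} if isinstance(m, str) else m.resolve(db)
        return out

def content_update(db, new_apps):
    """Stand-in for installing an Applications content update: new App-IDs join the database."""
    return {**db, **new_apps}

# Constructed objects: a filter and a group that today cover the same two apps,
# and an outer group nesting both (the nesting the notes describe).
COLLAB_FILTER = AppFilter("collab-filter", {"category": {"collaboration"}})
COLLAB_GROUP = AppGroup("collab-group", ["zoom", "webex"])
ALLOWED = AppGroup("allowed-apps", ["dns", COLLAB_FILTER, COLLAB_GROUP])
# Constructed update: a new collaboration App-ID arrives with a content install.
NEW_APPS = {"teams": {"category": "collaboration", "subcategory": "voip-video", "risk": 3, "tags": set()}}
```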
Predefined and Custom Application Tags
Objects > Applications
App ID in Policy Rules Reduces the Attack Surface
Policies > Security
Implement App ID using a positive enforcement model:
Specify what to allow rather than what to block.
Implement policy by application rather than by port:
Specify applications, application groups, application filters.
Application Block Page
Device > Response Pages
View Applications used in the Traffic Log
Monitor > Logs > Traffic
>>Unknown and encrypted application traffic
Differentiating Between Known and Unknown Applications
Applications can be divided into two main categories: applications known to App-ID and applications unknown to App-ID.
Control Unknown Applications
Control Applications on SSL-Secure Ports
Standard Ports
Secure Ports
Control Applications on Non-Standard Ports
Policies > Security
Objects > Applications
Identify Applications in Decrypted SSL Traffic
- SSL encrypts application-layer data.
- The firewall can identify and decrypt SSL traffic.
- App-ID identifies applications in decrypted SSL traffic:
  - uses signatures, decoders and behavioural heuristics
>>Migrating to an App-ID based Security Policy
Policy Optimizer
Policies > Security > Policy Optimizer > No App Specified
Moving to Application Based Policies
Phase 1: Migrate Port-Based Rules
Phase 2: Discover Applications Matching a Port-Based Rule
Policies > Security > Policy Optimizer > No App Specified
Phase 2: Clone a Port-Based Rule Using “Create Cloned Rule”
Phase 2: Replace a Port-Based Rule Using “Add to This Rule”
Phase 2: Replace a Port-Based Rule Using “Add to Existing Rule”
Phase 2: Replace a Port-Based Rule Using “Match Usage”
Prioritize Port-Based Rules to Convert
Phase 3: Review Port-Based Rules
Phase 3: Disable Port-Based Rules
Phase 3: Remove Port-Based Rules
>>Updating App-ID
App-ID and Content-ID Depend on Content Updates
Schedule Download and Install
Review Content Update Release Notes
1. Which three methods does App-ID use to identify network traffic? (Choose three.)
a. signatures
b. protocol decoders
c. heuristics
d. URL category
e. application filter match
2. How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?
a. not-applicable
b. incomplete
c. insufficient-data
d. unknown-tcp
3. True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.
a. true
b. false
4. True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.
a. true
b. false
5. When an Applications and Threats content update is performed, which is the earliest point where you can review the impact of new application signatures on existing policies?
a. after clicking Check Now
b. after download
c. after install
d. after commit
1. When creating an application filter, which of the following is true?
They are called dynamic because they will automatically include new applications from an application signature update if the new application’s type is included in the filter
They are used by malware
They are called dynamic because they automatically adapt to new IP addresses
Excessive bandwidth may be used as a filter match criteria
2. On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.
False
3. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
One
Four or five
Two
Three
4. What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
Application-default
Application-custom
Application-implicit
Application-dependent
5. What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?
Applications Report
Quality of Service Log
Quality of Service Statistics
Application Command Center (ACC)
6. What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)?
Blocked Activity
Application Traffic
Threat Activity
Network Traffic
7. How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?
not-applicable
insufficient-data
unknown-tcp
incomplete
8. When an Applications and Threats content update is performed, which is the earliest point where you can review the impact of new application signatures on existing policies?
a. after install NO
b. after clicking Check Now NO
c. after commit
d. after download
9. Which three methods does App-ID use to identify network traffic?
signatures
protocol decoders
application filter match NO
heuristics
URL category NO
Partially correct: correctly selected 2.
10. When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.
True
11. If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.
True