Application Identity

See everything in one go across the whole layer; tens of thousands of pounds in cost.

Introduction - Next-Generation Firewall: App-ID

App-ID

>>App-ID reduces the attack surface

What Is an Application?

An application is a program whose communication can be labelled, monitored and controlled.

It may be delivered through a web browser, a client-server model or a decentralized peer-to-peer design.

What Is App ID?

Applications and application functions are identified via multiple techniques, including:

  • application signatures
  • decryption (if needed)
  • protocol decoding
  • heuristics

 

App-ID Application Identification

Traditional firewalls use port blocking to control traffic. To allow a service such as DNS that uses port 53, the

The Palo Alto Networks next generation firewall is configured to allow the DNS service. If you configure the

App-ID looks at Layer 7 signatures.

Zero Day Malware: IPS Versus App ID

An IPS does not know the zero-day malware, so it is allowed through; the Palo Alto Networks firewall, however, is configured to allow only DNS application traffic.

App-ID and TCP

The TCP handshake (SYN, SYN-ACK, ACK) comes first, then perhaps a GET request, which identifies a web-based application. At the start there is not enough information to identify the application.

Classifying (Labelling) TCP Traffic

not-applicable --> incomplete --> insufficient-data --> unknown-tcp / unknown-p2p

App-ID and UDP

A Palo Alto Networks firewall examining UDP traffic often needs only a single UDP packet to identify the application.

Classifying (Labelling) UDP Traffic

not-applicable --> unknown-udp / unknown-p2p
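As an added illustration (not firewall code) of how App-ID labels a TCP or UDP session it cannot yet identify: the label meanings follow the Palo Alto Networks traffic-log definitions as this example's author understands them, the signature table and the 4-byte threshold are constructed stand-ins, and the heuristic unknown-p2p label is left out.

```python
# Added illustration, not Palo Alto Networks code. Label semantics follow the
# traffic-log definitions as understood by the author of this example; the
# signature table and MIN_PAYLOAD_FOR_MATCH are constructed stand-ins.
from dataclasses import dataclass

# Constructed stand-in for App-ID signatures: leading application-layer
# bytes that are enough to name the application.
SIGNATURES = {
    b"GET ": "web-browsing",
    b"SSH-": "ssh",
}
MIN_PAYLOAD_FOR_MATCH = 4  # assumption: fewer bytes than this cannot match


@dataclass
class Session:
    proto: str                 # "tcp" or "udp"
    allowed_by_policy: bool    # False: dropped before identification
    handshake_complete: bool = False
    payload: bytes = b""       # constructed application data seen so far


def classify(s: Session) -> str:
    """Return the application label App-ID would log for this session."""
    if not s.allowed_by_policy:
        # Dropped on port/service before any identification took place.
        return "not-applicable"
    if s.proto == "tcp":
        if not s.handshake_complete or not s.payload:
            # SYN / SYN-ACK / ACK alone carry no application data.
            return "incomplete"
        if len(s.payload) < MIN_PAYLOAD_FOR_MATCH:
            return "insufficient-data"
    # UDP has no handshake to wait for; a single datagram is often enough.
    for prefix, app in SIGNATURES.items():
        if s.payload.startswith(prefix):
            return app
    return "unknown-tcp" if s.proto == "tcp" else "unknown-udp"
```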

Port-Based Versus Next-Generation Firewalls

 

>>App-ID concepts and operation

Application Shifts

Network traffic can shift from one application to another during a session.

Application Dependencies

Some applications are dependent on one or more other applications. Also, network traffic can shift from one application to another during a session.

 

View Application Dependencies Before Modifying a Rule

Objects > Applications

View Unresolved Dependencies Reported After a Commit

A commit checks whether the application dependencies in each rule are satisfied by some rule.

Implicit Applications

Many common applications implicitly allow parent applications.

Determine Implicitly Used Applications

Objects > Applications


>>Configure App-ID objects

Application Groups

Objects > Application Groups > Add

Static, admin-defined sets of apps.

An application group is an admin-defined set of applications. Application groups enable you to create a logical grouping of applications that can be applied to Security and QoS policy rules. A group does not change by itself; it needs manual updating.

Application Filters

An application filter is a dynamic group of applications.

Objects > Application Filters > Add

 

Nested Application Groups and Filters

An application group is manually configured to include applications, application filters and other application groups. The diagram illustrates the possible ways that application groups and filters can be nested.

Predefined and Custom Application Tags

Objects > Applications

App ID in Policy Rules Reduces the Attack Surface

Policies > Security

Implement App-ID using a positive enforcement model: specify what to allow rather than what to block.
Implement policy by application rather than by port: specify applications, application groups and application filters.
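The following is an added example, not Palo Alto Networks code, serving both the application group / filter notes above and the positive enforcement model: it models a static Application Group, a dynamic Application Filter, nesting of the two, an Applications content update, and an allow-list policy check. The application attributes are constructed stand-ins for the real App-ID database.

```python
# Added example, not Palo Alto Networks code: a static Application Group,
# a dynamic Application Filter, nesting, an Applications content update and
# a positive-enforcement (allow-list) policy check. App attributes are
# constructed stand-ins for the real App-ID database.
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    category: str
    subcategory: str
    risk: int

# Constructed App-ID database (names real, attributes illustrative).
APP_DB = {
    "ssh": App("ssh", "networking", "encrypted-tunnel", 4),
    "web-browsing": App("web-browsing", "general-internet", "internet-utility", 4),
    "bittorrent": App("bittorrent", "general-internet", "file-sharing", 5),
}

class ApplicationFilter:
    """Dynamic set: every app whose attributes match, now or after an update."""
    def __init__(self, name, **criteria):
        self.name, self.criteria = name, criteria

    def resolve(self, db):
        return {n for n, a in db.items()
                if all(getattr(a, k) == v for k, v in self.criteria.items())}

class ApplicationGroup:
    """Static set: app names, filters or other groups picked by an admin."""
    def __init__(self, name, members):
        self.name, self.members = name, list(members)

    def resolve(self, db):
        apps = set()
        for m in self.members:  # a nested filter/group resolves itself; a name is literal
            apps |= m.resolve(db) if hasattr(m, "resolve") else {m}
        return apps

def content_update(db, new_apps):
    """Simulate an Applications content update adding new App-IDs."""
    updated = dict(db)
    updated.update({a.name: a for a in new_apps})
    return updated

def policy_allows(app, allow_rules, db):
    """Positive enforcement: allowed only if some rule names the app."""
    return any(app in rule.resolve(db) for rule in allow_rules)
```

A group that contains a filter picks up new apps through that filter, while a group listing only app names stays exactly as the admin left it.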

Application Block Page

Device > Response Pages

View Applications used in the Traffic Log

Monitor > Logs > Traffic


>>Unknown and encrypted application traffic

Differentiating Between Known and Unknown Applications

Applications can be divided into two main categories: applications known to App-ID and applications unknown to App-ID.

Control Unknown Applications


Control Applications on SSL-Secure Ports

Standard Ports

Secure Ports

Control Applications on Non-Standard Ports

Policies > Security

Objects > Applications

Identify Applications in Decrypted SSL Traffic

  • SSL encrypts application-layer data.
  • The firewall can identify and decrypt SSL traffic.
  • App-ID identifies applications in decrypted SSL traffic:
    • uses signatures, decoders and behavioural heuristics

>>Migrating to an App-ID based Security Policy

Policy Optimizer

Policies > Security > Policy Optimizer > No App Specified

Moving to Application Based Policies

 

Phase 1: Migrate Port-Based Rules

Phase 2: Discover Applications Matching a Port-Based Rule

Policies > Security > Policy Optimizer > No App Specified

Phase 2: Clone a Port-Based Rule Using “Create Cloned Rule”


Phase 2: Replace a Port-Based Rule Using “Add to This Rule”

Phase 2: Replace a Port-Based Rule Using “Add to Existing Rule”

Phase 2: Replace a Port-Based Rule Using “Match Usage”

Prioritize Port-Based Rules to Convert

Phase 3: Review Port-Based Rules

Phase 3: Disable Port-Based Rules

Phase 3: Remove Port-Based Rules


>>Updating App-ID

App-ID and Content-ID Depend on Content Updates

Schedule Download and Install

Review Content Update Release Notes

1. Which three methods does App-ID use to identify network traffic? (Choose three.)
a. signatures
b. protocol decoders
c. heuristics
d. URL category
e. application filter match
2. How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?
a. not-applicable
b. incomplete
c. insufficient-data
d. unknown-tcp
3. True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.
a. true
b. false
4. True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.
a. true
b. false
5. When an Applications and Threats content update is performed, which is the earliest point where you can review the impact of new application signatures on existing policies?
a. after clicking Check Now
b. after download
c. after install
d. after commit

 

1. When creating an application filter, which of the following is true?

They are called dynamic because they will automatically include new applications from an application signature update if the new application’s type is included in the filter

They are used by malware

They are called dynamic because they automatically adapt to new IP addresses

Excessive bandwidth may be used as a filter match criteria

2. On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.

False

3. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?

One 

Four or five

Two 

Three 

4. What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?

Application-default

Application-custom

Application-implicit

Application-dependent

5. What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?

Applications Report

Quality of Service Log

Quality of Service Statistics

Application Command Center (ACC)

6. What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)?

Blocked Activity

Application Traffic

Threat Activity

Network Traffic

7. How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?

not-applicable

insufficient-data 

unknown-tcp

incomplete

8. When an Applications and Threats content update is performed, which is the earliest point where you can review the impact of new application signatures on existing policies?

a. after install NO

b. after clicking Check Now  NO

c. after commit

d. after download

9. Which three methods does App-ID use to identify network traffic?

signatures

protocol decoders

application filter match NO

heuristics 

URL category  NO

Partially correct: correctly selected 2.

10. When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.

True 

11. If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.

True 
