Palo Alto EDU-114: Blocking Threats Using Custom Applications

  • Use logs to discover unknown traffic
  • List methods to control unknown traffic
  • Perform a packet capture using the web interface
  • Create a custom application with a custom signature
  • Manage custom applications
  • Create a custom application without a custom signature
  • Configure an Application Override policy

Applications are not always identified

Some applications can not be uniquely identified. Such as commercial or internally developed software.

These fall under a generic classification, such as unknown-tcp, unknown-udp, unknown-p2p, web-browsing or ssl.

Custom applications offer more granular control and reporting abilities to work in the Palo Alto firewall.

Controlling application traffic

There are different types of control application traffic on the Palo Alto firewall:

Commercial application known to App-ID can be used in Security Policy to permit or deny.

A commercial applciation unknown to App-ID can be submitted to Palo Alto networks to have a new signature created for the application to be used in security policies.

Additionally, a custom application can be created with a signature on the Palo Alto device that can be used as an application in the security policy.

Finally, a custom application can be created without a signature, using the application in application override feature.

With an internal application, your choices are limited to creating a custom application with a signature, to be used in Security Policy, or creating a custom application without a signature to be used as an application in application override.

Creating a custom application

To create an application with a signature, application traffic needs to be captured and unique bit patterns identified. The custom application can be created with signature and then applied in the security policy rules.

Automatic Packet Captures

The Palo Alto firewall randomly captures traffic that has been identified as unknown by the App ID database.

These logs can be downloaded within the Monitor -> Logs -> Traffic section of the firewall, clicking the green arrow next to the maginifying glass with export the file that can be re-imported into a Network Analyser such as wireshark

To verify that unknown traffic is being captured, the CLI command below can be ran on the firewall to check:

show running application setting | match "Unknown capture"

If the setting is not toggled to on or off, it can be changed with the following command, followed with a commit

set deviceconfig setting application dump-unknown <yes/no>

Manual Packet Captures

The Palo Alto firewall can carry out manual packet captures on the data plane, although it must be noted that an active packet capture may impact firewall performance. The Palo Alto firewall has limited analysis abilities built into it’s web interface.

The Palo Alto firewall can also capture traffic on the control plane, though this is limited to troubleshooting operational issues rather than troubleshooting application identification.

A packet capture to a network analyser offers more benefits over a packet capture to the local Palo Alto. Firewall performance is not impacted and much greater analysing abilities are available to an application dedicated to the task.

Capturing packets on the data plane can be filtered to a number of differnet options, such as:

  • Ingress Interface
  • Source IP address
  • Destination IP address
  • Source Port number
  • Destination Port number
  • Protocol Number
  • Non-IP
  • IPv6

Packets can also be captured at different stages as they progress through the Palo Alto firewall.

  • recieve stage – Captures pre-session packets when they are received on the data plane. Packets will have a pre-NAT address
  • drop stage – Captures packets dropped by the data plane for whatever reason
  • firewall stage – Captures packets matched to a session and processed by the firewall
  • transmit stage – Captures packets matched to a session and trasmitted by the data plane. Captured packets here will have a post NAT address

To take a data plane capture, go to monitor and select the option ‘Packet Capture’

Custom Application Creation

Custom applications can be created under the Objects -> Applications section of the Palo Alto

Once added, the application can be added under the security policy of the firewall.

For applications without a signature, application override can be used.







Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.