Objects:
Interpret the application labels in logs and reports
Migrate from a port-based Security Policy to an application-based Security policy
Maintain an up-to-date App-ID implementation
App-ID identifies applications in traffic o bserved by the firewall.
Traffic enters the firewall, and is attempted to be identified it’s application signature. If the firewall has decryption of SSL enabled, it will try to decrypt it and attempt to identify the decrypted traffic again by it’s signature.
If the application can not be identified by it’s signature, a protocol decoder attempts to identify the application.
If the protocol decoder fails in it’s identification of the application, the traffics analysed using behavioral heuristics.
At this point, if the traffic can still not be identified. The application is listed as unknown traffic.
At any point the application is identified, it is compared against the Security/Decryption and what action is required to be taken. If the application is not identified the same process can occcur, just under the ‘unknown’ application tag.
The Palo Alto firewall can identy encrypted traffic under the SSL application by decrypting it. Once decrypted the Palo Alto firewall takes the same process as above of trying to identify the traffic using signatures, protocol decoders, and behavioral heuristrics.
Applications can also be identified in Encrypted SSL traffic. If a single website users a unique IP address, the CN in the certificate can be used to identify the website being accessed.
If multiple websites shared an IP address, the SNI field in TLS can be used to identify the website being accessed.
When creating security rules, application id’s should be implemented using a positive security model. This means to specify what to allow rather than what to block – similar to a whitelist.
Being a next generation firewall, the Palo Alto should be configured by block via application, rather than port numbers. Port numbers would be a more typical approach to security on a standard router or layer 3 switch.
Applications can be controlled on non-standard ports. Under the service tab of the security rule, selecting application-default only permits the applications to operate on their commonly known ports. This can be changed to ‘any’ which allows the application to operate on any port. An additional service can be created which allows the Palo Alto administrator to permit the application to be communicated with on ports that may be non standard.
Note that when an application is SSL encrypted, it may operate on a port that is different from the standard port that is commonly known when the application operates in plain text.
Following from Palo Alto OS 9.0, applications do contain two different fields that list applications with their Standard non-SSL ports, and another field that lists their secured ports.
Examples of these applications would be:
- web-browsing
- SMTP
- FTP
- LDAP
- IMAP
Application IDs can be identified in the logs, under the column Application in Monitor > Logs > Traffic.
Labeling of TCP traffic in the logs:
- not-applicable – Traffic dropped from policy before the traffic could be identified
- incomplete – Three-way handshake dd not complete or was followed by no data
- insufficent-data – Not enough payload of identification
- unknown-tcp – Unidentifiable TCP traffic
- unknown-p2p – Unidentifiable peer-to-peer traffic
Labeling of UDP traffic in the logs:
- not-applicable – Traffic dropped per polciy before application could be identified
- unknown-udp – Unidentifiable UDP traffic
- unknown-p2p – Unidentifiable peer-to-peer traffic
If allowed network traffic is unidentifiable by App-ID, it is examined to see if https is present. If https is present the applcation I.D. is set to SSL. If http is detected, the application I.D. is set to web-browsing. If http is not detected, the application i.d. is set to: unknown-tcp, unknown-udp or unknown-p2p. The traffic log can be examined for further details
Unknown applications can be controlled by blocking the three categories unknown-tcp, unknown-udp and unknown-p2p in a security policy. The application can be manually identified by creating a custom application with a custom signature in Objects -> Applications -> Add. Alternatively an application override policy can be created under Policies -> Application Override
Moving to a Palo Alto firewall, or an application based firewall can be done in a couple of methods. Using the greenfield method or the migration method.
The greenfield method involves putting the firewall in a logging state sitting between the legacy third party firewall and the internet. This can be done in VWire, L3 or TAP mode. The information logged can be used to create a suitable security policy on the firewall based on identified applications in the logs.
The Migration method has three phases.
Phase 1 is to migrate the legacy port based policy to a Palo Alto Networks firewall. The goals being to ensure a succesful cutover, with minimised user issues. In this state the firewall can capture application traffic.
Phase 2 consists of adding application based rules above corresponding port-based rules, reducing the attack surface and removing unknown applications as soon as possible.
Phase 3 consists of removing the old legacy port-based rules, completing the policy migration from a port-based firewall to an application one.
The priortisation of rules to migrate can be found in the policy optimiser, that gives clues to the most common port based ruels in use during a migration. Attention should be paid to the rules that utlise the most traffic with services and no applications defined. The policy optimiser also displays the numbers of applications seen attached to a rule and the number of days since an additional application has been observed. A hit count is present in the Rule Usage section of the Policy Optimiser, so that attention can be paid to the Rules with the most hits.
Policy Optimiser also has a section for Unused Applications, that will identify applications permitted in a security rule that have not been seen in some number of days. This can be useful in optimising rules where previous applications are no longer present
Application and Threat conent updates are pulled to the firewalls from https://updates.paloaltonetworks.com
The content updates for application signatures, including Protocol decoders and Protocol context create App-ID that allows the firewall to identify applications. These updates do not require a licence.
Threat signatures, which contain Threat Signatures along with protocol decoders and protocol contexts create Context-ID. The addition of the Threat Signatures are a licenced feature that require a licence on the Palo Alto firewall.
These two signature types are what the Palo Alto firewall depend on to maintain maximum protection on the network and should be scheduled to update regularly. If an outdated application i.d. can not identify the traffic, then the content i.d. can not inspect traffic for threats.
Two content update workflows are available based on the administrators priority for updating the firewall. If application uptime is the priority:
- Allow new App-IDs in Security Policy Rule
- Schedule download and install
- Review content release notes
- View new and modified App-IDs
- Review and update policies
- Commit the configuration
If security first is the chosen workflow:
- Schedule a download and install
- Review content release notes
- View new and modified App-IDs
- Review and update policies
- Commit the configuration
To not block new applications, create a security rule to permit new applications, adding a filter for the sub-category of the new application type you would like to permit. On the application filter ensure the checkbox: Apply to new App-IDs only is ticked.
To schedule the download and install of new applications, see the Dynamic Updates section under Device. Set the schedule to update as requested.
Release notes for the application I.D.’s can be selected on the same page under the Documentation column as well as new and modified applications since the last installed update.
Updates do not need to be scheduled, but can be manually downloaded and installed from the Dynamic Updates page.
The impact of the downloaded application ids can be checked once downloaded against the existing security policy.
Leave a Reply