PaloAlto Ignite 2012 notes: App-ID

This article is part of a series which depicts some of the notes I took during several sessions in the Palo Alto Networks Ignite conference in Las Vegas.

APP-ID

– The flowchart below depicts the life of a session. At each subsequent stage, more information is gathered about the session, allowing finer granularity in policy enforcement.

Best Practices in deploying APP-ID rules

  • Review the ACC and catalog the existing apps in your network. Decide whether to allow or deny these apps.
  • The ACC and the App Browser together will help in deciding which applications to allow/deny.
  • When creating rules, use “application-default” as the service object in allow rules.
  • Use the “any” service object only in deny rules.

– Application Dependencies: may dictate that more than one application needs to be allowed in rulesets. For example, “facebook” depends on “web-browsing”

– Application Override: Equivalent to port-based rules; no signatures are required. Application overrides depend on fixed ports, so they are very static by nature. Overrides bypass all Content-ID and threat scanning. This improves latency slightly, but with the caveat of less protection.
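The three points above (allow rules on “application-default”, “any” only in deny rules, dependencies such as facebook → web-browsing, and overrides that skip Content-ID) can be checked mechanically against an exported rulebase. The script below is an added example, not code from the notes or from Palo Alto Networks: it parses a constructed, PAN-OS-style XML fragment (the element names mirror the PAN-OS config layout but the rules are made up) and reports where the rulebase departs from those practices. The dependency map contains only the facebook → web-browsing pair quoted in the notes; a real audit would pull dependencies from the firewall's application database.

```python
import xml.etree.ElementTree as ET

# Constructed PAN-OS-style rulebase (illustrative; not a real export).
SAMPLE_RULEBASE = """<rulebase>
  <security><rules>
    <entry name="allow-web">
      <action>allow</action>
      <application><member>web-browsing</member><member>ssl</member></application>
      <service><member>application-default</member></service>
    </entry>
    <entry name="allow-facebook">
      <action>allow</action>
      <application><member>facebook</member></application>
      <service><member>any</member></service>
    </entry>
    <entry name="deny-p2p">
      <action>deny</action>
      <application><member>bittorrent</member></application>
      <service><member>any</member></service>
    </entry>
  </rules></security>
  <application-override><rules>
    <entry name="override-legacy">
      <port>8443</port>
      <application>custom-legacy-app</application>
    </entry>
  </rules></application-override>
</rulebase>"""

# Only the dependency quoted in the notes; a full map would come from the
# firewall's application database (assumption: flat "app -> required apps").
APP_DEPENDENCIES = {"facebook": ["web-browsing"]}


def _members(entry, tag):
    """Collect <member> text values under a child element such as <service>."""
    return [m.text for m in entry.findall(f"./{tag}/member")]


def audit_rulebase(xml_text):
    """Return (rule_name, finding) tuples for departures from the App-ID practices."""
    root = ET.fromstring(xml_text)
    findings = []

    for entry in root.findall("./security/rules/entry"):
        name = entry.get("name")
        action = entry.findtext("action")
        apps = _members(entry, "application")
        services = _members(entry, "service")

        if action == "allow":
            # Allow rules should pin the service to application-default, never "any".
            if "any" in services:
                findings.append((name, "allow rule uses service 'any' instead of application-default"))
            elif "application-default" not in services:
                findings.append((name, "allow rule without application-default service"))
            # An allowed app whose dependency is not also allowed will not work as intended.
            for app in apps:
                for dep in APP_DEPENDENCIES.get(app, []):
                    if dep not in apps:
                        findings.append((name, f"{app} depends on {dep}, which is not in the rule"))

    # Every application override is port-based and skips Content-ID / threat scanning.
    for entry in root.findall("./application-override/rules/entry"):
        findings.append((entry.get("name"),
                         f"application override on port {entry.findtext('port')} bypasses Content-ID"))
    return findings


if __name__ == "__main__":
    for rule, finding in audit_rulebase(SAMPLE_RULEBASE):
        print(f"{rule}: {finding}")
```

Run against a real export, the same walk applies to the `security` and `application-override` rulebases under each vsys; the constructed sample yields two findings on `allow-facebook` and one on the override rule, and none on the deny rule, which is exactly where “any” is acceptable.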

  • App-ID updates are published weekly, every Tuesday. Check the “previously detected as” field to update security policy accordingly.
  • Best practice dictates using application filters, since they are dynamic and are updated automatically.
  • Two variables in App-ID content updates:
      • Schedules: schedule during non-business hours
      • Thresholds: amount of time an App-ID signature has already been in use for

Building Custom App IDs

  • This involves writing custom signatures. Content-ID (threat prevention) still applies to these signatures, unlike application overrides.
  • Custom App-IDs leverage:
      • Protocol decoders (e.g. the HTTP decoder)
      • Contexts (e.g. GET / POST)
      • Patterns (regular expressions)
  • Configured via: Objects > App Browser > Add
  • App-ID rules are triggered if any custom signature matches (or any other logical condition that exists between signature patterns)
  • Custom signatures have a minimum 7-byte limit (to limit the number of false positives)
  • Custom signatures have a minimal performance impact, thanks to the Palo Alto SP3 architecture that implements parallel searches. However, depending on how the signature is written, a small amount of memory and CPU cycles are consumed.
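Because a custom signature is a decoder, a context and a regex pattern, the two constraints above (the pattern must carry at least 7 fixed bytes, and the context must belong to the chosen decoder) are easy to pre-check before the objects are committed. The validator below is an added example, not code from the notes or from Palo Alto Networks. It works on constructed signature definitions; the context names in `DECODER_CONTEXTS` are an assumption for illustration (the authoritative list is the one offered in the App Browser), and the fixed-byte count is a conservative approximation that splits the pattern on regex metacharacters and keeps the longest literal segment.

```python
import re

# Constructed custom App-ID signature definitions (illustrative, not from a firewall).
SAMPLE_SIGNATURES = [
    {"name": "legacy-agent", "decoder": "http",
     "context": "http-req-uri-path", "pattern": r"/legacyagent/v[0-9]+/poll"},
    {"name": "too-short", "decoder": "http",
     "context": "http-req-headers", "pattern": r"X-Ag[0-9]"},
    {"name": "bad-context", "decoder": "http",
     "context": "smtp-body", "pattern": r"ABCDEFGH"},
]

# Assumed decoder -> context mapping for the example; check the App Browser for real names.
DECODER_CONTEXTS = {
    "http": {"http-req-uri-path", "http-req-headers", "http-rsp-headers"},
}
MIN_FIXED_BYTES = 7  # the minimum fixed-string length quoted in the notes

# Regex metacharacters; anything between them is treated as a literal run.
_META = re.compile(r"[\[\]().*+?{}|\\^$]")


def longest_fixed_run(pattern):
    """Conservative estimate of the longest literal byte run in a regex.

    Splitting on every metacharacter also splits escaped literals such as r"\\.",
    so the estimate can only under-count, never over-count, fixed bytes.
    """
    return max((len(seg.encode()) for seg in _META.split(pattern)), default=0)


def validate_signatures(signatures):
    """Return (signature_name, issue) tuples for definitions that break a constraint."""
    issues = []
    for sig in signatures:
        allowed = DECODER_CONTEXTS.get(sig["decoder"], set())
        if sig["context"] not in allowed:
            issues.append((sig["name"],
                           f"context {sig['context']} is not a {sig['decoder']} decoder context"))
        fixed = longest_fixed_run(sig["pattern"])
        if fixed < MIN_FIXED_BYTES:
            issues.append((sig["name"],
                           f"longest fixed run is {fixed} bytes, below the {MIN_FIXED_BYTES}-byte minimum"))
    return issues


if __name__ == "__main__":
    for name, issue in validate_signatures(SAMPLE_SIGNATURES):
        print(f"{name}: {issue}")
```

Short fixed runs are exactly the signatures the notes warn produce false positives, so a failing check here is a prompt to anchor the pattern on a longer literal (a fixed path segment or header name) rather than on a character class.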