Palo Alto Ignite 2012 notes: App-ID
This article is part of a series presenting some of the notes I took during several sessions at the Palo Alto Networks Ignite conference in Las Vegas.
– The flowchart below depicts the life of a session. At each subsequent stage, more information is gathered about the session, allowing more granular policy enforcement.
Best Practices in deploying APP-ID rules
- Review the ACC and catalog existing apps in your network. Decide whether to allow or deny these apps.
- The ACC and app-browser together will help in deciding which applications to allow or deny
- When creating rules, use the “application-default” as a service object in allow rules
- Use the “any” service object only in deny rules
– Application Dependencies: may dictate that more than one application needs to be allowed in rulesets. For example, “facebook” depends on “web-browsing”
– Application Override: Equivalent to port-based rules, no signatures required. Application overrides depend on fixed ports, so they are very static by nature. Overrides bypass all Content-ID and threat scanning. This improves latency slightly, but with the caveat of less protection.
- App-ID updates are released weekly, every Tuesday. Check the “previously detected as” information to update security policy effectively
- Best practice dictates using application filters since they are dynamic and automatically get updated
- Two variables in App-ID content updates:
  - Schedules: schedule during non-business hours
  - Thresholds: amount of time the App-ID signature has already been in use
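
The service-object and dependency practices above can be checked mechanically against a rulebase. The following Python is an added example, not part of the original notes or any Palo Alto Networks tooling; the XML layout (modeled on an exported security rulebase), the rule names, the helper names and the sample data are assumptions, and the dependency map holds only the facebook example from these notes.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout modeled on security rule entries (assumption).
SAMPLE_RULES = """<rules>
  <entry name="allow-facebook">
    <application><member>facebook</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-ssl">
    <application><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="block-p2p">
    <application><member>bittorrent</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>"""

# Only the dependency named in the notes; extend it from the app browser.
APP_DEPENDENCIES = {"facebook": {"web-browsing"}}

def members(entry, tag):
    """Return the set of <member> values under the given child element."""
    return {m.text.strip() for m in entry.findall(f"{tag}/member") if m.text}

def audit_rules(xml_text, deps=APP_DEPENDENCIES):
    """Return (rule, issue) findings. Ignores rule order, zones and users."""
    entries = ET.fromstring(xml_text).findall("entry")
    allow = [e for e in entries if e.findtext("action", "").strip() == "allow"]
    allowed_apps = set().union(*(members(e, "application") for e in allow))
    findings = []
    for e in allow:
        name = e.get("name")
        if "any" in members(e, "service"):  # "any" belongs only in deny rules
            findings.append((name, "service 'any' in allow rule"))
        for app in sorted(members(e, "application")):
            # An allow rule for application "any" satisfies every dependency.
            missing = set() if "any" in allowed_apps else deps.get(app, set()) - allowed_apps
            for dep in sorted(missing):
                findings.append((name, f"{app} depends on {dep}, which no allow rule permits"))
    return findings

if __name__ == "__main__":
    for rule, issue in audit_rules(SAMPLE_RULES):
        print(f"{rule}: {issue}")
```

The deny rule with service "any" produces no finding, matching the guidance that "any" is acceptable only there.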
Building Custom App IDs
- This involves writing custom signatures. Content-ID (threat prevention) still applies to these signatures, unlike application overrides.
- Custom App-IDs leverage:
  - Protocol decoders (e.g. the HTTP decoder)
  - Contexts (e.g. GET / POST)
  - Patterns (regular expressions)
- Configured via: Objects > App Browser > Add
- App-ID rules are triggered if any custom signatures match (or any other logical conditions that exist between signature patterns)
- Custom signatures have a minimum 7-byte limit (to limit the number of false positives)
- Custom signatures have a minimal performance impact due to the Palo Alto SP3 architecture that implements parallel searches. However, depending on how the signature is written, a small amount of memory and CPU cycles are consumed.