PaloAlto Ignite 2012 notes: App-ID

This article is part of a series which depicts some of the notes I took during several sessions in the Palo Alto Networks Ignite conference in Las Vegas.


– The flowchart below depicts the life of a session. At each subsequent stage, more information is gathered about the session, giving finer granularity for policy enforcement.

Best Practices in deploying APP-ID rules

  • Review the ACC and catalog existing apps in your network. Decide whether to allow or deny these apps.
  • The ACC and the app browser together will help in deciding which applications to allow or deny
  • When creating rules, use “application-default” as the service object in allow rules
  • Use the “any” service object only in deny rules

– Application Dependencies: may dictate that more than one application needs to be allowed in rulesets. For example, “facebook” depends on “web-browsing”
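As an added example, not part of the original notes or any Palo Alto Networks tool, the following linter checks a simplified rulebase against the best practices above: allow rules must use “application-default”, and every allowed application's dependencies must be allowed by some rule. The rule fields and the dependency table are assumptions; rule order, zones and addresses are ignored.

```python
# Added example (not from the Ignite notes or Palo Alto Networks): a small
# linter for a simplified rulebase. Rule fields and APP_DEPENDENCIES are
# assumptions, not a PAN-OS API; rule order, zones and addresses are ignored.

# Assumed dependency table; "facebook" -> "web-browsing" is the pair the notes cite.
APP_DEPENDENCIES = {
    "facebook": {"web-browsing"},
    "web-browsing": set(),
    "ssl": set(),
}


def lint_rules(rules):
    """Return (rule_name, finding) tuples for best-practice violations.

    A rule is a dict: {"name": str, "action": "allow" | "deny",
    "apps": [str], "service": str}.
    """
    findings = []
    # Everything the rulebase allows, so dependencies are checked against
    # the whole rulebase rather than a single rule.
    allowed = {app for r in rules if r["action"] == "allow" for app in r["apps"]}
    for rule in rules:
        name, service, apps = rule["name"], rule["service"], rule["apps"]
        if rule["action"] != "allow":
            continue  # "any" as a service is acceptable in deny rules
        # Allow rules should pin apps to their standard ports.
        if service != "application-default":
            findings.append((name, f"allow rule uses service '{service}' instead of 'application-default'"))
        # Each allowed app's dependencies must be allowed somewhere too.
        for app in apps:
            missing = APP_DEPENDENCIES.get(app, set()) - allowed
            if missing:
                findings.append((name, f"'{app}' depends on {sorted(missing)}, which no allow rule permits"))
    return findings


# Constructed sample rulebase: one clean rule, one rule violating both checks.
SAMPLE_RULES = [
    {"name": "allow-web", "action": "allow", "apps": ["ssl"], "service": "application-default"},
    {"name": "allow-fb", "action": "allow", "apps": ["facebook"], "service": "any"},
    {"name": "deny-rest", "action": "deny", "apps": ["any"], "service": "any"},
]

if __name__ == "__main__":
    for rule_name, finding in lint_rules(SAMPLE_RULES):
        print(f"{rule_name}: {finding}")
```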

– Application Override: Equivalent to port-based rules, no signatures required. Application overrides depend on fixed ports, so they are very static by nature. Overrides bypass all Content-ID and threat scanning. This improves latency slightly, but with the caveat of less protection.

– App-ID updates are released weekly, every Tuesday. Check the “previously detected as” field to update security policy effectively

– Best practice dictates using application filters since they are dynamic and automatically get updated

– Two variables in App ID content updates:

  • Schedules : schedule during non-business hours
  • Thresholds: amount of time an App-ID signature has already been in use

Building Custom App IDs

– This involves writing custom signatures. Content-ID (threat prevention) still applies to these signatures, unlike application overrides.

– Custom APP-IDs leverage:

  • Protocol decoders (eg HTTP decoder)
  • contexts (eg GET / POST)
  • patterns (regex expressions)

– Configured via: Objects > App Browser > Add

– APP ID rules are triggered if any custom signatures match (or any other logical conditions that exist between signature patterns)

– Custom signatures have a 7-byte minimum length (to limit false positives)

– Custom signatures have a minimal performance impact due to the Palo Alto SP3 architecture that implements parallel searches. However, depending on how the signature is written, a small amount of memory and CPU cycles are consumed.
