PCNSE - APP-ID to Block Threats
Review Policies
Installation of new application signatures included in a content update sometimes can cause a change in policy enforcement for the application that now is identified differently. To review policy details, browse to Device > Dynamic Updates. After you download and install a new content release with new and updated application signatures, click Review Policies to review their policy impact. During a policy review, application signatures are compared against policy rules in the candidate configuration.
How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?
Insufficient Data
Application-Uptime and Security-First
Intro: Identify your organization as having either an application-uptime or a security-first priority. Your choice of either an application-uptime or a security-first priority will determine the content update workflow that you use and the configuration choices you make. Application-Uptime: An application-uptime environment prioritizes application availability over protection that uses the latest threat signatures. Your network has zero tolerance for application downtime. Your primary concern is that a change to application signatures in a content release could cause downtime. Security-First: A security-first environment prioritizes protection using the latest threat signatures over application availability. Your primary concern is maintaining the latest threat prevention and not that a change to application signatures could cause some downtime.
True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.
True
True or false? In Palo Alto Networks terms, an application is a specific program or feature that can be detected, monitored, and blocked if necessary.
True
True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.
True
Discover Unused Applications
Use policy optimizer to identify unused apps. Policy Optimizer>Unused apps
(Policy Review Parameters)Application
Use the Application field to select the application to compare against your policies.
Content Version
Use the Content Version field to compare different content updates to the candidate policies.
What triggers Security policy rule match in the Policy Optimizer's No App Specified window?
'any' in the application column
Three(3) methods available for processing traffic identified only as: unknown-tcp unknown-udp unknown-p2p web-browsing
- Control unknown applications by blocking unknown-tcp, unknown-udp, or unknown-p2p traffic in the Security policy. - Create a custom application rather than block unknown traffic. - Create an Application Override policy rule.
App-ID and UDP
A Palo Alto Networks firewall examining UDP packets often must examine only a single UDP packet to identify the application. In most cases, all the information that the firewall needs is contained in the first packet.
'Add to Existing Rule'
Adds another security policy rule that can be picked from list.
Review New and Updated Application Details
After you download a content update, a Review Apps link appears in the web interface. To review application details, browse to Device > Dynamic Updates. Click Review Apps to open the New and Modified Applications since last installed content window, which lists all new or updated application signatures included in the content update.
Protocol Contexts(NO LICENSE NEEDED)APP-ID/CONTENT-ID
An Applications and Threats content update also can include new or updated protocol contexts. Network protocols use a communication language that consists of a well-defined set of requests and responses. A protocol context refers to a part of that communication language. For example, the HTTP http-req-host-header context refers to that part of the HTTP communication where the hostname is exchanged.
Applications and Threats Package Contents
An Applications and Threats content update contains four main components: - application signatures - threat signatures - protocol decoders - protocol contexts
Application Groups
An application group is a static, administrator-defined set of applications. Application groups enable you to create a logical grouping of applications that can be applied to Security and QoS policy rules. An Application group is used when you want to treat a set of applications similarly in a policy. Application groups ultimately simplify administration of your rulebases. Instead of you adding the same list of applications to multiple rules, you can create an application group and add the group to multiple rules. You still must issue a firewall commit after updating an application group.
Nested Application Groups and Filters
An application group is manually configured to include applications, application filters, and other applications groups.
Release Timing
Any brand-new applications, decoders, or contexts typically are released in the evening of the third Tuesday of every month in the Pacific time zone. This time converts to Wednesday in Asia. Updated applications, decoders, or contexts, and either new or updated threat signatures, are released at least weekly but can be released more often.
Encrypted SSL Traffic - Single Site
App-ID cannot use signatures and decoders to identify applications in encrypted traffic. However, the firewall attempts to identify the encrypted application using two(2) other methods. 1) The first method relies on the Common Name field in a certificate, which typically contains either the FQDN of the server or its IP address. 2)The second method relies on a TLS protocol extension named Server Name Indication (or SNI) that enables multiple hostnames to be served over HTTPS from the same IP address.
Application Signature
App-ID checks the traffic for a protocol and bit pattern identified by an application signature. If an application is identified by a signature, then the firewall checks the Security policy to determine what to do with the traffic.
App-ID Application Identification
App-ID enables you to see the applications on your network, their behavioral characteristics, and their relative risk. - Application Signature - Protocol Decoders - Heuristics - Identity Unknown - Application Shift
Classifying (Labeling) TCP Traffic
App-ID labels the TCP traffic seen by the firewall. If enough packets are received for App-ID to identify the application, then App-ID assigns an application label such as gmail-base. If App-ID cannot identify the application, then it assigns labels such as not-applicable, incomplete, insufficient-data, unknown-tcp, or unknown-p2p.
Classifying (Labeling) UDP Traffic
App-ID labels the UDP traffic seen by the firewall. If App-ID recognizes the application, then it assigns an application label such as dns or call-of-duty. If App-ID cannot recognize the application, then it assigns an application label such as unknown-udp or unknown-p2p. A Palo Alto Networks firewall examining UDP packets often must examine only a single UDP packet to identify the application.
APP-ID Insufficient Data(TCP
App-ID labels the traffic as insufficient-data when not enough data is received in the payload to identify the application. In this case, the THREE-WAY TCP HANDSHAKE COMPLETES, but not enough data follows the handshake to identify the traffic.
APP-ID not-applicable(UDP)
App-ID labels the traffic as not-applicable when the firewall DISCARDS the traffic because the Security policy does not allow it.
APP-ID <application_name> or unknown-tcp or unknown-p2p(TCP)
App-ID labels the traffic as unknown-tcp when the three-way TCP handshake completes and data is flowing, but App-ID cannot identify the application. App-ID labels the traffic as unknown-p2p when App-ID cannot match the traffic to a specific application, but the traffic exhibits generic peer-to-peer behavior. An unknown-tcp or unknown-p2p label could be the result of an internally developed application, commercial application, or malware for which the firewall has no signature.
APP-ID <application_name> or unknown-udp or unknown-p2p(UDP)
App-ID labels the traffic as unknown-udp when App-ID cannot identify the application. App-ID labels the traffic as unknown-p2p when App-ID cannot match the UDP traffic to a specific application, but the traffic exhibits generic peer-to-peer behavior. An unknown-udp or unknown-p2p label could be the result of an internally developed application, commercial application, or malware for which the firewall has no signature.
APP-ID Incomplete(TCP
App-ID labels traffic as incomplete when either the three-way TCP handshake DOES NOT COMPLETE or when the handshake completes but no data follows the handshake. Traffic labeled as incomplete by App-ID is not really an application.
APP-ID Not-Applicable(TCP)
App-ID labels traffic as not-applicable when the firewall DISCARDS the traffic because the Security policy does not allow it. For example, if a Security policy allows HTTP traffic on only TCP port 80 but the traffic arrives on a different port, then the firewall blocks the traffic and App-ID assigns the label not-applicable in logs and reports.
App-ID Application Labels
App-ID labels traffic observed by the firewall. The label is displayed in various logs and reports as an application name.
Which item is the name of an object that dynamically identifies and associates applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic?
Application Filter
Review Content Update Release Notes
Content Release Notes also describe how the update might impact existing Security policy enforcement and provide recommendations about how you can modify your Security policy to best leverage what is new. You can review Content Release Notes for applications and threats directly on the firewall. Browse to Device > Dynamic Updates and click Release Notes for a specific content release version.
Applications and Threats Content Updates
Content updates are made available to firewalls worldwide through a URL. A firewall or Panorama can pull content updates directly from the URL. Panorama also can push content updates to its managed firewalls.
'Create Cloned Rule'
Creates a new app-based rule based on port-based rule. - Option 'add container app' adds all apps related - Option 'add specific apps seen' adds only listed app
'Match Usage'
Creates new rule that contains all discovered applications - Replaces existing port-based rule with a new app-based rule.
Application Shift
Even after App-ID initially has identified an application, App-ID continues to use the protocol decoders to determine whether the original application has shifted to a new application. Decoders for known protocols use additional context-based signatures to detect other applications that might be tunneling inside of the protocol. For example, Yahoo! Instant Messenger can be carried in the HTTP protocol. If an application shift is detected, the firewall checks the Security policy again to determine what to do with the traffic.
Implicit Applications
For many applications, the App-ID database implicitly allows the required parent application without the need for you to explicitly add the parent application to the Security policy. Implicit Dependencies: App-ID defines implicit dependencies because the addition of parent applications to a rule in the Security policy could allow more traffic than intended. For example, enablement of web-browsing just to allow facebook-base would allow users to browse other websites. Configure Additional Security: An administrator would have to configure additional Security policy rules to control other website access. Security policy administration is simplified when App-ID implicitly allows parent applications. Implicit Permissions: Implicit permissions for a parent application are processed only if you have not added an explicit Security policy rule for the parent application. This implicit support also applies to administrator-defined custom applications that are based on HTTP, SSL, MS-RPC, or RTSP.
Identity Unknown
If App-ID cannot identify an application, it labels the traffic as unknown. You can create Security policy rules that tell the firewall what to do with unknown traffic.
Application Block Page
If the Application Block Page is enabled and a Security policy rule denies a web-based application, then a browser-based response page is displayed. The default response page includes the prohibited application name and the user's name if the User-ID feature has been configured.
Application Group
If you also enable User-ID, you can specify which users and groups are allowed to use the sanctioned applications. Use App-ID and User-ID together to greatly reduce the cyberattack surface across your organization.
Virtual System
If you have a firewall is capable of multiple virtual systems, you can change the Virtual System field to view policy impacts for a specific Virtual System.
Moving to Application-Based Policies
If you have no existing policy or your existing policy DOES NOT have to be retained, then you can use the greenfield method. If you MUST RETAIN the structure of an existing policy, then you should use the migration method. The migration method retains important historical information about your applications but REPLACES the PORT-BASED rules with APPLICATION-BASED rules.
Application
In Palo Alto Networks terms, an application is a specific program or feature whose communication can be labeled, monitored, and controlled.
Application Signatures(NO LICENSE NEEDED)APP-ID
New or updated application signatures enable the firewall to more precisely identify and label network traffic.
Protocol Decoders(NO LICENSE NEEDED)APP-ID/CONTENT-ID
New or updated protocol decoders enable the firewall to read network traffic. For example, HTTP and Portable Executable (PE) protocol decoders enable App-ID to read and interpret HTTP traffic or PE file contents. Multiple protocol decoders are critical for enabling App-ID and Content-ID to identify and read applications and services.
Predefined and Custom Application Tags
Palo Alto Networks assigns one or more predefined tags to applications in the App-ID database. Palo Alto Networks maintains these tags over time as part of the weekly Applications and Threats content updates. You can indirectly use these tags in Security policy rules to control application traffic. Rules based on Palo Alto Networks-defined application tags will automatically update to control a new list of applications whenever Palo Alto Networks updates its application tags and distributes the update via weekly content updates.
Migration Method
Phase 1: Migrate legacy port-based policy to Palo Alto Networks firewall. Phase 2: Add application-based rules above corresponding port-based rules. (In Phase 2 you use the Security policy's Policy Optimizer tool, or inspect the Traffic log and use its information to add application-based rules to the Security policy.) Phase 3: Remove port-based rules. (You review the Traffic logs and Security policy to determine if traffic is continuing to match any legacy, port-based rule. If no legitimate traffic has matched a legacy rule, then that legacy rule can be safely removed. If traffic has matched a legacy rule, the corresponding application-based rule is updated to match the traffic.)
Which tool is available in the management web interface to help you migrate from port-based policy rules to application-based policy rules?
Policy Optimizer
Which three methods does App-ID use to identify network traffic? (Choose three.)
Protocol Decoders Signatures Heuristics
'Add to this rule'
Replaces port-based rule with app-based rule. - Auto-adds applications to the existing rule(Rule auto-modified)
Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which application?
SSL
Scheduling Applications and Threats Content Updates
Set the Recurrence: When the Applications and Threats Update Schedule window opens, set the Recurrence to Every 30 Minutes to ensure that your firewall sees new content updates within 30 minutes of their release. Also, choose a time to check for new updates. Select the Action: Download - A download transfers updated content to the firewall, including any new or updated application and threat signatures. New or updated application signatures are marked as pending, in a gray italicized font. Neither application nor threat signatures are usable for traffic inspection following a download operation. Install - The install operation removes the pending status from new application signatures. Application signatures are available to App-ID for policy evaluation, but policy rules cannot use updated application signatures until you PERFORM A COMMIT operation. The install operation also makes any new or UPDATED THREAT SIGNATURES IMMEDIATELY AVAILABLE to the Content-ID engine for traffic inspection. You do not need to perform a commit operation to use new or updated threat signatures. Set the Thresholds: In rare cases, a newly released content update could have an error that might take a few hours to detect, fix, and re-release. You can use the Threshold (hours) value to delay download and installation for a specified number of hours. - A value of 6 to 12 hours for a security-first firewall is recommended. - A value of 24 to 48 hours is recommended for an application-uptime firewall. Use the New App-ID Threshold (hours) value to delay only the installation of content updates that include new application signatures. These content updates still are downloaded so that you can use the pending application signatures to review and update policy rules. - A null value for a security-first firewall. - A value of 24 to 48 hours is recommended for an application-uptime firewall. The delay for an application-uptime firewall provides you with time to review and update your policy rules.
Dependent Applications
Some applications are dependent on one or more other applications. Also, network traffic can shift from one application to another during the lifetime of a session. For these reasons, when you create a policy to allow applications, you also ensure that the firewall allows the other applications on which the application depends.
View Unresolved Dependencies Reported After a Commit
Starting with PAN-OS 9.1, unresolved application dependencies during commit operations are reported on the App Dependency sub-tab in the Commit Status window.
Control Applications on SSL-Secure Ports
Starting with the PAN-OS 9.0 release, the application-default service setting has been extended to allow certain SSL-encrypted applications on their default SSL secure ports, in addition to the application's standard ports.
Rulebase
Supported rulebase policies are the Security, QoS, Policy Based Forwarding, and SD-WAN policies.
Expedition Migration Tool
The Expedition tool includes functionality to enable you to enforce Security policy rules based on App-ID and User-ID. Expedition also includes machine learning to help you generate a Security policy based on log traffic and the Best Practice Assessment tool (or BPA tool).
Threat Signatures(LICENSE NEEDED)CONTENT-ID
The content update might contain new or updated threat signatures. The Antivirus, Anti-Spyware, and Vulnerability Protection Profiles use these threat signatures to inspect protocol and application data for malware.
Protocol Decoders
The firewall also includes protocol decoders that read network traffic and identify only a protocol. If a decoder identifies a protocol in the traffic, then the firewall determines what to do with the traffic. For example, if the protocol is identified as SSL (or SSH), then the firewall will check its Decryption policy and might decrypt the traffic. App-ID could identify an application in the decrypted traffic and apply the Security policy to the application.
Heuristics
The firewall also might identify a protocol and then use heuristics to attempt to identify behavioral patterns consistent with an application. BitTorrent is an example of an application where the firewall must use heuristics to identify application traffic.
App-ID and TCP
The first packet is a TCP SYN packet. Though the first packet does contain the source and destination addresses and ports, it contains no application data. In fact, the next two packets just complete the required TCP three-way handshake and do not contain any application data. The application data could reside in either the client's HTTP GET request or in the server's reply. For this reason, the firewall might have to examine the fifth packet, for example, before App-ID can detect either the application or the presence of encrypted traffic. If the traffic is encrypted, the firewall must evaluate the administrator-defined Decryption policy to determine what to do next. Depending on the configured policy, the traffic could be allowed or blocked in either encrypted or decrypted form. If there is no decryption policy configured, then the traffic will be allowed or denied based on the configuration of the security policy.
Encrypted SSL Traffic - Multiple Sites
The requirement that every website have its own unique FQDN and IP address is not practical, so many web servers host multiple websites. The CN field of a certificate cannot be used to identify the application, because multiple web-based applications share a common FQDN and IP address. Instead, the firewall can use SNI to attempt to identify the application. During the TLS handshake, browsers and applications use SNI to send the web server the FQDN of the website to which they want to connect. The firewall reads the SNI field and attempts to use the FQDN in the SNI to identify the application. The web server reads the SNI field to determine which certificate to send back to the client to verify the identity of the website. If the firewall cannot identify the traffic using either the CN field in the certificate or the SNI field in the TLS handshake, then the traffic is identified generically as SSL.
Application identification and content inspection depend on the information in the Applications and Threats content updates
The three traffic types that App-ID labels as unknown typically are malware, internally developed applications, and commercially available applications for which Palo Alto Networks has not yet added an application signature.
Greenfield Method
To use the greenfield method, place the new Palo Alto Networks firewall in your network but temporarily configure it to allow and log all traffic. EXAMPLE: - New firewall initially is configured in virtual wire mode and is placed between the internet and the existing third-party firewall. - The virtual wire configuration is optional, and Layer 3 or tap mode interfaces could have been used. - You should enable Log at session end on the default interzone rule to increase your application visibility. - After you have configured the Palo Alto Networks firewall with application-based rules, you can remove the legacy firewall with its port-based rules.
Application block pages can be enabled for which applications?
Web-based
Decrypted SSL Traffic
When an SSL/TLS client connects to a secure web server, the application layer data is encrypted. However, App-ID can identify SSL/TLS traffic. If you configure the firewall to decrypt the SSL/TLS traffic, then App-ID can use signatures, decoders, and behavioral heuristics to identify the application.
Identify Applications in SSL Traffic
When an SSL/TLS client connects to a secure web server, the application layer data is encrypted. However, App-ID can identify SSL/TLS traffic. If you configure the firewall to decrypt the SSL/TLS traffic, then App-ID can use signatures, decoders, and behavioral heuristics to identify the application. App-ID cannot use signatures and decoders to identify applications in encrypted traffic. However, the firewall attempts to identify the encrypted application.
Application-Based Policy
You can allow sanctioned applications and application functions while blocking or tightly controlling any remaining applications and unknown traffic. In an application-based policy, the identity of an application becomes the basis for firewall policy in addition to a port number.
Determine Implicitly Used Applications
You can determine implicitly allowed applications using the firewall web interface or the Applipedia website.
(Policy)Type
You can explore the policy impact of New Applications and Modified Applications.
Application Filter
You can use specific application names in the firewall policy rules. However, for added flexibility you also can create application groups or application filters and specify them in policy rules. ***An application filter is an object that dynamically groups applications based on application attributes that you select from the App-ID database. The selectable attributes are Category, Subcategory, Risk, Tags, and Characteristic.
Because it examines very packet in a session, what can a firewall detect?
application shifts
Which item is the name of a packet capture stage rather than a packet capture filter?
drop
Which firewall operation is skipped when network traffic matches an Application Override policy rule?
identification by the App-ID Engine
When are brand-new application signatures released by Palo Alto Networks?
once per month
App-ID running on a firewall identifies applications using which three methods? (Choose three.)
program heuristics Application signatures known protocol decoders
Which three items are used by the firewall's App-ID Engine to identify the application in network traffic? (Choose three.)
protocol decoders custom application signatures standard application signatures
By default, which two application names might App-ID assign to a custom, web-based application running in your environment? (Choose two.)
web-browsing ssl