Palo Alto Application-ID vs. URL filtering and Application dependency

The Palo Alto Networks firewall provides us with a great deal of control and visibility into layer 7 application usage. One of these features is called App-ID (Application Identification). App-ID gives us the ability to write security policies based on specific application identification signatures. In the same policy we can also include security profiles for URL filtering, as well as other security profiles.

Application Identification and URL filtering can at times seem to overlap, because specific application identification signatures can depend on web-browsing, and therefore on URL filtering if we have it configured. Together, these two features give us a great deal of control over URL filtering and over applications based on their layer 7 signature rather than the traditional layer 4 port number.

Below is an example. If we want to write a policy for Facebook based on its layer 7 application signatures, we must first determine which other application identification signatures Facebook depends on. We can find this out either by going to the Palo Alto support website and selecting "Applipedia", or by going into the "Objects > Applications" tab on our firewall and searching for facebook. We can click on the appropriate Facebook application ID signature to view its dependencies.

As we can see, facebook-base depends on the application "web-browsing". This tells us that in order for facebook-base to run, we also need to allow web-browsing in this rule, or it needs to be allowed in a previous rule. The reason is that the initial packet for Facebook is identified as "web-browsing", since the initial connection is to the Facebook URL (www.facebook.com). Once we are in Facebook and start "driving" the application, there is an application shift in the firewall: it now recognizes the specific parts of Facebook and uses the application identification signatures for those specific applications within Facebook.

If we had a URL filtering policy applied that was blocking the social networking category, of which www.facebook.com is a part, and/or www.facebook.com specifically, Facebook would not be able to run.

Note that we will also be notified of dependency mismatches when we issue a commit on the firewall. If we are missing any dependencies, the firewall will alert us to them.
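The two conditions described above (a dependency allowed in the same or a previous rule, and a URL filtering profile that blocks the application's category) can be modelled as a small offline check. This is an added example, not Palo Alto code and not the firewall's actual commit logic; the rule names, the dictionary layout and the "social-networking" category spelling are assumptions, and zones, addresses and services are ignored.

```python
# Simplified model of the checks described above; not PAN-OS code.
# From the page: facebook-base depends on web-browsing, and www.facebook.com
# falls in the social networking URL category. Everything else is constructed.
APP_DEPENDS_ON = {"facebook-base": {"web-browsing"}}
APP_URL_CATEGORY = {"facebook-base": "social-networking"}

def missing_dependencies(rulebase, depends_on=APP_DEPENDS_ON):
    """Return (rule, app, dependency) for every allow rule whose application
    needs a dependency that neither the rule itself nor an earlier allow rule
    permits."""
    allowed_earlier, findings = set(), []
    for rule in rulebase:
        if rule["action"] != "allow":
            continue  # a deny rule never satisfies a dependency
        apps = set(rule["applications"])
        reachable = allowed_earlier | apps
        if "any" not in reachable:
            for app in sorted(apps):
                for dep in sorted(depends_on.get(app, set()) - reachable):
                    findings.append((rule["name"], app, dep))
        allowed_earlier = reachable
    return findings

def url_filter_conflicts(rulebase, app_category=APP_URL_CATEGORY):
    """Return (rule, app, category) where an allow rule carries a URL filtering
    profile that blocks the category the allowed application lives in."""
    return [(rule["name"], app, app_category[app])
            for rule in rulebase if rule["action"] == "allow"
            for app in rule["applications"]
            if app_category.get(app) in rule.get("url_block", ())]

def mk_rule(name, apps, action="allow", url_block=()):
    return {"name": name, "applications": apps, "action": action,
            "url_block": url_block}

# Constructed rulebases (hypothetical rule names), evaluated top to bottom.
ONLY_FACEBOOK = [mk_rule("allow-fb", ["facebook-base"])]
SAME_RULE = [mk_rule("allow-fb", ["facebook-base", "web-browsing"])]
EARLIER_RULE = [mk_rule("allow-web", ["web-browsing"]),
                mk_rule("allow-fb", ["facebook-base"])]
EARLIER_DENY = [mk_rule("deny-web", ["web-browsing"], "deny"),
                mk_rule("allow-fb", ["facebook-base"])]
URL_BLOCKED = [mk_rule("allow-fb", ["facebook-base", "web-browsing"],
                       url_block=("social-networking",))]

if __name__ == "__main__":
    for label, rb in [("only facebook", ONLY_FACEBOOK), ("same rule", SAME_RULE),
                      ("earlier rule", EARLIER_RULE), ("earlier deny", EARLIER_DENY),
                      ("url blocked", URL_BLOCKED)]:
        print(label, missing_dependencies(rb), url_filter_conflicts(rb))
```

The last rulebase passes the dependency check and still fails in practice, which is the overlap between App-ID and URL filtering that the post describes.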