Manage Custom or Unknown Applications
Palo Alto Networks releases weekly application content updates that add new App-ID signatures. App-ID is always enabled on the firewall by default, and you do not need to enable individual signatures to identify well-known applications. Typically, the only traffic classified as unknown (unknown-tcp, unknown-udp or non-syn-tcp) in the ACC and the traffic logs comes from commercially available applications that have not yet been added to App-ID, from internal or custom applications on your network, or from potential threats.
On occasion, the firewall may report an application as unknown for one of the following reasons:
  • Incomplete data (logged as incomplete)—A handshake took place, but no data packets were sent before the session timed out.
  • Insufficient data (logged as insufficient-data)—A handshake took place and one or more data packets followed, but not enough data was exchanged to identify the application.
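Before deciding between a custom App-ID, a submission to Palo Alto Networks, or a zone-based rule, it helps to group the unknown sessions by zone pair, destination and port and to separate them from handshake-only sessions, which carry no payload worth capturing. The script below is an added example and is not Palo Alto Networks code; the CSV column names (app, from, to, src, dst, dport, proto, bytes_sent, bytes_received) and the log lines are constructed for this example, and a real traffic log export has many more columns, so map the header names to your export. The App-ID names it keys on (unknown-tcp, unknown-udp, non-syn-tcp, incomplete, insufficient-data) are the ones the firewall uses.

```python
"""Triage traffic log lines that carry an unknown App-ID.

Added example, not Palo Alto Networks code. Column layout and log lines
are constructed; map the header names to your own traffic log export.
"""
import csv
import io
from collections import defaultdict

# App-IDs the firewall assigns when it cannot identify the application.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "non-syn-tcp"}
# App-IDs that mean the session ended before enough data was seen to decide.
HANDSHAKE_ONLY_APPS = {"incomplete", "insufficient-data"}

# Constructed sample export (not real logs).
SAMPLE_LOG = """\
app,from,to,src,dst,dport,proto,bytes_sent,bytes_received
unknown-tcp,trust,dmz,10.1.1.10,10.2.0.5,7777,tcp,4120,22010
unknown-tcp,trust,dmz,10.1.1.11,10.2.0.5,7777,tcp,3980,19877
unknown-tcp,trust,dmz,10.1.1.12,10.2.0.5,7777,tcp,4009,21500
unknown-udp,trust,untrust,10.1.1.20,203.0.113.9,5004,udp,900,0
incomplete,trust,untrust,10.1.1.21,203.0.113.10,443,tcp,74,0
insufficient-data,trust,dmz,10.1.1.22,10.2.0.5,7777,tcp,120,60
web-browsing,trust,untrust,10.1.1.23,203.0.113.11,80,tcp,500,9000
"""


def triage_unknown_sessions(csv_text, min_sessions=2):
    """Group unknown sessions by (from zone, to zone, dst, dport, proto).

    Returns a dict with per-group session count, payload bytes, the number
    of handshake-only sessions seen for the same tuple, and a suggested
    next step. Handshake-only sessions are counted separately because a
    packet capture of them contains no application payload to sign.
    """
    groups = defaultdict(lambda: {"sessions": 0, "bytes": 0, "handshake_only": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["app"]
        if app not in UNKNOWN_APPS and app not in HANDSHAKE_ONLY_APPS:
            continue  # identified application, nothing to triage
        key = (row["from"], row["to"], row["dst"], int(row["dport"]), row["proto"])
        g = groups[key]
        if app in HANDSHAKE_ONLY_APPS:
            g["handshake_only"] += 1
        else:
            g["sessions"] += 1
            g["bytes"] += int(row["bytes_sent"]) + int(row["bytes_received"])

    result = {}
    for key, g in groups.items():
        if g["sessions"] >= min_sessions:
            step = ("capture payload; internal app -> custom App-ID, "
                    "commercial app -> submit capture to Palo Alto Networks")
        elif g["sessions"] == 0:
            step = "handshake only; no payload to sign; check timeouts and reachability"
        else:
            step = "too few sessions; keep under a zone/IP-scoped unknown-tcp/udp rule"
        result[key] = {**g, "next_step": step}
    return result


def suggest_rule(key):
    """Narrowest Security policy tuple for unknown traffic on this group.

    Scoping the rule to zone pair, destination and port avoids an
    'allow unknown-tcp any-to-any' rule that would permit every
    unidentified flow. Field names here are illustrative, not PAN-OS syntax.
    """
    from_zone, to_zone, dst, dport, proto = key
    app = "unknown-tcp" if proto == "tcp" else "unknown-udp"
    return {"from": from_zone, "to": to_zone, "destination": dst,
            "application": app, "service": f"{proto}/{dport}", "action": "allow"}


if __name__ == "__main__":
    for key, info in triage_unknown_sessions(SAMPLE_LOG).items():
        print(key, info)
        if info["sessions"]:
            print("  rule:", suggest_rule(key))
```

Groups with repeated payload-carrying sessions are the ones worth a packet capture; a group made up only of incomplete or insufficient-data sessions is a timeout or reachability symptom, not a signature candidate.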
You have the following options for handling unknown applications:
  • Create Security policy rules that control unknown traffic by App-ID (unknown-tcp, unknown-udp) or by a combination of source zone, destination zone, and IP addresses. Keep such rules as narrow as possible: an allow rule for unknown-tcp from any zone to any zone permits every unidentified flow.
  • Request an App-ID from Palo Alto Networks—For any unknown traffic you want to inspect and control, take a packet capture. If the capture shows a commercial application, submit it to Palo Alto Networks for App-ID development. If it is an internal application, create a custom App-ID and, only if necessary, an application override policy.
  • Create a custom application with a signature and attach it to a Security policy rule, or create a custom application and define a custom timeout. Avoid Application Override policies: they bypass layer 7 application processing and threat inspection and fall back to less secure stateful layer 4 inspection. Use custom timeouts instead, so that the traffic stays identified and inspected at layer 7.
    A custom application lets you define the internal application's characteristics (category and sub-category, risk, port, and timeout), exercise granular policy control, and reduce unidentified traffic on your network. It also makes the application appear under its own name in the ACC and traffic logs, which helps when auditing and reporting on the applications in use. To create a custom application, specify a signature with a pattern that uniquely identifies the application, then reference the application in a Security policy rule that allows or denies it.
    For example, if you build a custom application that triggers on the HTTP host header www.mywebsite.com, the firewall first identifies the packets as web-browsing and then matches them to your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at layer 7 and scanned for content and vulnerabilities.
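The two-stage match described above (parent application first, then the custom signature evaluated in a named context) can be modelled in a few lines. The following is an added example, not Palo Alto Networks code and not the firewall's HTTP decoder: the custom application names, the signature layout, and the sample requests are constructed, and the context labels http-req-host-header and http-req-uri-path are used here only as names for the decoded fields. It generalizes the host-header case to any number of conditions on decoded HTTP fields, and shows why the same bytes in a non-HTTP flow do not trigger the signature: without the parent decode there is no host-header context to match against.

```python
"""Model of how a custom App-ID with a parent application is matched.

Added example, not Palo Alto Networks code. Custom apps, signature
format, context names and sample requests are constructed.
"""
import re

# Custom application definitions: name, parent App-ID, and a list of
# (context, pattern) conditions that must all match ("and" semantics).
CUSTOM_APPS = [
    {"name": "my-internal-portal", "parent": "web-browsing",
     "conditions": [("http-req-host-header", r"^www\.mywebsite\.com$")]},
    {"name": "my-internal-api", "parent": "web-browsing",
     "conditions": [("http-req-host-header", r"^api\.mywebsite\.com$"),
                    ("http-req-uri-path", r"^/v1/")]},
]

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload):
    """Stage 1 decode: return the contexts exposed by an HTTP request,
    or None if the payload is not HTTP (so it cannot be web-browsing)."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ctx = {"http-req-uri-path": m.group(2).decode(errors="replace")}
    if b"host" in headers:
        ctx["http-req-host-header"] = headers[b"host"].decode(errors="replace")
    return ctx


def identify(payload, custom_apps=CUSTOM_APPS):
    """Return (app, parent). Stage 1 decides the parent application from
    the protocol decode; stage 2 evaluates custom signatures only in the
    contexts that decode produced. Non-HTTP payload stays unknown-tcp."""
    ctx = parse_http_request(payload)
    if ctx is None:
        return ("unknown-tcp", None)  # no decoder matched; no L7 context exists
    parent = "web-browsing"
    for app in custom_apps:
        if app["parent"] != parent:
            continue
        if all(re.search(pat, ctx.get(c, "")) for c, pat in app["conditions"]):
            return (app["name"], parent)
    return (parent, None)  # plain web-browsing; still inspected at layer 7


if __name__ == "__main__":
    # Constructed sample flows.
    samples = [
        b"GET / HTTP/1.1\r\nHost: www.mywebsite.com\r\n\r\n",
        b"GET /v1/users HTTP/1.1\r\nHost: api.mywebsite.com\r\n\r\n",
        b"GET /v2/users HTTP/1.1\r\nHost: api.mywebsite.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
        b"www.mywebsite.com\r\n",  # same string, but not in an HTTP host header
    ]
    for s in samples:
        print(s[:40], "->", identify(s))
```

Because the custom application inherits web-browsing as its parent, a flow that matches it is still decoded and inspected as HTTP; an Application Override for the same traffic would skip that decode entirely, which is the reason the text recommends custom applications and custom timeouts over overrides.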