Palo Alto Application Detection


Symptoms

Sessions that were denied by an application-based deny rule show a non-zero number of packets transmitted/received in the traffic log.

This is expected. When traffic passes through a Palo Alto Networks firewall, the security policy is evaluated two times:

  1. At session setup, the packet is checked against the rule set as if the application were ANY (the application is not known yet, so only the non-application criteria such as zone, address, user and service/port can be matched)
  2. Once App-ID has identified the application, the session is checked against the rule set again with the real application

The packets counted against the deny rule are the ones that flowed while the application was still being identified, before the second evaluation denied the session.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliLCAS



How much data is necessary to recognize an application

App-ID waits for a maximum of 4 packets or 2000 bytes of data in either direction (the TCP handshake does not count towards this limit).

In most cases the application is recognized well before that amount of data has been seen.

If it is imperative to block the data in the very first packet after the 3-way handshake, a custom application can be created so that the traffic is identified on that packet instead of after several packets of generic inspection.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIgCAK


App-ID needs a few packets after the TCP handshake to see layer 7 data and identify the application, so the handshake itself is always allowed or denied on port/service criteria alone.

With an allow rule for application "ssl", the rule's service must also permit the destination port (for example tcp/443, which is what application-default resolves to for ssl) so that the TCP handshake can complete; otherwise the packet is denied with application "not-applicable".

Not-applicable means that the Palo Alto device received data that will be discarded because the port or service the traffic came in on is not allowed, or there is no rule or policy allowing that port or service. No application was identified because no payload was ever inspected.
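The following is an added example, not Palo Alto code or anything from the knowledge base articles linked above. It is a toy model of the two-pass evaluation, the 4-packet/2000-byte App-ID budget and the "not-applicable" case described in the sections above, written so the symptom (a deny rule that logs packets) can be reproduced on a constructed rule base. Assumptions: rules only carry a port set, an application and an action; `identify()` is a three-signature stand-in for App-ID; traffic that is never identified within the budget is assumed to match only rules with application "any".

```python
"""Toy model of Palo Alto two-pass App-ID policy evaluation (example, not PAN-OS code)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Budget quoted from the KB article above: at most 4 packets or 2000 bytes of
# payload in either direction after the TCP handshake before App-ID stops waiting.
MAX_APPID_PACKETS = 4
MAX_APPID_BYTES = 2000


@dataclass(frozen=True)
class Rule:
    name: str
    ports: Optional[frozenset]  # None = service "any"; otherwise the allowed TCP ports
    app: str                    # "any" or an application name
    action: str                 # "allow" or "deny"

    def port_matches(self, port: int) -> bool:
        return self.ports is None or port in self.ports

    def app_matches(self, app: Optional[str]) -> bool:
        # An unidentified app (None) never equals a specific application name.
        return self.app == "any" or self.app == app


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: Optional[str]       # name of the matching rule, None if nothing matched
    app: Optional[str]        # identified app, "not-applicable", or None (never identified)
    packets: int              # payload packets let through before the final decision
    payload_bytes: int


def identify(payload: bytes) -> Optional[str]:
    """Toy stand-in for App-ID signatures (assumption: real App-ID is far richer)."""
    if payload.startswith(b"\x16\x03"):                    # TLS record header
        return "ssl"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return None


def evaluate_session(rules: Iterable[Rule], dst_port: int, payload_packets: Iterable[bytes]) -> Verdict:
    """payload_packets are the post-handshake TCP payloads in order; the handshake is not counted."""
    rules = tuple(rules)
    # Pass 1 (SYN): the application is unknown, so the lookup behaves as if app were "any"
    # and can only match on port/service.
    first = next((r for r in rules if r.port_matches(dst_port)), None)
    if first is None:
        # Nothing permits this port: the handshake is dropped and logged as not-applicable.
        return Verdict("deny", None, "not-applicable", 0, 0)
    if first.app == "any" and first.action == "deny":
        # App-agnostic deny needs no L7 data; the SYN is dropped, zero payload packets flow.
        return Verdict("deny", first.name, None, 0, 0)

    # The session is set up (tentatively, if the rule is app-specific) and App-ID
    # inspects payload until it identifies the app or the budget is exhausted.
    app, pkts, nbytes, seen = None, 0, 0, b""
    for payload in payload_packets:
        pkts += 1
        nbytes += len(payload)
        seen += payload
        app = identify(seen)
        if app is not None or pkts >= MAX_APPID_PACKETS or nbytes >= MAX_APPID_BYTES:
            break

    # Pass 2: re-evaluate the session with the identified application.
    matched = next((r for r in rules if r.port_matches(dst_port) and r.app_matches(app)), None)
    if matched is None:
        return Verdict("deny", None, app, pkts, nbytes)
    return Verdict(matched.action, matched.name, app, pkts, nbytes)


# Constructed rule bases for the demo: an app-based deny rule above a port-restricted
# allow rule and a catch-all, and a second base with only the ssl rule.
SAMPLE_RULES = (
    Rule("block-web-browsing", None, "web-browsing", "deny"),
    Rule("allow-ssl-443", frozenset({443}), "ssl", "allow"),
    Rule("allow-everything-else", None, "any", "allow"),
)
SSL_ONLY_RULES = (Rule("allow-ssl-443", frozenset({443}), "ssl", "allow"),)

# Constructed payloads: an HTTP request, a truncated TLS ClientHello, and opaque bytes.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
OPAQUE = [bytes([0x42]) * 100] * 6   # six 100-byte packets no toy signature matches


def demo() -> dict:
    return {
        "deny_rule_with_packets": evaluate_session(SAMPLE_RULES, 80, [HTTP_GET]),
        "not_applicable": evaluate_session(SSL_ONLY_RULES, 8443, [TLS_CLIENT_HELLO]),
        "ssl_allowed": evaluate_session(SSL_ONLY_RULES, 443, [TLS_CLIENT_HELLO]),
        "wrong_app_on_443": evaluate_session(SSL_ONLY_RULES, 443, [HTTP_GET]),
        "budget_exhausted": evaluate_session(SAMPLE_RULES, 9999, OPAQUE),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24} {verdict}")
```

The first case is the symptom from the top of the page: the HTTP request is let through at the SYN because the deny rule is application-specific, then denied on the second pass, so the log shows one packet against "block-web-browsing". The "not_applicable" case never inspects payload at all, which is why that application name carries no L7 meaning.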



