Chapter 4 - App-ID

1. 4.1 App-ID overview

In this video, we are covering Pcnsa 210 and this is chapter four, App ID or Application Identification. This is the first video of the chapter four App ID overview. Now, the first thing we need to find out,or we need to define, is what is an application. An application-specific programme or feature whose communication can be labelled monitored and controlled. applications that can be delivered through a web browser, a client-server model, or a centralised peer-to-peer design. After we identify what an application is, we look at what an app ID is. Well, traditionally, firewalls will classify traffic by ports and protocols. But today's applications can easily bypass a port-based firewall by hopping ports. So, accurate traffic classification is the primary function of any firewall. Security rules Within the Palo Alto network firewall, you can specify applications to allow or block. For example, I have this slidetraditional firewall, which uses a port-based security rule. And down here I have a Palo Alto network firewall which uses application-based security rules. Have a look at this report. Base security rules Any service DNS, as we say in applications. So we say in any application, as long as they're using port 53, that's okay, that's allowed to go through. So if traffic DNS comes through and is using port 53, that will be allowed to go through. But as well as if we have a bit torrent,for example, traffic they use on port 53, that will be allowed to go through too, because we say in application, any application as long as they have on port 53, which is and they should go through. But on the Palo Alto network firewall, we say DNS. The application has to be DNS. And the service is the defaultapplication default, which is port 53. If DNS traffic comes in and it's using port 53, that will be allowed, that will be allowed to go through. But if I have a bit torrent, maybe a trafficBitTorrent traffic 53, they try to use port 53. Now, BitTorrent is identified. It's not a DNS,it's something else that traffic will be denied. It will not be allowed to go through. So imagine if you have, for example, an IPS intrusionprevention system that will be able to identify what traffic is it, so the intrusion prevention system says, okay, well,DNS traffic, port 53, yes, it's allowed. No, BitTorrent is a different type, it's not DNS, so that will be denied. But the problem here is that if we have a zero-day, zero-day command and control traffic that hasn't been identified near the IPS, it has got no recognition of what type of traffic it is. Is it DNS or not? Since it doesn't know, it will allow it, it will go through, it will say okay, because here's saying any application as long as it's using port 53, if it's identified, it's notDNS, then it's fine, it will block it. But if it doesn't identify, is it DNS or no? Because it's a zero-day command and control, then it doesn't know if it's DNS or not. And it will allow it, it will send it through. And as well as it's not going to generate any log messages, which is a big problem. But on the Palo Alto network firewall, it says that we have a zero day.Instead of having this BitTorrent become a zero-day, zero-day command and control attack, Well, it's not. Zero day is not DNS. In the Palo Alto network firewall, we say it has to be DNS and zero day is not; if it is not, it will not pass. So, for that reason, accurate traffic classification is a primary function of any firewall. Now, Palo Alto firewalls that will be able to identify traffic pretty much say if you have a new UDP traffic, the first packet will be able to identify what application it is it.From the data on the first packet of UDP traffic, it will be able to identify what sort of application it is it.Is it DNS or is it something else? If we bring, for example, a TCP communication,then TCP communication will not be able to identify the first packet. So in the TCP communication, for example, we have a three-way handshake, where we have a synchronisation message there, synchronisation and acknowledgement from the server, and then acknowledgement on the fourth package. This is the fourth package that says it's got. Then you will say, "Okay, well,this is web browser traffic." We'll be able to identify that it's a web browser. And then further on, maybe we can identify that it's a secure socket layer, maybe traffic, maybe it's Facebook-based traffic or something else. However, the first three packets of TCP communication are TCP negotiation, and it will not be able to identify what traffic or application it is until the fourth and hopefully soon. And on Apollo Alto networks, first thing when the packet comes in, they're going to look, they can extract the IP and port number, and then they're going to check the security policy. Is that allowed or not? At that moment, when we check in the security policy for port and the IP address, we put in the application. We are not identifying my application at the moment. If the traffic is allowed, then we look at the app ID. If the traffic is denied, there's no point in looking at the app ID. If the traffic is allowed, then we have known protocol decoders and then an application signature. A well-known protocol decoder is thesyntax and command of common application. Then we apply for an application signature. An application signature is updated as part of the firewall content updates. If we don't know the protocol decoder, then we look at the patterns of communication in an attempt to identify the application and its behavior. And then if we have, for example, a packet that's been encrypted, if we have a packet that has been encrypted, do we have a decryption policy? If we do have a decryption policy, we will decrypt it, and then we will go through the same thing, checking the application ID. If it's not an unencrypted application, then we can apply an application signature, and then after that, we can apply an app ID. Either we allow that traffic or we block the traffic.So there's going to be four major technologies to help us identify the application. We have an application signature, we say ourupdated Palo Alto network customers, and then we have something that we know, some applications, some decoders that we already know, and we understand the ones that we don't know, where we try to match the pattern of communication. And we have decent encryption policies.

2. 4.2 Using App-ID in a Security policy

PC and NSA 210 are covered. And this is our chapter four App ID. Now this is the second video of chapter four, which is 4.2. Using App ID in the security policy, we are also going to be covering identifying unknown application traffic, application shift network traffic, and can shift from one application to another application during the lifetime of a session. For example, if we have a look at this communication,imagine that our user wants to use the Facebook apps. Now the user is going to open the browser and the first three packets are TCP Negotiation or TCP three-way handshake. So the client or initiator sends a synchronisation message, then the responder or the server is going to send a synchronisation and acknowledgement. And then the third message is the completion of TCP three-way handrack. Now at this moment, the firewall is going to report unsufficient data to identify what application it is it.However, on the fourth package, the client or initiator will send a get message. As a result, http get message At that point, the firewall is going to identify that as a web browser in traffic. Then this has to be enabled asAllow in a security policy rule. Now, as the client moves on from web browsing to logging into Facebook, that web browsing will shift to SSL, and then there will be another shift to Facebook Base and another shift to Facebook Apps. As you can see, all these applications have to be enabled as Allow on asecurity policy rule for them to work. Another thing that we have to know and remember is a dependent application. Some applications can depend on one or more other applications. So, for example, Facebook apps will depend on having Facebook Base enabled and also Facebook Base will depend on SSL and web browsing being enabled. As a result, for those applications to function, other applications must be enabled on security policy rules. For this reason, when you create a security policy, you need to make sure that you are allowing the dependent application as well. To find out what the dependent applications are, we can go to our firewall and have a look. For example, what we're looking for is the Facebook apps. So if I go to the firewall now to find out what the dependent applications are there, you need to select Object. And then we have an application and we're going to be talking about those three today. So we're going to be talking about this video. We're going to be talking about applications, application groups, and application filters. So, first and foremost, we are determining the dependent applications for Facebook apps. For example, So Object applications and in there we're going to start searching, right? So we're going to just type Facebook apps and hit search and the Facebook app is going to be there. So if I click the Facebook app, it's going to open and it's going to show us what applications are dependent on Facebook apps. Here is the name of the standard port for this application. And this application depends on Facebook based.So when you create a security policy, you have to make sure that you explicitly allow Facebook access. So the Facebook app will actually work by default. It doesn't enable itself, but it does actually enable implicit users. So, for example, Facebook applications also depend on web browsing. But you don't need to go and enable web browsing because web browsing will be enabled by default just for itsuse, not the whole web browsing. So not every user is going to do web browsing just because you're allowing Facebook apps. It's just going to allow web browsing for Facebook apps. Okay, you can search other things. For example, you can find out what the needs are, what the dependents are, or what the implicit uses are. For example, let's say that we want to allow Office On Demand. If I click on that, it will show us that if you want to enable this application, if you want to enable this application, you need to, for example, Office on Demand, the name it depends on, you need to enable Ms, Office365 Base, SharePoint, Online, SSL, and web browsing. So for this to work, you need to enable these four other applications as well. It doesn't have an implicit user, so you will not allow any other application, like a parent application, to say. So two things that we have to be familiar with are: for each application that we want to use, we want to make sure what it depends on. So we have to allow those applications depending on them explicitly and we have to look at what implicitly they will use. These are called "parent applications." So you don't have to explicitly identify or allow them in your security policy rules. Okay, the next two things that we're going to be talking about are, like I said, application groups and application filters. This is static when discussing application groups. If you have a static grouping of your applications, then you want to actually apply some sort of security policy to it. For example, say that we have a social networking application and we can group all the social networking applications in that group and then apply a security policy to them. application filter. This is the same thing, but this is dynamic. The thing is, the reason between the static and dynamic is the application group. The administratorstatically configures the application in one group and you have to update it manually. If you want to change something, you have to update it manually and also need to press to commit. So every time it makes some sort of change, you need to recommit to it. While dynamic, it is going to be updated automatically from the Palo Alto Network application ID database. So you don't really need to commit the application. For example, let's just say that we want browser-based office documents, or Office apps, I should say. And if there's a new Office app browser based on the Palo Alto database,they're going to be updated here for you. So you don't really need to go back and update it. Okay, we can actually create two of them,so we can create both, but we are only going to be using the application groups. Here's what we're going to do. So let's create a social networking application group. So click "Add" and here I will type social networkingapps and in there I'm going to add, for example,let's just say Facebook, and we have a Facebook base. Let's just say Twitter. Twitter There are other things. Let's just say that we're going to add SSL and web browsing, as well as DNS. Obviously, we can do research and find out what the social networking apps are and add them all in there. And these three, we don't really need to add them here. We can create another group policy just for web browsing and SSL and DNS, for example. So let's just leave this application as a social networking app. So you don't really need to add this every time. Now I click okay on that. And we already have an application group. If we want to modify something, we have to go here and update it, then recommit it again in the application filter. I'm going to create one, but I'm going to not use the application filter but just show you. So let's say we do a browser. I'll give it a name here as a browser based office app, okay? So that's a name. And obviously, these are going to be business systems, office programs, and browser based.If you prefer, we can also select them from therisk category. But I'm just going to keep all of them. There are 60 apps here. I'm going to keep all of them. Just click "okay." If a new browser-based Office programme is released, it will be automatically added to this group. Now that we have application groups which are isstatic and application filters which are dynamically updated,we can apply them to the security policy,we can apply them to quality of service,policy rules and maybe even policy based forwarding. Anyway, I'm going to make a rule now that is going to allow these apps:

Facebook, Twitter, SSL, web browsing, and DNS. And if, for example, we want to see some kind of response page, for example, somewhere that we know our users are not meant to go there and to see like an errorcode or something like that, then we have to enable the response pages which are located on the device and then we go to the response pages here and it's not enabled by default. So, on the application block page, you can either upload your own blog page or use the default one, which you can enable here. So click, and then enable. Okay, now what we also want to do is to start monitoring for interzone traffic. So if something drops or something like that, then we want to monitor that. So we go back to policies. We haven't created any policies yet. We can see that something is happening in the interzone and intrazone default. Let me reset these back to zero. So reset the rules, hit count. So all rules and I'm going to create a rule, a security policy rule that will allow my internal network to access the internet as long as they're using that social networkingapplication filter or application group that we created. So click add from inside to outside to out and the app will filter. And obviously, you need to fill these out and full type and everything. I'm not going to explain this every time, but if you do want to be more familiar with what's in this and what you need to type, then visit the video. Chapter three talks about all these entries. The source is going to be the inside of the inside zone. The user, well, we haven't got the user ID or host information profile. The destination is going to be outside. So say outside and the destination address is any source. I can put the source address. I can put my own network, which is 1921-681-0424. That's the whole network. Okay, destination. Now in the application I can add the application group that I created. I can also add the filter that created the application filter. So add an application. So it was social, and that's going to come.

I don't need to type the rest. application group, social networking apps, and services. We're going to leave the application default and, in action, we're going to allow it. We're going to log in at the session end and everything else again. Chapter three, a bit more, and this is more. In Chapter five, we're going to talk about profile settings and scheduling. Chapter three as well, and clickokay, now we have enabled that. So from an application filter inside network or insidezone, that IP address or that network going to an outside zone is allowed as long as it's using social networking apps. If you're not sure which app is here or which application is in which group, you can simply click on it, then select it, and then browse. And that's going to show you what is in there. application-based Twitter and you can also change it if you want to hear it or modify it. Cancel that. I'm also going to want to view or log interzone traffic because by default it's not logged. So it's a read-only option if I choose it. If I go to action, you can see that it's not logged at the session end. So I want to enable that, and to do that, you need to select it, enter the zone, and then select override. And then under the action you saylog at session end, click okay. And now that's going to be logged, and you can see the icon has been overwritten. Okay, so I have not committed yet. So if you want to go and check, I can go. For example, I have my Windows 7. My dependable Windows 7. Here I can open the command prompt and do IP configuration. You can see that's the IP address 192-1681 200.Now my network actually, if you want to see it, is this. So we are allowing the inside zone to go outside as long as they are using the social networking apps. So all this is going to be done outside with social networking apps, and that should be allowed. That's the idea. And by default, I have not committed yet. Not by default, but I have not committed yet.

So if I, for example, try and go to some kind of social media or say if I try to go to Facebook, www.facebook.com, I shouldn't be able to get there because I have not applied the security policy and I should not be able to go to Twitter either. And obviously, I'm going to try another one. At Wikipedia, nothing is going to work because there is no security policy. But after we apply the commit, after we are unable to commit and we successfully commit this,then the Facebook and Twitter should work. But for other ones, like Wikipedia or some apps that have been identified as regular different apps rather than just web browsing, it shouldn't work. Okay, so let me go there and commit it. Okay,you can see that commit has been completed successfully. And if I close that, the next thing is to go and test it again. So I'll go here to my client machine and I'll try and access Facebook. And this time it should work. You see, Facebook is fine, but Twitter should work as well. It's fine. It's working because aweb is recognised as just web traffic, or it's not Wikipedia. No, it is identified as a web traffic shutterfly. Now you can see that this one doesn't work. The reason is that it's identified as not aweb traffic, but as its own application. So let's use another website. They identify, this is turned on, and you can see this one is also an application block. And you can see our response page default that just says this IP address trying to get to this application is blocked. And if we have the user ID,this will actually be your user ID. So if I go to the monitoring in my firewall, let me close this, and if I go into the firewall and select monitor, you can see that the policies. So let's see, we must have some hit count here. You can see there's 516 hit counts and there's some interzone default hit counts as well.

So that means that we are trying to go somewhere that is not allowed. We can actually monitor this as well. So if I go to monitor logs and then traffic, and you can see that here, for example, when I'm trying to go to some website that is not allowed, it says reset both. So we can reset the initiator and the responder. It's not working. When I'm trying to go to DNS, it says it's allowed. When I was trying to go to Facebook, this was allowed as well. Other places, such as Google Base, are reset both. So I can't actually get to the Google base either. And you can see that Facebook was allowed because we enabled the Facebook app, then Facebook Base, and we also enabled SSL and web browsing. Okay, the next thing is that you can also create your own applications. For example, let's just say that you have your own application. You can just go here in applications and add, for example, let's say a street app. I will create my own application. I need to identify what category it belongs to. business systems, maybe these Office programmes as well. And this is maybe peer to peer.I can put it ahead of time, what port does it use? For example, what IP protocol, ICMP type, and so on? So say, maybe there's a port that I use. So, for example, I could put TCP 1122 in the port. That's my point. I'm going to be using and I can also create this timeout and put it on the signature and apply the signature to it. Okay, And click okay. Now that the application has been developed, So I can allow that application in my policies. So let me just click on that and edit it. So I added and here I put Astrid's app. It's going to come up. There we go. So that's my default app that I have. So I've got the application group, application group, and my own app as well. When you look at, you'll see that I entered two of them and it says is it or and this and this. No, but the application is this or this. It's or So we talked about defending the application. Some applications will depend on other applications, and you need to enable them. Make sure they are enabled on security policy. And we can see in the window that Office on Demand is dependent on Microsoft Office 365 base and SharePoint online being enabled.

And to determine what application dependencies there are, we looked at the objects, we went to applications, and we looked at what dependencies there are on implicit applications. They will be allowed one parent application. So, for example, the Facebook app by default depends on Facebook Base, but they will allow web browsing as a parent application just for their own use, not the whole web browsing. Then we talked about application groups, which are static and configured by the administrator. So the administrator defines and every time you need to update it or remove it, you need to commit. So if you need to update that application group, you have to make sure that you commit them so it's not updated automatically. And then we have an application filter which is updated automatically. This is a dynamic group of applications and they are maintained. Anything that's in there will be maintained by the Palo Altonetwork application ID database, and you don't need to recommit if something new is added in there. We can nest the applications into application groups and filters. So remember, I showed you an application which I made myself, and we can nest that application into the group as well as the filter, and then we can nest these ones and put them on the security policy, and you can see all three of them being applied. So in this security policy role, we can see and look at the icons as well as a bit.

So it's just a single application. You can see the icon. There was a group of applications and the filter, and we actually looked at the application block page. So in the case of something that's not displayed, we want to have some kind of response page thatapplication has been blocked, something similar to what we saw in our client machine here, this one here. So application blocked, you can put your own webpage, your HTML and the user's ID, which will actually display the user ID. And to enable that, we had to go to device, then we had to go to response pages, which is further down here somewhere and by default is disabled. We have to enable it. Now, unknown network traffic can be classified into two main categories: applications known to app ID and applications unknown to appID. So if you have some sort of traffic that comes into the router, the router is going to be able to see if it is identifiable. Did we see it before? If it is, then we identify what it is. If it's unidentifiable by appID, maybe it's a brand new application. Then we look at the HTTP detected? If it is, then we say it's a web browser app. If it's not, then we can just say that unknownTCP and unknown UDP identify unknown application traffic. Now, we have no idea what kinds of applications are passing through our network. It could be different applications. We haven't seen it before, we haven't even thought about it. And that's the first thing that you have to do. You need to make a policy rule that will allow any applications and run this policy rule for a while. So you learn what applications are going through your network and then you can make an app ID and configure an app ID. We are going to be talking more in the next lesson about how to convert from PC any application or protocol based viable into an app ID.

3. 4.3 Migrating to an App-ID

Covering PC NSA 210 and this Chapter Four app. ID. This is the third video of chapter four, 4.3, migrating to an App ID based security policy as well as updating App ID. Okay, so this is my laptop and the first thing we're going to do is create a port-based security policy where we can allow internal users or users from inside the network to go outside the network. That's going to be a port-based or protocol-based security policy like a traditional And as well, we're going to create another security policy from inside the demilitarised zone using FTP. Now the thing is, we're going to gather some traffic and then we're going to convert from port-based or protocol-based security policies into more specific App ID security policy rules. So I have a connection to my firewall and I have a connection to my Windows server. So if I open the command prompt on that Windows server and do IP config, you should see the IP address. It's the internal 192-1681 200, which is this one here, and the gateway is 192-1681, which is of the interface ethernet of the firewall, which is this one here. This PC should be able to ping the firewall, should be able to pin his own gateway, but at this moment it's not going to be able to ping anything. So, for example, anything else outside the DMZ or anything like that. Okay, so the first thing is that we're going to create a traditional port-based security policy. So I'm going to type press policies, then go to security, and then just create a basic one here. Then we can add a description there, and the tags will be in out; we can also group these tags from in out. And I can put the audit comment created by Okay, so here you put it like audit comments, so we have a trail of who did what and so on. I'm not going to keep doing it, but just so you know it and you put a date and time, then if somebody modifies this, they can add it and then we can keep some sort of trail in the description. You need to type a bit more information about what this security policy rule should be doing. So the source is insight from our network. So, inside source addresses Then I'm going to put here 1921-681-0424. So anything in the inside network userID, we don't have it yet. Destination is going to go to the outside and application, well,this is what we're going to change it to. At the moment, we don't have an application,so we don't really know what sort of traffic is going to go through our firewall. So we can't really add the applications yet. We keep it to application default and action for services. We marked it as permissible. Okay, so that's our first policy. Then we can create another security policy where we can get users from inside going to a demilitarised zone. The Nat rules are already in place. Yes. So I'm not showing you that. So this is going to go into the DMZ and if you want to see how to create Nat rules, you have to go back to chapter three. In there we go in depth about destination, source, Nat, and so on. Okay, so here are the sources from inside. I'm going to leave the address, but that's any address on the inside, and the destination zone is going to be on the tiny zone. And in the application, we leave any services to default. We can add our own service, right? So we can say we can select to add the service. You can either add it, for example, since I have an FTP service, but I can create it in the service very easily. So you can say astrid FTP and identify the port numbers, for example, 20 and 21. Maybe we are using some other non-default FTP port as well, and click okay. And then I will have that as my service action allow log at the session end. And okay, so now I have two security policy rules. One, from inside the zone to outside any application. And then the second one is inside the demolition zone. As long as they're using FTP, right? I can put a tag there as well. I already have a tag in there, so I can put it, for example, into DMZ. Okay, so now we have our tags as well. I'm just going to zoom in. This is it. Okay, I'm going to remove this user because we don't have any user IDs at the moment. So we can see the hit count and all that. At the moment, I'm getting few hits on intrazone and interzone. So get rid of this user. Okay, And I'm going to reset all these hit counts. So reset rules, hit count, all rules. Okay, now I'm going to commit this. Okay, now they have completed and committed successfully. What are we going to do is to create some traffic from the inside zone. And really, what I want is I want to see apps seen here and that's going to be populated. The thing is that this does take time. So I'm going to pause the video. It's about 15 minutes to 30 minutes to actually start populating with apps, sometimes even longer with the virtual machines. Okay, so I'm going to go to the client and I should be able to ping now outside. And yes, I have, I can, and what I'm going to do is open a browser and just navigate to some web pages. For example, I'm going to navigate to Facebook.com and I'm going to go to other sites like PaloAlto, Shutterfly, and Google.com, for example, Dropbox.com. I'm just going to create some traffic. And what I want to see is to actually see the app seen.Okay, so we have actually navigated to some sites here, even Netflix, Dropbox, and Google. For example, let's just say we drive here. Okay, Now, if I return to myfirewall, I can refresh this. So far, so good. It hits on the first entry from inside to outside. So we're going from the internal zone to the outside zone and accessing all those web pages. And the other thing that I want to do is go to the diminutrite zone. So I go to my computer, open a command prompt, and just do an FTP to one, nine, two, one, six, eight, one, one. And that takes me to my Ubuntu server. As a result, lab user I put the password here and I'm logged in. And if I go back to my monitor and I should see... well here, if I refresh it, I should see one packet of hit count on that DMZ. You can see it's coming there. Okay, the app is seen. I'm not seeing anything yet, and I'm going to wait, but I'll go to the monitor and we'll have a look. So log and then traffic, and we can see, yeah,that's the last packet that we went to the FTP. And you can see the role that's matching in DMZ. Facebook ms Facebook dropbox update Twitter must have done it earlier. That's your monitoring. Here's what we do. So I go back to my policies and refresh this. What I really want is to see the app seen here. And I'm going to hold on. I'm going to pause the video and come back when it's actually showing something. So, what, 30 minutes? I'm expecting between 15 and 30 minutes to actually start seeing some apps. Okay, after waiting about 30 minutes, we've seen and refreshed a few times, the application that I opened up here. I refreshed them a few times, and you can see the head count there as well as the FTP. But it has seen 22 apps in the top one. So, from inside zone to outside zone, 22 apps. And from inside the demilitarised zone, one app,we can't really tell what the apps are there without actually clicking on them. But before I do click on it, I want to show you this faint arrow here. If you just click on it, it will open. policy optimizer. Now in the policy optimizer, you can see no apps specified. So any policies that don't have any application specified,there are two of them, and we have only two. As a result, you can now see in and out of the application's default service and Astrid FTP. These are two policies without apps identified. And on the top one, we can see there are 22 scenes and one in the demilitarised zone. And now we can translate a portor protocol-based security policy into an application ID. security policy rules. Okay, so if I click on these 22 apps, I can see all the apps that have been seen in this policy. So as I've visited a few pages and refreshed and refreshed, these are all the apps that I've seen. Now this rule has seen So we have identified on the inside of this short period of time, 1 hour. This is all the apps and really what you want to do. You want to do it for like 30 days or even more, a little bit more to identify exactly what apps are going through your firewall. And then you can create an app ID security policy. And now we have... if I select all these apps, I have three options to convert the role. These three, I'm going to choose this one and this one. Well, I'm going to show you how to use this one first with this policy and then the next one with the rule we do with the demilitarised zone. But if I create a cloned rule, what this is going to do is create an identical rule, exactly the same as what we have. Instead of adding any, it's going to put it on top with the app ID rule, right? Okay, so if I show you a security policy, what we have again, it's going to create the same rule as this one in out. But instead of saying any application, it's going to put the application they have seen. All right, so I'll go back there to the policy optimizer,no app specified, select all 22 of them, and then highlight all of them and say create cloned rule. And then this is what I can call it, cloned in out. right? Okay, So now this in out doesn't have any more apps seen.So if I go back to my securitypolicy rules, you'll see the cloned in out does have all the applications. It is no longer considered an application. As you can see, there is no application or service, only "application default." We have created, we have cloned this, or we have converted this from a policy from port orprotocol rule into an app ID rule. And I'm going to commit that and then we're going to refresh it and we should see that it's actually using the top rule instead of the bottom one. Okay, we got some warnings here about the parent applications that need to be allowed. I can just close that. We have to have a look at these applications to make sure they are all allowed. But this has been completed successfully, the commit and now this. I can reset all my hit counts to zero and I should be able to see now which rule is hitting once I refresh the application. Are they hitting the top one or are they hitting the one underneath it? And as you can see, the policies are read from top to bottom. So the first one is red, and if it doesn't match, we'll go and read the second one. Okay, so I'll go to myPC and I'll refresh everything again. Okay, so now I'll go back to myfirewall and just refresh and see what's happening. Okay, as you can see now, we are actuallyhitting the top policy instead of the one underneath it. So we can keep them both side by side. And we really don't want to keep it like this for 30 days or even maybe more than two months. And we don't want to see this one underneath, we just want to see the top one. So after 30 days or so, we can disable this and say, okay, well, that's disabled, and still look at if there are any issues, and then if there are any issues, we can enable it again. If there is no issue after 90 days, we can delete that rule. So that's how we converted from port or protocol-based rules into just app ID policy based rule.And the second one that we're going to look at,we're going to look this into the Demilitarized Zone, so we can see that it has already had one application seen there and we want to do another conversion. There's three methods that we can convert, so into a demilitarised zone has one app scene, so we already saw if we clicked on it, that's an FTP, and we already saw how we can convert from to create a cloned rule. And that's the best one because you're not going to have a problem. So you can have two rules, both of them in there, and if the first one fails, then it will go to the second one, and then you can disable it. So, but the second method is well, similar. Add two rules. This will create a new rule, FTP firewall. It will actually replace port-based rules with application-based rules and it will move selected applications to a new rule. So click, okay, and if I go back to my security policy, I will see that this has been replaced. He hasn't created two. You see, the one before he created two was cloned. But this one, it just automatically replaced the port-based rule with an application-based policy, for example. And this is more dangerous because if there's a problem, you can't really go back and fix this. And the last method was when we selected match usage. So this one here matches usage. Again, this will be used only when you have a small application known as an app, and it will copy all apps in the app scene to apps on a rule and they will replace the port-based rule with an application-based rule. Another thing we can look at here in the policy optimizer is ruled usage. So if we have a rule that hasn't been used in the last 30 days, for example, if I click on that, it's going to show us any rules that haven't had any hits in the last 30 days, so we don't have this one. It hasn't got any of these hasn't got.So we can either disable these or maybe delete them. But maybe first it's disabled. You can see past 30 days of used rules and we can see maybe we can even put different time frames,for example, past 365 days of unused rules. So, policy optimizer a simple workflow to migrate your port-based security policy rule base to an App ID-based security policy rule base, which will help reduce the attack surface and provide information about application usage. Avoid running evasive applications on non-standard standard ports. And, as previously stated, the first phase is to discover and identify which apps are passing through, after which each new application-based rule is added to the corresponding port-based rule. So we are kind of like making a cloneand the final step is to clean up the one that you're not using anymore. So we went to policies and then no apps specified, and we found out what apps have been seen. And if you click on the apps being seen, you'll have three options to change that rule into App ID. We can clonethem, add the rule, and match usage with policy-based rules. The first option was to clone, and that's going to create another same clone, same ruleto what you have just with App ID. Now, as you can see here,the two rules are exactly the same. This one here and this one here, it's the same. But this one has an application and this one has appID information. The second method was to add a rule. This was to convert it automatically. We are not creating the clone,it's just that we convert it automatically. And third, you have to match usage and create a policyApp ID rule based on the usage of the applications. And then, after 30 days, you can disable it. Well, disable it first, and after 30 days you can disable it. I would run them side by side for 30 days, then disable it after 30 days, and finally delete it after 90 days. Update of dynamic content App ID Palo Alto Network adds a new application to the App ID database every week. And then we can download these. We can either download them as scheduled downloadonly, or we can schedule download and install them, or we can manually download them. right? To download them you can go to My Firewall and I'll show you how to go to Devices or Devices and then at the end here you have a dynamic update and we are not downloading or updating antivirus where we just go further down and we have applications and threats. You can click here to download the schedule. So for example, every Wednesday at 01:00 we downloadit only or we can download and install. Once we download the application,we can review the application. So what are the new applications being put out by Palo Alto Network? App ID: As you can see, these are new apps here. So, for example, CC Link was known as UnknownUDP and is now known as CC Link. These are the ports to use, and you can look at all the updates as well as we can, to see if anything interferes with or causes a problem with our policies. So we can review the policies. If we have any problems, they will show up here.

4. 4.4 Lab App-ID

We are covering PC NSA 210. And this is our chapter four app.ID, or application identification. Now this is the fourth video of chapter four, which is 4.4 Lab Application ID or App ID. Now we can in this video. We're going to put everything that we learn together in this practise lab. So what we're going to do is to create an application-aware or App IDsecurity policy rule to allow the inside users to go outside but just search in applications. And then we can create a port-based policy rule. Well, I'm going to create two port-based security rules and then be able to migrate these two app-ID security policy rules. Then I'm going to enable interzone login, and then enable the application block page for blocked applications. And then we're going to test this as well, so we can see that when the user is actually going to some site or you're trying to use an application that is not supposed to, you're going to get a warning. And then by that time, we should be able to see some applications with a policy-based policy and then be able to migrate them to application-aware policies. This is the laptop that I have. I have already created some basic configurations, including the Nap policies. So I have an inside zone with an A Windows Seven machine that will be testing it. And that Windows Seven machine has got a 192-1681 200 IP address, and that's a gateway, the 192-1681 one. I can go and show you that on my network. So if I go to that, that's a connection to my firewall and a connection to PCA. This is the inside zone PC, which is this PC here. And the IP address is 192-1681 200.So I can open the command prompt. Let me remove this so we can see it better. If I say ping, I'll do IP configuration first. You can see that's the IP address. And then I should be able to ping mygateway, which is the 192-1681 one, and that's fine. Next, I have connected another PC, Windows Seven,and that IP address is 230-11320, and it should be able to ping the gateway is one.So on another PC outside PC, I can open the command prompt for this PC's IP config and I should be able to pin my gateway, which is fine. Okay, And I also have an Ubuntu server that is located in the Mydemo trite zone that uses FTP to this server. So the idea is that we're going to have an App ID application-aware security policy rule that will allow inside users to go to the outsidezone, from inside zone to outside zone, and just search for an application, not everything. And then when they try and test some application that they're not allowed to see, they should see a blog page. And then I'm going to create a port policybased rule which means I'm going to allow myinternal users to go to the demilitarised zone and myoutside zone to go to the DMZ zone just using FTP. Well, first we're going to allow FTP with any application,just support FTP, and then we're going to be able to migrate this to an Application Aware Security Policy rule. Okay, that's the idea. So I'm going to go to my firewall again. First we're going to create an application over ID that allows the inside users to go to the outside or inside zone users to go to the outside zone. So click Add and in the name, we're going to say in to out. And this is my app ID. And to get more familiar with everything that you need to write here, you should watch the previous videos. I'm going to do it fast here. So just so we don't take too long from those videos, But you meant to type the description tag in audit comments and all from source. I'm going to put the source zone inside and the source address is going to be the whole MyInsight network address, which is 1921-681-0424. I can have some addresses here that I don't want to use. So you can use Negate here as well. Then the user. We don't have a user ID yet or a host information profile. So we're just going to leave it to anydestination. Well, any destination is going to be outside. So from inside to outside destination address,we're just going to leave it toany and then applications in the application. I can write down what applications are because this is an Application Aware Security Policy rule. So we're going to use Facebook. So we're going to test it with Facebook. So, Facebook base. I'm also going to allow DNS, so we should be able to use DNS. It's also going to allow SSL and web browsing. So SSL and web browsing, right? So these applications, or Applicationaware SecurityPolicy rules, allow these to go through service and URL. We're just going to leave it to the application to defaultand any URL, an action we cannot allow. We could deny it or we could drop and reset either the client server or both. No, this one we can allow. And we're going to log in at the session end. If you want to troubleshoot something, we're going to have a log at session start. Nothing for log forwarding,nothing for profile settings. These are all coming up in the future schedule. We've already done it in the previous video. I think chapter three and quality service Okay, there's going to be no marketing after I click Okay, we're going to get a new tab here at the end, right? Let's start by clicking okay. So that's your app IDor application-aware security policy. And we can create two more. As long as they use FTP, we can create one from the inside zone to the demilitarised zone. So click Add and I'm going to put in TODMZ and source is going to be the inside zone. The source address is going to be the same network that I have, 1921-681-0424, and then the username destination, which we live as a default user destination, is going to be the DMZ destination address. Well, the destination address is going to be theDMZ, which is for insights. I'm going to translate this address to the DMZ or Ubuntu server. Now, if you look at the Ubuntu server,the actual IP address is 19216 8510. But the idea is that this firewall is going to translate if somebody wants to go to Ubuntu,they need to access the address. This address. So when they want to go to Ubuntu,they go to this address and then the firewall will translate this to that address. For here, I'm going to create a brand new address, 2030 at 1310. When outside users want to go to Ubuntu Server FTP, they will go to this address, and then the firewall will take that address and translate it to Ubuntu's address. So that's the idea here. So we're saying destination address is that and the application, which we'll leave to default to any application because this is a port or protocol policy based rule, and the service as long as they use FTP. And I have created this service. FTP action again, same click. OK, so I'm going to create another port-based security policy rule. You see, with the port-based security policy rule, the word in the application is any. And really, the Palo Alto network firewalls recommend using the word any as little as possible in your securitypolicy rule. Okay, so I'm going to create another security policy rule that says this is from outside zone to DMZ and the source is outside zone, the destination is the DMZ. So in the source, we don't really know any addresses. It can be any address. The destination zone is going to be the DMZ, but the destination address is going to be the server, which is two or 3013 dot ten. And that's going to be translated into the internal Ubuntu service IP address application any.And we're going to convert this to say, FTP only. But on the service, we're going to say we're going to use the FTP service and we're going to allow this and log at the sentient end. Okay? As you can see, we have two protocol-based security policies and one application identifier or application ID security policy rule. I just did this too. So I did create an application-aware app ID security policy and I did create a port-based security policy. Then we can enable interzone login and we can enable the application blocking page. When the users try and access some applications, they are not allowed to see what they should see. So, log in to your zone. To enable that, you need to just select enterzone default and then say override by default. It's not logged in and we want to log in. We don't want to change the action, which is denied by default. We just want to log in and click OK. And you can see the icon changed. It has been overridden. And the next thing we're going to see is the application block. When the user tries to access some apps that they're not supposed to, they should see some page that says, "Well, you're trying to access something they're not allowed to." So go to Device and that is located under Device and then Response Pages and the response page By default, the application block page is disabled. You can enable your own web page to appear if you want. And you have to select that if you want to, or if you want just to take the default, just enable it here. Okay, and now we are ready to commit. So we're just going to do it. Okay, now they have committed successfully. And I'm just going to show you what policies we have actually created. We created inside, going outside, and we let Facebook and web browsing. That's it. And we created a policy from inside the diminutrite zone. They're using FTP and also connecting from outside to a small zone. But that's AppAware, these are port-based, right? That's what we're going to do. Go and test it. So if I access the internal machines, which I have, for example, this is inside. So this should be able to go to the FTP server. Enter FTP 1921-681-6811. And I'm logged into that FTP. So labuser. Okay, let me try again. As a result, lab user Okay, now I'm logged in on that FTP server, it's fine. So if I go to my firewall and thepolicies, I should see some hit count on this into the DMZ, which is already there. I can see it twice because once it didn't work. And then let me try from the outside. I should be able to FTP to that server as well. So FTP, but the address of FTP is outside the address here, 1310. And I'm in. That's it. Login successful. So if I go to my firewall now, this one here should have some hit counts as well. So if I refresh, there we go, we have a one-hit count and the time and date of the first hit. Those two, I'm expecting to see here in the apps scene, and then we can migrate them. Now we're going to go ahead and test this here. So I'm going to go from inside and try and get to, for example, Facebook. Okay, so I'll do www.facebook.com and I'm fine with Facebook. I can access it. Okay, for example, let me try to access, for example, something else. I can access Wikipedia as well. I should be able to, yes, because this is just a normal web browser. But if I do want to access something like that, it's known as not just a web browser, but a known application. For example, shuttify. I should get a block page because this is not allowed to read. I'm still not allowed to go through it, as you can see, but I'm not getting the blog page. Let me try and test another one. So, for example, yes, this one is actually giving me the blog page and this is what I was expecting. So if I try to access some application that's identified as not just a regular web browser,then I should get a web page. And on the block page, it says "application-blocked access is not allowed in our company." And that's my user ID. And if I had the user ID, it would actually give me the ID of the user, not just the IP address and the application I'm trying to access. But this shutterfly did not access it either. So I can try it again just in case I did. Okay, so that's still not going through. OK, so if I go back to my security policy now, I'm expecting the first security policy to get some hit counts. And if I refresh that, you see I got quite a few hit counts because I did a few tries. Okay, we have some interzone default logins, so you can see that some have been denied. And those are the places I was trying to go that I'm not supposed to. So let me go to monitor and then logs and then traffic. So you can see here the places that I did go to and the places that didn't work. Okay, let me refresh. It's already been denied. I can see some DNS have been denied. On Facebook, that's allowed. Let me just filter out the one that I did access. You see, for example, I did a filter on this one that I tried to access and it says, "Okay, from this PC you're trying to go to this destination and the action is denied." And the security policy rule is interzone default. So it didn't match the app ID, it didn't match the FTPS, and it just matched the interzone. And its policy says to deny it. You can search for stuff that you try to access. For example, let's see, shutter flies as well. You can see this must be from a different day that I was trying it. But from today, what I'm doing, it's from yesterday. From today, which is the 16th,it's actually entered the zone and hitting the interzone. So if I go to policies again and I see the security policy refresh, I have 718 on the first policy,two FTPS from inside to the DMZ and one from outside to the DMZ diminutrizone, but I have not seen the app ID. This is usually done on a virtual machine, and it takes time. So it can take anywhere from 15 minutes to well over an hour for something to appear there. So what I'm going to do is I'm going to actually try a few more times and then pause the video and come back when something comes back. Okay, so if I go here and try to access it again, okay,and then I'll try from the outside PC as well, right? So I'll do that first, and then I should have a couple more added to my security policy. So there really should be three and two really.There we go. But nothing in an app's ID when it comes back. Then I'm going to show you how to convert or how to migrate from the older port-based rule to an AppAware policy. So we made an Applewaresecurity policy, we made an interzone login, which you saw, you saw the application block page where you could enable it, and we tested it. We're just waiting to see how to migrate it. When this comes back with applications, I'll resume the video. Okay? This video was paused for about 45 minutes. And now when I refresh it, it says that on the first policy it's three applications seen. The second policy is one application which is FTP. And then on the third policy, we have another application. Now, the one on the top is called Application Identifier, or Application aware security policy.So these are the applications, but of these two, the second policy and the third policy, it's a port-based policy. And we need to migrate these to application-based The thing is, you really would like a month or maybe 60 days. You would run a port-based or protocol-based policy just to find out what applications are going through your firewall. And then you can start migrating from port-based to app ID. It's kind of like in stages. You can't automatically, as soon as you get a firewall, know what applications are out there or what applications you are using. Okay, so the first thing we're going to migrate is this into the DMZ, and then we're going to migrate the third policy. To migrate it, you can click this hyperlink or you can open the policy optimizer, which is located just underneath the policies. So we have a policy optimizer. And there we can see that there are two no-app specified. So we can say there are port-based policies. That's what it says. There are two port-based policies. In other words, okay, so we have these policies and they are not application-aware security policies. So you can see the apps allowed,any app seen, one on each. So we're going to migrate the first one into the DMZ first. So, if I say that first, you can see three ways that we can migrate thisport-based policy into an app or application where policy we have adda rule, create a clone rule, and match usage. Now the best one that I would use is the clone rule, because what this would do would take this policy and it would create a clone. So you'll have both of them. You have an application away policy, and underneath that, you have a port base policy. And that should always be the top one because the policies are read from top to bottom. As soon as you hit the policy, it stops reading underneath it. So what I'm going to do is the first one. I'm going to show you the cloned one. So I'll click on that, so highlighted,and then create a cloned rule. And this one I'm going to say, I'm going to totype clone into DMZ, and this is your app ID. And click okay, now that's been migrated from the demonstrate zone has been migrated. So if I go to policies and then select security again,then you should see two of the same ones. But one of these app IDs is a port base. So this one is an app ID because we just cloned it. And from the any application, it's gone to the FTP application. And then there's one underneath it. And I would run them like this for about 30 days. And then you see that all the hits now go on the cloned one. You should not have any more hits under your belt, right? So that's what I'm going to do. We're going to try it again. So let me reset the counters. So I'll just send everything to zero. When I run another test from inside the DMZ, we should see hits here, but not on the one beneath it. Okay, so let me go to the inside, we'll try again. So now let me just go and refresh this. Now, as you can see, it's still not working. The reason is that I'm just thinking about it right now. I didn't commit it. So it's still actually using this. It's not using the clone one. So I need to commit. Okay, the commit has been successfully completed. So I'm going to actually reset the counters again, and then I'm going to try again. So go to the PC inside the PC,exit from that, and try it again. Login. Okay, I'm in. So let me go and have a look again. So you see, now it's gone on the cloned one, four hits,no hits into the DMZ and in the normal port base policy. So after a while, you can disable it after 30 days if you haven't had any hits, and see if there's any problem. If it's still not creating any problems, then you can actually go ahead and delete it. Okay, And then the next one that we're going to see, no apps specified, out to the diminutrite zone. We can see there is one app there. So if I click on that, then we have an option. Create a clone. We've already done it. Let's just create another clone and it will be put on top of the old one. Add a rule. This is not a clone; rather, it will convert this policy-based security policy to an application-based or app ID-based security policy. But you're not going to have two, you're going to have only one. And this is a bit more dangerous because if there are any problems or any new applications or anything like that, then they're not going to work. So at the rule, I'm just going to click OK and this is done. And when I click OK again and go to the security policy rules, you see that the diminutrite zone, out of the DMZ, has been changed, but we don't have two of them, we don't have the clone one. It's just that this one has already been converted from the normal policy port based into application based and that's it. We don't have the old one with the clone, we have the old one, which I would prefer the cloned one. Okay, so I'm going to go into the outside PC and just test it again. Okay, so exit here and try again. I think I typed the password wrong. Let me try it again. Yes, I'm in now. Login successful. So if I go back and refresh it,I should see a couple of packets. There we go, two of them. One of them was the password was wrong. There we go. And the third method, which is only preferred if you have a small option of match usage This one here is that we haven't got anymore to actually show you, but the match usage is going to be if you want to match a small number of applications. Copy all apps in the app scene to the appon the rule, and it will replace the port-based rule with an app-based policy. If you want to later on, like, find out what applications have been updated and maybe you want to know what is an implicit and explicit application that needs to be allowed. You need to go to Objects and we will look at the updates very soon, but you need to go to Objects and look at applications. For example, you start typing what application you want to use. So say Office on Demand. I just bought Office. It's going to bring Office on Demand and when you click on that application it's going to show you what other application it depends on. So you can see that Office onDemand depends on these applications. So for it to work on your security policy, you need to enable these applications. Some applications have implicit uses, so you don't need to enable them. They will still use them. If you want to update your applications, let me just zoom out a little bit so we can see it clearly. You can go to the device, and then at the end, you have an update, a dynamic update, and the application enters. When you want to download the application, when do you want to update it? For example, do you want to only download only?Do you want to download and install it or not? And then you can review the apps and then check them or run them through your policy. Does it create any sort of clash or anything that doesn't go through with your policies? OK, that's it.

ExamSnap's Palo Alto Networks PCNSA Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Palo Alto Networks PCNSA Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.