How to Configure App-ID in Palo Alto Firewall

Palo Alto Networks devices have a feature called Application Identification, or App-ID. It's a proprietary technology that's exclusively available on Palo Alto Networks devices and is in charge of recognizing programs that pass through firewalls regardless of their port, protocol, or encryption (SSL or SSH). 

Compared to Palo Alto Networks Application Signatures (nearly 2,000 distinct App-IDs), Application Protocol Decoders, and heuristics, this identification of apps ensures the success of proper Layer 7 inspections at the packet load level. These components are in charge of visibility for Layer 7 (L7) traffic passing via Palo Alto Networks firewalls.

The App-ID component's engine is controlled by a set of pre-defined contexts. Decoders are used in these contexts to help detect tunneled applications within the primary application (for example, Google Talk within Gmail). The PAN-OS App-ID engine categorizes and classifies the apps, enabling correct application group identification and usage at the security policy level.

Ready to Learn Palo Alto Technologies?

CBT Nuggets trainer Keith Barker has a comprehensive course that covers Palo Alto PCNSA certification. His course can assist you in passing the PCNSA exam if you are interested in validating that you have the knowledge to leverage fundamental Palo Alto firewall features.

How Does App-ID Work?

The App-ID engine is constantly providing visibility of the logs (Monitor tab) in PAN-OS when traffic is transiting the Palo Alto Networks firewalls, but the sequence before that visibility is defined as:

"The traffic must adhere to a security policy and be able to accept signatures. These signatures are applied to traffic to identify the application(s) based on their distinct characteristics. If the application uses its regular service ports, the Services column should be set to "application default."

Non-standard ports must be indicated in the Services column of the traffic rule if non-standard ports are used.

If the App-ID engine detects that the traffic is encrypted (SSL or SSH), a decryption policy must be implemented for the App-ID engine to inspect the traffic.

How to Configure App-ID in Palo Alto Firewall

There are various steps to setting up an App-ID in Palo Alto Firewall. We'll go through the fundamental requirements of App-ID, its dependencies, and application groups.

App-ID Fundamentals

The first fundamental requirement for configuring an App-ID in the Palo Alto firewall, is that we need to configure zones, inside, outside, and DMZ. According to the following topology, we have eth 1/1 as an inside zone and eth 1/3 as an outside zone in PA-FW1.

To set up zones, go to NETWORK > Zones > Add and follow the wizard.

The second fundamental requirement for App-ID is to set color coding for the zones. For this, go to OBJECTS > Tags > Add. Choose the zone as “Inside” from the “Name” field, and “Forest Green” from the color field, and click OK. Repeat this step for the outside (red color) and DMZ (yellow color) zones.

You should now see the configured color scheme. Click Commit to accept the changes.

The third fundamental for configuring App-ID is configuring a security rule. The security rule could be configured port-based and application-based. 

To allow SSH access, we'll create a port-based security rule.

Go to POLICIES > Security > Add. In the General tab, enter the name of the rule. 

Go to the Source tab to set up the source zone as “inside”, source address “10.1.0.0” subnet.

On the Destination tab, choose “outside” as the destination zone and “any” as a destination address.

On the Application tab, click on Add and type ssh. On the Service/URL Category tab, click on Add > New Service. Enter the name, protocol as TCP, and destination port as 22, and click on OK.

Once the rule is configured, drag it to the top of the rules. Click on Commit and Commit again to accept the changes.  

How to Configure App-ID Dependencies

Let’s think about an app in the context of a firewall, such as a Palo Alto next-generation firewall, as a program or feature that may be labeled. We can identify it based on its features, which go beyond just the well-known port and include looking at the program and its behavior as it passes through the firewall. Then, if we can label and identify it, we can keep track of it. We can also control it as a result of adding it as part of a security strategy.

Some of the apps are reliant on other apps, which must also be included in the rule if they are to be successful when they reach it. In this section of the article, I'd like to show you how simple it is to detect, as part of App-ID, what dependencies this app has and how we can include those dependencies in a security policy rule. 

To configure App-ID dependencies in Palo Alto Firewall, click on OBJECTS > Applications and that gives you a view into all the applications. 

From the list of applications, look for Facebook and click on it. We have a Facebook category, as well as facebook-apps, facebook-base, facebook-chat, facebook-code, facebook-downloading, and facebook-file-sharing, among other things.

As an example, let's look at facebook-apps. If we click on that, it will take us to the application's information page. And it shows us that it uses TCP port 80 for HTTP and TCP port 443, which is for SSL/TLS.

It also mentions that it is dependent on Facebook. And that implies that if we just put this in an access control policy and check for facebook-apps, and we didn't have facebook-base anyplace else in our policy, users would be upset because they wouldn't be able to access their Facebook apps. Also, if we specify facebook-apps in addition to facebook-base to make it function, it's implicitly using an App-ID object named web-browsing behind the scenes.

Let's configure the facebook-apps as part of a security policy rule. For this, click on POLICIES > Security > Add. And in the General tab, enter the name of the rule, rule type, and description of the rule.

In the source tab, add the “inside” as the source, in the destination tab, add the “outside” as the destination interface, and from the Applications tab, add “facebook-apps”.

And, on the right side of the Application tab, it shows us that it’s dependent on “facebook-base”. 

Click on the checkbox against the facebook-base and click on Add to Current Rule. And, it will add it for us. Click on OK to complete the process. Drag that rule to the top of the list of rules.

Click on Commit and Commit again to save the configurations. 

Adding Applications Group into Security Policy

If we find ourselves repeatedly using the same group of apps and manually adding them to our security rules, we might consider using the application group object. We identify the applications we wish to employ, group them, and then place that group inside of our security policy.

Let's start with the five applications we've already added and know we'll need again and again. We don't want to have to type them in manually every time. We can build a group and then add those five applications to it.  

To add an applications group to the security policy in a Palo Alto firewall,  go to OBJECTS > Application Groups > Add. Enter the name of the group and click on Add again to add several applications and click on OK.

Application groups are now fixed, which means we have to create them. They're not going to evolve dynamically. As a result, an application group is immutable. It isn't dynamic in the least.

We'll incorporate it into our security policy and establish a new rule as a result. To do so, go to POLICIES, choose the previously defined rule (in our case, FaceBook access), and click Add. Enter the name in the General tab, then add "inside" as a source zone in the Source tab. 

Add "outside" as a destination zone in the Destination tab, and an application group that you previously created in the Application tab, then click OK to accept the configurations.

And, move that rule to the top of the list. 

Click on Commit and Commit again to accept the configurations.

Final Thoughts

This article walked through the process of configuring App-ID in Palo Alto firewalls. App-ID is a patented mechanism that allows Palo Alto firewalls to identify applications traversing the firewall independently of its port, protocol, and encryption. By configuring App-ID, you can ensure the success of proper Layer 7 inspections. Learn more about Palo Alto with CBT Nuggets today!