
Palo Alto Networks | App-ID | Solution Brief 1

App-ID

A foundation for visibility and control in the Palo Alto Networks product ecosystem, App-ID™ is a patented traffic classification technology that uses multiple identification techniques to determine the exact identity of applications traversing your network, irrespective of port, protocol, evasive tactics, or encryption. App-ID provides you with the knowledge and flexibility you need to safely enable applications and secure your organization with:

• A more complete understanding of the business value and risk of applications traversing your network

• Creation and enforcement of safe application enablement policies

• Application visibility and control back at the firewall, where they belong

As the foundational element of our enterprise security platform, App-ID provides visibility and control over applications—even those that try to evade detection by masquerading as legitimate traffic, hopping ports, or sneaking through the firewall under encryption.


In the past, unapproved or non-work-related applications on your network left you with two choices: block everything in the interest of data security or enable everything in the interest of business. These choices left little room for compromise. App-ID lets you see the applications on your network as well as learn how they work, their behavioral characteristics, and their relative risk. In conjunction with User-ID™ technology, this means you can see exactly who is using the application based on their identity, not just an IP address. Armed with this information, your security team can use positive security model rules to allow the applications that enable the business, controlling them as needed to improve your security posture.

Firewall Traffic Classification: Applications, Not Ports

Stateful inspection, the basis for traditional firewalls, was developed at a time when applications could be controlled using ports and source/destination IPs. The strict adherence to port-based classification and control is foundational and cannot be turned off. Even when augmented by “after the fact” classifiers, traditional firewalls cannot effectively control modern applications, which have evolved the ability to easily slip past stateful inspection.

Recognizing this, Palo Alto Networks developed App-ID, an innovative technology that does not rely on any single element, like port or protocol, to identify applications. Instead, App-ID uses multiple mechanisms to determine what the application is, and the application’s identity then becomes the basis for firewall policy. App-ID is highly extensible, and we have added or updated application detection mechanisms to keep pace as applications have continued to evolve.

Figure 1: How App-ID classifies traffic

Multi-Technique Classification

Using as many as four different techniques, App-ID identifies an application as soon as the traffic hits the firewall, irrespective of port, protocol, encryption (TLS/SSL or SSH), or other evasive tactic. While the techniques and their order of execution will vary by application, the general flow is as follows.

1. Application Signatures

Signatures look for unique application properties and related transaction characteristics to correctly identify the application regardless of its protocol and port. The signature also determines if the application is using its default or a nonstandard port (e.g., RDP on port 80 instead of its default port 3389). If the identified application is allowed by security policy, further analysis of the traffic is done to identify more granular applications as well as scan for threats.

2. TLS/SSL and SSH Decryption

If App-ID determines that TLS/SSL encryption is in use, and you have a decryption policy in place, the traffic is decrypted and passed to other identification mechanisms as needed. If you do not have such a policy in place, decryption is not employed. App-ID takes a similar approach with SSH to determine if port forwarding is in use as a means of tunneling traffic over SSH. Such tunneled traffic is identified as “ssh-tunnel” and can be controlled via security policy.

3. Application and Protocol Decoding

Decoders for known protocols are used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Slack® used across HTTP). Decoders validate that the traffic conforms to the protocol specification, and they provide support for network address translation (NAT) traversal and opening dynamic pinholes for applications such as voice over IP (VoIP) or File Transfer Protocol (FTP). Decoders for popular applications are used to identify the individual functions within the application as well (e.g., webex-file-sharing). In addition to identifying applications, decoders identify files and other content that should be scanned for threats or sensitive data.

4. Heuristics

Some evasive applications (e.g., peer-to-peer file sharing or VoIP applications that use proprietary encryption) still cannot be detected and identified even through advanced signature and protocol analysis. In these situations, it is necessary to apply additional heuristic or behavioral analysis to identify them. The actual heuristics used are specific to the application and include checks based on things such as the packet length, packet source, and session rate.

With App-ID as the foundational element of our security platform, your security team can regain visibility into, and control over, the applications traversing your network.
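The four-stage flow described above, as an added illustrative model written for this page; it is not Palo Alto Networks code and does not reflect the internal implementation of App-ID. The flow records, the signature byte patterns, the Webex hostname and path patterns used as context signatures, the `unknown-tcp` label for traffic nothing identifies, and the fixed-packet-size heuristic are all constructed assumptions. What it shows is how a signature verdict, a decryption policy, a protocol decoder and a behavioral check combine into a single application identity, and how a known application seen away from its default port (RDP on 80) is flagged rather than trusted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Flow:
    """One session as the classifier first sees it (constructed sample data)."""
    dst_port: int
    payload: bytes                                      # first bytes on the wire
    decrypted: bytes = b""                              # plaintext a decryption policy would expose
    pkt_lens: List[int] = field(default_factory=list)   # packet sizes, for the heuristic stage


@dataclass
class Verdict:
    app: str
    technique: str = "none"         # which stage produced the identity
    nonstandard_port: bool = False  # application seen away from its default port
    decrypted: bool = False         # a decryption policy was applied


# Stage 1: application signatures, each paired with the application's default port.
SIGNATURES = [
    ("rdp", re.compile(rb"^\x03\x00"), 3389),      # TPKT header that opens an RDP connection
    ("ssh", re.compile(rb"^SSH-2\.0-"), 22),        # SSH version banner
    ("ssl", re.compile(rb"^\x16\x03"), 443),        # TLS handshake record
    ("web-browsing", re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), 80),
]


def decode_http(stream: bytes) -> Optional[dict]:
    """Stage 3 decoder: validate the request line, then expose host and path."""
    lines = stream.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = re.match(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "host": headers.get(b"host", b"")}


# Context-based signatures applied inside the decoded HTTP stream; the host and
# path patterns are constructed for this example, not real App-ID content.
HTTP_CONTEXT = [
    ("webex-file-sharing", rb"webex\.com$", rb"^/files/"),   # function-level App-ID
    ("webex", rb"webex\.com$", rb""),                          # base application
]


def classify(flow: Flow, decrypt_policy: bool) -> Verdict:
    verdict = Verdict(app="unknown-tcp")   # assumption: label for traffic nothing identifies
    stream = flow.payload
    for app, pattern, default_port in SIGNATURES:                # 1. signatures
        if pattern.search(stream):
            verdict.app, verdict.technique = app, "signature"
            verdict.nonstandard_port = flow.dst_port != default_port
            break
    if verdict.app == "ssl":                                      # 2. decryption
        if not decrypt_policy:
            return verdict            # no decryption policy: identity stays "ssl"
        stream, verdict.decrypted = flow.decrypted, True
    request = decode_http(stream)                                 # 3. decoder + context signatures
    if request is not None:
        verdict.app, verdict.technique = "web-browsing", "decoder"
        for app, host_pat, path_pat in HTTP_CONTEXT:
            if re.search(host_pat, request["host"]) and re.match(path_pat, request["path"]):
                verdict.app = app
                break
        return verdict
    if verdict.app == "unknown-tcp" and len(flow.pkt_lens) >= 8:  # 4. heuristics
        if len(set(flow.pkt_lens)) == 1:   # toy rule (constructed): constant packet size
            verdict.app, verdict.technique = "unknown-fixed-size-stream", "heuristic"
    return verdict
```

Two flows with byte-identical TLS handshakes are reported as `ssl` when no decryption policy applies and as `webex` or `webex-file-sharing` when one does, which is the visibility difference the decryption stage buys; the function-level identity only appears once the decoder has a plaintext HTTP stream to apply context signatures to.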

Dealing with Custom or Unknown Applications

New applications are added to the App-ID database monthly, yet nearly every network will still have cases where unknown application traffic is detected. There are typically three cases where unknown traffic will be detected:

• Unknown commercial applications: Using visibility tools, you can quickly determine if unknown traffic is a commercial off-the-shelf (COTS) application. If so, you can capture and submit traffic packets to Palo Alto Networks for App-ID development. New App-IDs will be developed, tested, and added to the database for all users in a monthly update.

[Figure 1 is a flow diagram; the image is not reproduced here. Nodes shown: Start; Check IP/Port; Check Signatures; Check Application Signature; Decryption (SSL or SSH); Decode; Known Protocol Decoder; Unknown Protocol Decoder; Apply Heuristics; Identified Traffic (No Decoding); Report and Enforce Policy; with four Policy Check gates between stages.]


• Internal or custom applications: You can create a custom App-ID using a set of available protocol and application decoders. Once the custom App-ID is developed, your internal application is classified and inspected just like applications with standard App-IDs. Custom App-IDs are managed in a separate database on the device, ensuring they are not impacted by the monthly (commercial) App-ID updates.

• Threats: Here too, you can quickly determine risk levels using the behavioral botnet report or other forensics tools to isolate characteristics and apply appropriate policy control.

Even after attempts to identify, some traffic may remain unknown. Because our firewalls support a positive enforcement model, the remaining unknown traffic can be blocked (by default) or allowed but tightly controlled by policy if desired. Alternative offerings (e.g., intrusion prevention systems) are based on negative control and will allow unknown traffic to pass through without providing any visibility or control.

How App-ID Works: Identifying Webex

When a user initiates a session with Cisco Webex®, the initial connection is an encrypted communication. With App-ID, the device sees the traffic, and the signatures determine that it is using TLS/SSL. The decryption engine and protocol decoders then decrypt the traffic and detect that it is HTTP traffic. Once the decoder has the HTTP stream, App-ID can apply contextual signatures and detect that the application in use is Webex. At this point, the session traffic becomes known as Webex traffic by the firewall. Visibility (through the Application Command Center [ACC] in the user interface) and control of the Webex traffic via security policy are enabled.

If an end user initiates Webex Desktop Sharing, App-ID will detect the shift from conferencing to remote access. Again, visibility to this specific function would be provided, and policy control over Webex Desktop Sharing—distinct from general Webex use—would be possible.

Application Identity: The Heart of Policy Control

Identifying the application is the first step in learning more about the traffic traversing your network. Learning the application’s functions, ports, underlying technology, and behavioral characteristics is the next step toward being able to make a more informed decision about how to treat the application. Once you have a complete picture of usage, you can apply policies with a range of responses, including, in any combination:

• Allow or deny

• Allow but scan for exploits, viruses, and other threats

• Allow based on schedule, users, devices, groups, or dynamic address groups (DAGs)

• Control file or sensitive data transfer

• Decrypt and inspect

• Apply traffic shaping through quality of service (QoS)

• Apply policy-based forwarding

• Allow a subset of application functions

With App-ID as the foundational element of Palo Alto Networks firewalls, you can restore visibility and control over the applications and traffic traversing your network.

Figure 2: Application Function Control to safely enable applications or individual functions (e.g., sharing, posting, downloading)


Application Function-Level Controls

To many customers, safe application enablement means striking an appropriate security policy balance by enabling some application functions while blocking others. For example:

• Allow Microsoft 365™ use with enterprise accounts/documents, but block personal use of Microsoft 365

• Block Facebook mail, chat, posting, and apps, but allow browsing of Facebook itself

• Allow use of Webex, but disable file transfer

• Allow file downloading but not uploading or sharing

Using an application hierarchy that includes the base application and supporting functions, App-ID makes it easy for you to choose which applications to allow overall, while blocking or controlling functions within the application. Figure 2 shows different levels of application control within the security policy.

Controlling Multiple Applications: Dynamic Filters and Groups

In some cases, you may want to control larger groups of applications in bulk, rather than individually. App-ID supports two mechanisms that address this policy requirement.

Dynamic Filters

A dynamic filter is a set of applications that is created based on any combination of the filter criteria: predefined or custom tag, category, subcategory, behavioral characteristic, underlying technology, or risk factor. Security policy (e.g., deny, allow, scan) can be applied to dynamic filters and enforced for application traffic that matches filter criteria.

As new App-IDs are introduced and delivered to the firewall via updates, dynamic filters are automatically updated for applications that meet filter criteria. This helps minimize administrative effort associated with security policy management. Figure 3 shows a snapshot view of the Palo Alto Networks Application Research Center, a.k.a. Applipedia. Here, you can browse the database of App-IDs, including an interactive view of applications based on the same criteria that can be used in dynamic filters.

Application Groups

An application group is defined as a static list of applications (e.g., a group of remote management applications, such as RDP, Telnet, and SSH). In a typical organization, each of these applications is used by support and IT personnel, yet employees who fall outside of these groups are also known to use them to access their home networks. An application group can be created with an associated security policy that allows use only by support and IT personnel (supported by User-ID). As new employees join the organization, they need only be added to the appropriate group. No updates are needed to the security policy itself.
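The policy concepts from the last few sections, the positive enforcement model (unknown traffic denied by default), the application hierarchy (allow Webex but deny Webex file transfer), dynamic filters that pick up new App-IDs automatically, and a static application group restricted to a User-ID group, as one added worked example. This is a model written for this page, not PAN-OS code or its rule-matching semantics; the application database entries, categories, risk values, user group, rule names and the hypothetical App-IDs delivered by `content_update` are all constructed. One modelling assumption is spelled out in `evaluate`: a rule naming a base application also covers its function-level App-IDs unless an earlier rule handles them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AppInfo:
    """Per-application metadata of the kind the brief describes (constructed values)."""
    name: str
    category: str
    subcategory: str
    risk: int                          # 1 (low) to 5 (high)
    tags: FrozenSet[str] = frozenset()
    parent: Optional[str] = None       # function-level App-ID under its base application


AppDB = Dict[str, AppInfo]

# Constructed App-ID database excerpt; categories and risk values are illustrative.
APPS: AppDB = {a.name: a for a in [
    AppInfo("web-browsing", "general-internet", "internet-utility", 4),
    AppInfo("webex", "collaboration", "internet-conferencing", 2),
    AppInfo("webex-file-sharing", "collaboration", "internet-conferencing", 3, parent="webex"),
    AppInfo("rdp", "networking", "remote-access", 4),
    AppInfo("ssh", "networking", "remote-access", 4),
    AppInfo("telnet", "networking", "remote-access", 5),
]}

Selector = Callable[[AppDB], Set[str]]


def dynamic_filter(predicate: Callable[[AppInfo], bool]) -> Selector:
    """Re-evaluated against the database at match time, so applications delivered
    by a later content update are covered without touching the rule."""
    return lambda db: {a.name for a in db.values() if predicate(a)}


def app_group(*names: str) -> Selector:
    """Static list of applications; changes only when an administrator edits it."""
    members = frozenset(names)
    return lambda db: set(members)


def lineage(db: AppDB, app: str) -> Set[str]:
    """The application plus every base application above it in the hierarchy."""
    chain: Set[str] = set()
    current = db.get(app)
    while current is not None:
        chain.add(current.name)
        current = db.get(current.parent) if current.parent else None
    return chain


@dataclass(frozen=True)
class Rule:
    name: str
    apps: Selector
    action: str                             # "allow" or "deny"
    users: Optional[FrozenSet[str]] = None  # None = any user; otherwise a User-ID group


def evaluate(rules: List[Rule], db: AppDB, app: str, user: str) -> Tuple[str, str]:
    """First matching rule wins; traffic no rule names is denied (positive model).
    Assumption of this model: a rule naming a base application also matches its
    function-level App-IDs unless an earlier rule handles them separately."""
    for rule in rules:
        if rule.users is not None and user not in rule.users:
            continue
        if rule.apps(db) & lineage(db, app):
            return rule.action, rule.name
    return "deny", "default-deny"


def content_update(db: AppDB, *new_apps: AppInfo) -> AppDB:
    """Simulates a monthly App-ID content update arriving at the firewall."""
    updated = dict(db)
    for info in new_apps:
        updated[info.name] = info
    return updated


IT_STAFF = frozenset({"alice"})   # constructed User-ID group
POLICY = [
    Rule("block-high-risk", dynamic_filter(lambda a: a.risk >= 5), "deny"),
    Rule("no-webex-file-transfer", app_group("webex-file-sharing"), "deny"),
    Rule("allow-collaboration",
         dynamic_filter(lambda a: a.category == "collaboration" and a.risk <= 3), "allow"),
    Rule("remote-mgmt-it-only", app_group("rdp", "ssh", "telnet"), "allow", users=IT_STAFF),
    Rule("allow-web", app_group("web-browsing"), "allow"),
]
```

Rule order carries the function-level control: `no-webex-file-transfer` must sit above `allow-collaboration`, otherwise the base-application match lets the file-sharing function through. A hypothetical conferencing App-ID that arrives in a later update is allowed by the dynamic filter with no policy edit, while a hypothetical high-risk one is caught by `block-high-risk` the same way; anything the database does not know at all falls through to `default-deny`.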

Expanding the List of Applications

We expand the list of App-IDs monthly with 10 to 20 new applications typically added based on input from customers, partners, and market trends. When you find unidentified applications on your network, you can request development of a new App-ID. Once it is developed and tested, we will add it to Applipedia in a monthly content update. For your homegrown or customized applications, you can create a custom App-ID using built-in tools.

Figure 3: Up-to-date application research and analysis available on Applipedia

3000 Tannery Way, Santa Clara, CA 95054

Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087

www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. parent_sb_app-id_042821

Move to App-ID-Based Rules with Policy Optimizer

We provide a free, built-in tool called Policy Optimizer, which provides a simple workflow to migrate your legacy security policy rulebase to App-ID-based rules. Policy Optimizer identifies port-based rules so you can convert them to application-based rules that allow the traffic, or add applications to existing rules, without compromising application availability (see figure 4). It also identifies overprovisioned App-ID-based rules (i.e., those configured with unused applications). Policy Optimizer helps you prioritize which rules to migrate or clean up first, analyze rule usage characteristics such as hit count, and identify application-based rules that allow applications you don’t use. (Removing unused applications from rules is a best practice that reduces the attack surface and keeps your rulebase clean.) Additionally, Policy Optimizer helps you identify new applications recently seen in your network as well as resolve application dependencies and rule shadowing. It is a powerful tool that helps you keep your security policy clean and narrow, reducing the potential attack surface.
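The kind of analysis the paragraph attributes to Policy Optimizer, as an added example written for this page; it is not Policy Optimizer, and the rulebase, traffic-log excerpt and rule names are constructed. Given which rule allowed each session and what App-ID identified it as, it reports per rule the hit count, the applications observed under a port-based rule (the candidate list for converting it to an application-based rule), the sessions that stayed unidentified, and the applications configured on an application-based rule that never appeared in traffic. The constructed log deliberately shows `rdp` passing through a port 80/443 rule: that entry belongs in the review before conversion, not blindly in the new rule's application list.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    ports: Optional[FrozenSet[int]]   # None = any service port
    apps: Optional[FrozenSet[str]]    # None = "any" application, i.e. a port-based rule


@dataclass(frozen=True)
class LogEntry:
    rule: str        # rule that allowed the session
    app: str         # App-ID verdict for the session
    dst_port: int


# Constructed rulebase: one port-based rule, one application-based rule, one legacy any/any rule.
RULEBASE = [
    Rule("allow-web-ports", frozenset({80, 443}), None),
    Rule("allow-collab", None, frozenset({"webex", "webex-file-sharing", "slack"})),
    Rule("allow-any-legacy", None, None),
]

# Constructed traffic-log excerpt: (rule, application, destination port).
LOG = [LogEntry(*row) for row in [
    ("allow-web-ports", "web-browsing", 80),
    ("allow-web-ports", "web-browsing", 80),
    ("allow-web-ports", "web-browsing", 443),
    ("allow-web-ports", "ssl", 443),
    ("allow-web-ports", "rdp", 80),          # known app on a nonstandard port
    ("allow-web-ports", "unknown-tcp", 443),
    ("allow-collab", "webex", 443),
    ("allow-collab", "webex", 443),
    ("allow-collab", "slack", 443),
]]


def analyze(rules: List[Rule], log: List[LogEntry]) -> Dict[str, dict]:
    """Per-rule usage report built from the log."""
    hits = Counter(entry.rule for entry in log)
    seen: Dict[str, set] = defaultdict(set)
    for entry in log:
        seen[entry.rule].add(entry.app)
    report = {}
    for rule in rules:
        apps_seen = seen[rule.name]
        row = {"hit_count": hits[rule.name]}
        if rule.apps is None:
            row["kind"] = "port-based"
            # applications observed under the rule: candidates for the converted rule
            row["convert_to_apps"] = sorted(a for a in apps_seen if not a.startswith("unknown"))
            row["unidentified"] = sum(1 for e in log
                                      if e.rule == rule.name and e.app.startswith("unknown"))
        else:
            row["kind"] = "app-based"
            # configured but never seen: overprovisioned, remove to narrow the rule
            row["unused_apps"] = sorted(rule.apps - apps_seen)
        report[rule.name] = row
    return report


def prioritize(report: Dict[str, dict]) -> List[str]:
    """Port-based rules carrying traffic first (most exposure), then app-based rules
    with unused applications, then rules with no hits, for cleanup."""
    def key(item):
        name, row = item
        if row["kind"] == "port-based" and row["hit_count"]:
            bucket = 0
        elif row.get("unused_apps"):
            bucket = 1
        else:
            bucket = 2
        return (bucket, -row["hit_count"], name)
    return [name for name, _ in sorted(report.items(), key=key)]
```

Run over the constructed log, `allow-web-ports` tops the list with six hits and three identified applications, `allow-collab` follows because `webex-file-sharing` is configured but never used, and `allow-any-legacy` has no hits at all, which is the case to remove rather than convert.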

Summary

App-ID is a powerful and differentiated core capability of Palo Alto Networks Next-Generation Firewalls, enabling advanced visibility and granular control of traffic in your network. With this visibility and control, you can evaluate what is taking place in your environment, and then define policies that ensure appropriate use, reduce the attack surface, and stop threats. Ultimately, App-ID is a key foundational element in enabling superior risk management for your organization.

Figure 4: Policy Optimizer helps to convert port-based rules into application-based rules