app-id
- identifies apps
- rules can be created for specific apps not just ports
app-id traffic identification
- only known apps can traverse the firewall
- often only needs to examine one udp packet to identify the app
- requires more packets to identify apps that use tcp (3 way handshake is insufficient)
- if traffic is encrypted the firewall references the decryption policy to determine if the traffic should be allowed, blocked or decrypted and inspected
app-id identification technologies
- application signatures
- unknown protocol decoder
- known protocol decoder
- protocol decryption
application signatures
-database of signatures that is regularly updated
unknown protocol decoder
-heuristics engine that attempts to identify apps based on network behaviour
known protocol decoder
-decoders that understand the syntax and commands of common apps
protocol decryption
-ssl/tls decryption
app-id operation
- extract ip/port
- check security policy
- if traffic is allowed, it is processed by the unknown protocol decoder, known protocol decoder, or the decryption policy
- application signature
- check security policy
- allow or block
application shifts
-since security policy rules are examined for every packet, firewall can detect protocol changes within a session
application dependencies
-when creating a security policy to allow an app you must also allow its’ dependencies
application filters
- object that dynamically groups apps based on attributes selected from the app-id database
- used when creating rules based on match criteria instead of specific apps
app groups
-static admin defined set of apps that can be used to define a single policy for all of them
application block page
- notifies the user that their session is denied if they try to use a blocked web based application
- can be enabled or disabled
updating app-id
- app-id database is part of the application and threat content update packages
- it is best practice to schedule download and install of application and threat content updates automatically
- released on the third tuesday of each month
- review period for app-id updates can be scheduled for manual review
content-id
- combines real time threat prevention engine with policies to inspect and control content
- provides threat prevention and data loss prevention
- occurs after app-id
security profiles
- applied to all traffic with an allow action in the security policy rule
- represent additional checks that the allowed traffic must pass
- events related to security profiles are recorded in the firewall threat log
available security profiles
- vulnerability protection
- url filtering
- anti spyware
- antivirus
- file blocking
- data filtering
- wildfire analysis
- security profile group
vulnerability protection security profiles
- collections of vulnerability protection signatures grouped into rules
- grouped by type (client/server)
- grouped by severity (informational, low, medium, high, critical)
- custom profiles can be added
- exceptions allow legitimate network traffic that has triggered a false positive to pass
antivirus security profiles
- protects against common forms of viruses
- scans files and transmission channel protocols
- exceptions allow legitimate network traffic that has triggered a false positive to pass
anti spyware security profiles
- organized by severity (informational, low, medium, high, critical)
- exceptions allow legitimate network traffic that has triggered a false positive to pass
file blocking security profiles
- blocks prohibited and suspicious files from being downloaded or uploaded
- blocks based on file name extension and file contents
file blocking actions
- alert, logs and allows
- continue, logs and allows with user permission
- block, logs and blocks
data filtering security profiles
- patterns of data can be blocked
- useful for data loss prevention ex. credit card number
denial of service protection
- packet based
- mitigates layer 3 and 4 attacks designed to disrupt network operation
