Objects > Applications
The following topics describe the Applications page.
What do you want to know? See:
Understand the application settings and attributes displayed on the Applications page: Applications Overview
Filter, disable, enable, import, export, or tag applications, and review policy impact after a content release: Actions Supported on Applications
Add a new application or modify an existing application: Defining Applications
Applications Overview
The Applications page lists various attributes of each application definition, such as the application’s relative security risk (1 to 5). The risk value is based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls. Higher values indicate higher risk.
The top application browser area of the page lists the attributes that you can use to filter the display as follows. The number to the left of each entry represents the total number of applications with that attribute.
Weekly content releases periodically include new decoders and contexts for which you can develop signatures.
The following table describes application details—custom applications and Palo Alto Networks applications might display some or all of these fields.
Application Detail Description
Name Name of the application.
Description Description of the application (up to 255 characters).
Additional Information Links to web sources (Wikipedia, Google, and Yahoo!) that contain additional information about the application.
Standard Ports Ports that the application uses to communicate with the network.
Depends on List of other applications that are required for this application to run. When creating a policy rule to allow the selected application, you must also be sure that you are allowing any other applications that the application depends on.
Implicitly Uses Other applications that the selected application depends on but that you do not need to add to your Security policy rules to allow the selected application because those applications are supported implicitly.
Previously Identified As For new App-IDs, or App-IDs that have been changed, this indicates what the application was previously identified as. This helps you assess whether policy changes are required based on changes in the application. If an App-ID is disabled, sessions associated with that application match policy as the previously identified as application. Similarly, disabled App-IDs appear in logs as the application they were previously identified as.
Deny Action App-IDs are developed with a default deny action that dictates how the firewall responds when the application is included in a Security policy rule with a deny action. The default deny action can specify either a silent drop or a TCP reset. You can override this default action in Security policy.
Characteristics
Evasive Uses a port or protocol for something other than its originally intended purpose with the hope that it will traverse a firewall.
Excessive Bandwidth Consumes at least 1 Mbps on a regular basis through normal use.
Prone to Misuse Often used for nefarious purposes or is easily set up to expose more than the user intended.
SaaS On the firewall, Software as a Service (SaaS) is characterized as a service where the software and infrastructure are owned and managed by the application service provider but where you retain full control of the data, including who can create, access, share, and transfer the data. Keep in mind that in the context of how an application is characterized, SaaS applications differ from web services. Web services are hosted applications where either the user doesn’t own the data (for example, Pandora) or where the service is primarily comprised of sharing data fed by many subscribers for social purposes (for example, LinkedIn, Twitter, or Facebook).
Capable of File Transfer Has the capability to transfer a file from one system to another over a network.
Tunnels Other Applications Is able to transport other applications inside its protocol.
Used by Malware Malware has been known to use the application for propagation, attack, or data theft, or is distributed with malware.
Has Known Vulnerabilities Has publicly reported vulnerabilities.
Widely used Likely has more than 1,000,000 users.
Continue Scanning for Other Applications Instructs the firewall to continue to try and match against other application signatures. If you do not select this option, the firewall stops looking for additional application matches after the first matching signature.
Classification
Category The application category will be one of the following:
business-systems
collaboration
general-internet
media
networking
unknown
Subcategory The subcategory in which the application is classified. Different categories have different subcategories associated with them. For example, subcategories in the collaboration category include email, file-sharing, instant-messaging, Internet-conferencing, social-business, social-networking, voip-video, and web-posting. Whereas, subcategories in the business-systems category include auth-service, database, erp-crm, general-business, management, office-programs, software-update, and storage-backup.
Technology The application technology will be one of the following:
client-server: An application that uses a client-server model where one or more clients communicate with a server in the network.
network-protocol: An application that is generally used for system-to-system communication that facilitates network operation. This includes most of the IP protocols.
peer-to-peer: An application that communicates directly with other clients to transfer information instead of relying on a central server to facilitate the communication.
browser-based: An application that relies on a web browser to function.
Risk Assigned risk of the application. To customize this setting, click the Customize link, enter a value (1-5), and click OK.
Options
Session Timeout Period of time, in seconds, required for the application to time out due to inactivity (range is 1-604800 seconds). This timeout is for protocols other than TCP or UDP. For TCP and UDP, refer to the next rows in this table. To customize this setting, click the Customize link, enter a value, and click OK.
TCP Timeout (seconds) Timeout, in seconds, for terminating a TCP application flow (range is 1-604800). To customize this setting, click the Customize link, enter a value, and click OK. A value of 0 indicates that the global session timer will be used, which is 3600 seconds for TCP.
UDP Timeout (seconds) Timeout, in seconds, for terminating a UDP application flow (range is 1-604800 seconds). To customize this setting, click the Customize link, enter a value, and click OK.
TCP Half Closed (seconds) Maximum length of time, in seconds, that a session remains in the session table between receiving the first FIN packet and receiving the second FIN packet or RST packet. If the timer expires, the session is closed (range is 1-604800). Default: If this timer is not configured at the application level, the global setting is used. If this value is configured at the application level, it overrides the global TCP Half Closed setting.
TCP Time Wait (seconds) Maximum length of time, in seconds, that a session remains in the session table after receiving the second FIN packet or a RST packet. If the timer expires, the session is closed (range is 1-600). Default: If this timer is not configured at the application level, the global setting is used. If this value is configured at the application level, it overrides the global TCP Time Wait setting.
App-ID Enabled Indicates whether the App-ID is enabled or disabled. If an App-ID is disabled, traffic for that application will be treated as the Previously Identified As App-ID in both Security policy and in logs. For applications added after content release version 490, you have the ability to disable them while you review the policy impact of the new app. After reviewing policy, you may choose to enable the App-ID. You also have the ability to disable an application that you have previously enabled. On a multi-vsys firewall, you can disable App-IDs separately in each virtual system.
When the firewall is not able to identify an application using the App-ID, the traffic is classified as unknown (unknown-tcp or unknown-udp). This behavior applies to all unknown applications except those that fully emulate HTTP. For more information, refer to Monitor > Botnet.
You can create new definitions for unknown applications and then define security policies for the new application definitions. In addition, applications that require the same security settings can be combined into application groups to simplify the creation of security policies.
Actions Supported on Applications
You can perform any of the following actions on the Applications page.
Action Supported for Applications Description
Filter by application To search for a specific application, enter the application name or description in the Search field and press Enter. The drop-down to the right of the search box allows you to search or filter for a specific application or view All applications, Custom applications, Disabled applications, or Tagged applications. The application is listed and the filter columns are updated to show statistics for the applications that matched the search. A search matches partial strings. When you define security policies, you can write rules that apply to all applications that match a saved filter. Such rules are dynamically updated when a new application that matches the filter is added through a content update. To filter by the application attributes displayed on the page, click an item that you want to use as a basis for filtering. For example, to restrict the list to the collaboration category, click collaboration and the list will only show applications in this category.
To filter on additional columns, select an entry in the other columns. The filtering is successive. First, the Category filters are applied, then the Subcategory filters, then Technology filters, then Risk filters, and finally Characteristic filters. For example, if you apply a Category, Subcategory, and Risk filter, the Technology column is automatically restricted to the technologies that are consistent with the selected Category and Subcategory, even though a Technology filter has not been explicitly applied. Each time you apply a filter, the list of applications in the lower part of the page automatically updates. To create a new application filter, see Objects > Application Filters.
Add a new application. To add a new application, see Defining Applications.
View and/or customize application details. Click the application name link to view the application description, including the standard ports, characteristics, and risk of the application, among other details. For details on the application settings, see Defining Applications. If the icon to the left of the application name is a yellow pencil, the application is a custom application.
Disable an application You can Disable an application (or several applications) so that the application signature is not matched against traffic. Security rules defined to block, allow, or enforce a matching application are not applied to the application traffic when the app is disabled. You might choose to disable an application that is included with a new content release version because policy enforcement for the application might change when the application is uniquely identified. For example, an application that is identified as web-browsing traffic is allowed by the firewall prior to a new content version installation; after installing the content update, the uniquely identified application no longer matches the Security rule that allows web-browsing traffic. In this case, you could choose to disable the application so that traffic matched to the application signature continues to be classified as web-browsing traffic and is allowed.
Enable an application Select a disabled application and Enable the application so that it can be enforced according to your configured security policies.
Import an application To import an application, click Import. Browse to select the file, and select the target virtual system from the Destination drop-down.
Export an application To export an application, select this option for the application and click Export. Follow the prompts to save the file.
Assess policy impact after installing a new content release. Review Policies to assess the policy-based enforcement for applications before and after installing a content release version. Use the Policy Review dialog to review policy impact for new applications included in a downloaded content release version. The Policy Review dialog allows you to add or remove a pending application (an application that is downloaded with a content release version but is not installed on the firewall) to or from an existing Security policy; policy changes for pending applications do not take effect until the corresponding content release version is installed. You can also access the Policy Review dialog when downloading and installing content release versions on the Device > Dynamic Updates page.
Tag an application. A predefined tag named sanctioned is available for you to tag SaaS applications. While a SaaS application is an application that is identified as SaaS=yes in the details on application characteristics, you can use the sanctioned tag on any application. Select an application, click Tag Application, and, from the drop-down, select the predefined Sanctioned tag to identify any application that you want to explicitly allow on your network. When you then generate the SaaS Application Usage Report (see Monitor > PDF Reports > SaaS Application Usage), you can compare statistics on the applications that you have sanctioned versus unsanctioned SaaS applications that are being used on your network. When you tag an application as sanctioned, the following restrictions apply: The sanctioned tag cannot be applied to an application group. The sanctioned tag cannot be applied at the Shared level; you can tag an application only per device group or per virtual system. The sanctioned tag cannot be used to tag applications included in a container app, such as facebook-mail, which is part of the facebook container app. You can also Remove tag or Override tag. The override option is only available on a firewall that has inherited settings from a device group pushed from Panorama.
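The Previously Identified As, App-ID Enabled, Depends on, and Disable an application entries above describe one mechanism from three angles: a disabled App-ID is matched and logged as the application it was previously identified as, and an allow rule for an application is only effective if the applications it depends on are also allowed. The following is an added illustration written for this page, not Palo Alto Networks code. The App-ID newchat-app, its attributes, the two Security rules, and the treatment of a flow that matches no rule as denied are all constructed for the example.

```python
"""Model of how a disabled App-ID is matched as its "Previously Identified As"
application, and of the "Depends on" check when writing an allow rule.

Added illustration, not Palo Alto Networks code: the App-ID "newchat-app", its
attributes, and the Security rules are constructed for this example, and a flow
with no matching rule is simply treated as denied.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AppId:
    name: str
    previously_identified_as: Optional[str] = None   # set for new or changed App-IDs
    depends_on: Tuple[str, ...] = ()                 # must also be allowed by policy
    implicitly_uses: Tuple[str, ...] = ()            # allowed implicitly, no rule needed
    enabled: bool = True


@dataclass(frozen=True)
class Rule:
    name: str
    applications: FrozenSet[str]                      # {"any"} matches every app
    action: str                                       # "allow" or "deny"


def effective_app(name: str, catalog: Dict[str, AppId]) -> str:
    """App-ID the firewall reports and matches policy on. A disabled App-ID is
    treated as its previously-identified-as App-ID (followed transitively)."""
    seen = set()
    while True:
        app = catalog[name]
        if app.enabled or app.previously_identified_as is None:
            return app.name
        seen.add(name)
        name = app.previously_identified_as
        if name in seen:
            raise ValueError(f"cycle in previously-identified-as chain at {name}")


def match_rule(app_name: str, rules: List[Rule],
               catalog: Dict[str, AppId]) -> Tuple[Optional[str], str]:
    """First-match lookup on the effective App-ID; returns (rule name, action)."""
    app = effective_app(app_name, catalog)
    for rule in rules:
        if "any" in rule.applications or app in rule.applications:
            return rule.name, rule.action
    return None, "deny"                                # simplification: no match = deny


def missing_dependencies(app_name: str, rules: List[Rule],
                         catalog: Dict[str, AppId]) -> List[str]:
    """Depends-on apps that no allow rule covers. Implicitly-used apps are not
    reported because the firewall permits them without a rule."""
    allowed = set().union(*(r.applications for r in rules if r.action == "allow"))
    if "any" in allowed:
        return []
    return [d for d in catalog[app_name].depends_on if d not in allowed]


def set_enabled(catalog: Dict[str, AppId], name: str, enabled: bool) -> Dict[str, AppId]:
    """Copy of the catalog with one App-ID enabled or disabled."""
    return {**catalog, name: replace(catalog[name], enabled=enabled)}


# Constructed catalog: "newchat-app" arrived in a content release; before that
# release its traffic was classified as web-browsing.
CATALOG = {
    "web-browsing": AppId("web-browsing"),
    "ssl": AppId("ssl"),
    "newchat-app": AppId("newchat-app", previously_identified_as="web-browsing",
                         depends_on=("ssl",), implicitly_uses=("web-browsing",)),
}

# Constructed rulebase written before the content release.
RULES = [
    Rule("allow-web", frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("deny-rest", frozenset({"any"}), "deny"),
]

if __name__ == "__main__":
    print("enabled :", match_rule("newchat-app", RULES, CATALOG))
    print("disabled:", match_rule("newchat-app", RULES, set_enabled(CATALOG, "newchat-app", False)))
    print("missing :", missing_dependencies(
        "newchat-app", [Rule("allow-chat", frozenset({"newchat-app"}), "allow")], CATALOG))
```

With newchat-app enabled, its traffic stops matching allow-web and falls through to deny-rest, which is exactly the policy-impact case the Disable an application entry describes; disabling it restores the web-browsing match until the rulebase has been reviewed. The dependency check shows why an allow rule that lists only newchat-app is not enough on its own: ssl is in Depends on, while web-browsing, being Implicitly Uses, needs no rule.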
Defining Applications
Select Objects > Applications to Add a new custom application for the firewall to evaluate when applying policies.
New Application Setting Description
Configuration Tab
Name Enter the application name (up to 31 characters). This name appears in the applications list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, periods, hyphens, and underscores. The first character must be a letter.
Shared Select this option if you want the application to be available to:
Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the application will be available only to the Virtual System selected in the Objects tab.
Every device group on Panorama. If you clear this selection, the application will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option if you want to prevent administrators from creating local copies of the application in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Description Enter a description of the application for general reference (up to 255 characters).
Category Select the application category, such as email or database. The category is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).
Subcategory Select the application subcategory, such as email or database. The subcategory is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).
Technology Select the technology for the application.
Parent App Specify a parent application for this application. This setting applies when a session matches both the parent and the custom applications; however, the custom application is reported because it is more specific.
Risk Select the risk level associated with this application (1=lowest to 5=highest).
Characteristics Select the application characteristics that may place the application at risk. For a description of each characteristic, refer to Characteristics.
Advanced Tab
Port If the protocol used by the application is TCP and/or UDP, select Port and enter one or more combinations of the protocol and port number (one entry per line). The general format is <protocol>/<port> where the <port> is a single port number, or dynamic for dynamic port assignment. Examples: TCP/dynamic or UDP/32. This setting applies when using app-default in the Service column of a Security rule.
IP Protocol To specify an IP protocol other than TCP or UDP, select IP Protocol, and enter the protocol number (1 to 255).
ICMP Type To specify an Internet Control Message Protocol version 4 (ICMP) type, select ICMP Type and enter the type number (range is 0-255).
ICMP6 Type To specify an Internet Control Message Protocol version 6 (ICMPv6) type, select ICMP6 Type and enter the type number (range is 0-255).
None To specify signatures independent of protocol, select None.
Timeout Enter the number of seconds before an idle application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used. This value is used for protocols other than TCP and UDP in all cases and for TCP and UDP timeouts when the TCP timeout and UDP timeout are not specified.
TCP Timeout Enter the number of seconds before an idle TCP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.
UDP Timeout Enter the number of seconds before an idle UDP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.
TCP Half Closed Enter the maximum length of time that a session remains in the session table, between receiving the first FIN and receiving the second FIN or RST. If the timer expires, the session is closed. Default: If this timer is not configured at the application level, the global setting is used (range is 1-604800 seconds). If this value is configured at the application level, it overrides the global TCP Half Closed setting.
TCP Time Wait Enter the maximum length of time that a session remains in the session table after receiving the second FIN or a RST. If the timer expires, the session is closed. Default: If this timer is not configured at the application level, the global setting is used (range is 1-600 seconds). If this value is configured at the application level, it overrides the global TCP Time Wait setting.
Scanning Select the scanning types that you want to allow based on Security Profiles (file types, data patterns, and viruses).
Signature Tab
Signatures Click Add to add a new signature, and specify the following information:
Signature Name: Enter a name to identify the signature.
Comment: Enter an optional description.
Scope: Select whether to apply this signature only to the current Transaction or to the full user Session.
Ordered Condition Match: Select if the order in which signature conditions are defined is important.
Specify the conditions that identify the signature. These conditions are used to generate the signature that the firewall uses to match the application patterns and control traffic:
To add a condition, select Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
Select an Operator from the drop-down. The options are Pattern Match, Greater Than, Less Than, and Equal To. Then specify the options for that operator:
For Pattern Match only:
Context: Select from the available contexts. These contexts are updated using dynamic content updates.
Pattern: Specify a regular expression that matches string values of the context that are unique to the custom application. As a best practice, perform a packet capture to identify the context. See Pattern Rules Syntax for the regular expression syntax.
For Greater Than and Less Than only:
Context: Select from the available contexts. These contexts are updated using dynamic content updates.
Value: Specify a value to match on (range is 0-4294967295).
Qualifier and Value: (Optional) Add qualifier/value pairs.
For Equal To only:
Context: Select from the unknown requests and responses for TCP or UDP (for example, unknown-req-tcp) or from additional contexts that are available through dynamic content updates (for example, dnp3-req-func-code).
For unknown requests and responses for TCP or UDP, specify:
Position: Select between the first four or second four bytes in the payload.
Mask: Specify a 4-byte hex value, for example, 0xffffff00.
Value: Specify a 4-byte hex value, for example, 0xaabbccdd.
For all other contexts, specify a Value that is pertinent to the application.
To move a condition within a group, select the condition and Move Up or Move Down. To move a group, select the group and Move Up or Move Down. You cannot move conditions from one group to another.
It is not required to specify signatures for the application if the application is used only for application override rules.
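The Configuration and Advanced tabs above state a number of input constraints (the name rule, the <protocol>/<port> list format, the IP protocol and ICMP type ranges, the risk and timeout ranges) and one resolution rule (Timeout applies to non-TCP/UDP flows always and to TCP/UDP flows only when their own timeout is 0). The following is an added example written for this page, not Palo Alto Networks code, that checks a custom application definition against exactly those constraints before you enter it; the spec dictionary keys, the treatment of port, ip_protocol, icmp_type and icmp6_type as mutually exclusive, and the acme-telemetry sample are this example's own assumptions.

```python
"""Checks on the values entered when defining a custom application, using only the
constraints this page states, plus the rule for which timeout applies to a flow.

Added example, not Palo Alto Networks code. The spec dictionary keys and the
assumption that port / ip_protocol / icmp_type / icmp6_type are mutually exclusive
are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Up to 31 characters; letters, numbers, spaces, periods, hyphens, underscores; letter first.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ._-]{0,30}$")
# One <protocol>/<port> per line, e.g. TCP/dynamic or UDP/32.
PORT_RE = re.compile(r"^(tcp|udp)/(dynamic|\d{1,5})$", re.IGNORECASE)
MAX_TIMEOUT = 604_800          # seconds; 0 means "use the application default"
PROTOCOL_FIELDS = ("port", "ip_protocol", "icmp_type", "icmp6_type")


def parse_ports(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse the Port field; returns (entries, errors). Entries are (proto, port)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if not m:
            errors.append(f"port line {lineno}: {line!r} is not <protocol>/<port>")
            continue
        proto, port = m.group(1).lower(), m.group(2).lower()
        if port != "dynamic" and int(port) > 65535:
            errors.append(f"port line {lineno}: {port} exceeds 65535")
            continue
        entries.append((proto, port))
    if not entries and not errors:
        errors.append("port: at least one <protocol>/<port> entry is required")
    return entries, errors


def validate_custom_app(spec: Dict) -> List[str]:
    """Return the problems found in a custom application spec; empty means valid."""
    errors = []
    if not NAME_RE.match(spec.get("name", "")):
        errors.append("name: 1-31 chars, letters/digits/space/./-/_ only, must start with a letter")
    if not isinstance(spec.get("risk"), int) or not 1 <= spec["risk"] <= 5:
        errors.append("risk: must be an integer from 1 (lowest) to 5 (highest)")
    chosen = [f for f in PROTOCOL_FIELDS if f in spec]
    if len(chosen) > 1:                                # assumption: the choices are exclusive
        errors.append(f"protocol: choose only one of {PROTOCOL_FIELDS}, got {chosen}")
    if "port" in spec:
        errors += parse_ports(spec["port"])[1]
    if "ip_protocol" in spec and not 1 <= spec["ip_protocol"] <= 255:
        errors.append("ip_protocol: must be 1-255")
    for f in ("icmp_type", "icmp6_type"):
        if f in spec and not 0 <= spec[f] <= 255:
            errors.append(f"{f}: must be 0-255")
    for f in ("timeout", "tcp_timeout", "udp_timeout"):
        if not 0 <= spec.get(f, 0) <= MAX_TIMEOUT:
            errors.append(f"{f}: must be 0-{MAX_TIMEOUT} seconds")
    for f, hi in (("tcp_half_closed", MAX_TIMEOUT), ("tcp_time_wait", 600)):
        if f in spec and not 1 <= spec[f] <= hi:
            errors.append(f"{f}: must be 1-{hi} seconds when set")
    return errors


def resolve_timeouts(spec: Dict) -> Dict[str, Optional[int]]:
    """Effective idle timeout per transport. Timeout always applies to non-TCP/UDP
    flows and fills in for TCP/UDP when their own timeout is 0; None = app default."""
    generic = spec.get("timeout", 0) or None
    return {
        "other": generic,
        "tcp": spec.get("tcp_timeout", 0) or generic,
        "udp": spec.get("udp_timeout", 0) or generic,
    }


# Constructed spec for a hypothetical in-house service.
EXAMPLE_SPEC = {
    "name": "acme-telemetry",
    "risk": 2,
    "port": "TCP/8443\nudp/dynamic\n",
    "timeout": 120,
    "udp_timeout": 30,
    "tcp_half_closed": 60,
}

if __name__ == "__main__":
    print("errors  :", validate_custom_app(EXAMPLE_SPEC))
    print("ports   :", parse_ports(EXAMPLE_SPEC["port"])[0])
    print("timeouts:", resolve_timeouts(EXAMPLE_SPEC))
```

The port list matters beyond data entry: it is what app-default in the Service column of a Security rule resolves to, so an entry that is wider than the application actually needs (for example tcp/dynamic where a fixed port would do) widens the rule. The resolved timeouts show that a generic Timeout silently becomes the TCP timeout when TCP Timeout is left at 0, which is easy to miss when the two fields are set by different people.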
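The Signature tab entries above describe the operators (Pattern Match, Greater Than, Less Than, Equal To), the AND/OR grouping, and Ordered Condition Match, but the Equal To fields in particular (Position, Mask, Value on an unknown-req-tcp context) are easier to understand by running one. The following is an added illustration written for this page, not the firewall's matching engine and not Palo Alto Networks code. The Group, EqualTo, PatternMatch and Compare classes, the "first-4"/"second-4" position labels, the hypothetical numeric context example-req-length, and the sample request bytes are all constructions of this example; how the firewall orders conditions across different contexts is not stated on this page and is not modelled here.

```python
"""Evaluate a custom App-ID signature's condition tree against a captured payload.

Added illustration of what the Signature tab fields mean; not the firewall's
matching engine. The classes, the "first-4"/"second-4" labels, the hypothetical
context "example-req-length" and the sample bytes are this example's constructions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass
class EqualTo:
    """Equal To on an unknown-req/resp context: (4-byte word & mask) == value."""
    context: str          # e.g. "unknown-req-tcp"
    position: str         # "first-4" or "second-4": which 4 bytes of the payload
    mask: int             # 4-byte hex value, e.g. 0xffff0000
    value: int            # 4-byte hex value, e.g. 0x01020000


@dataclass
class PatternMatch:
    """Pattern Match: regular expression over the bytes of a context."""
    context: str
    pattern: str


@dataclass
class Compare:
    """Greater Than / Less Than on a numeric context (value range 0-4294967295)."""
    context: str
    op: str               # ">" or "<"
    value: int


@dataclass
class Group:
    """AND/OR group; groups nest, and conditions are evaluated in listed order."""
    op: str               # "and" or "or"
    conditions: List[Union["Group", EqualTo, PatternMatch, Compare]] = field(default_factory=list)


Contexts = Dict[str, Union[bytes, int]]   # context name -> extracted bytes or number
Offsets = Dict[str, int]                  # context name -> offset where the last match ended


def _leaf(cond, contexts: Contexts, start: int) -> Tuple[bool, int]:
    """Match one condition from byte offset `start`; returns (matched, end offset)."""
    buf = contexts.get(cond.context)
    if buf is None:
        return False, start
    if isinstance(cond, EqualTo):
        off = 0 if cond.position == "first-4" else 4
        if off < start or len(buf) < off + 4:
            return False, start
        word = int.from_bytes(buf[off:off + 4], "big")
        return (word & cond.mask) == cond.value, off + 4
    if isinstance(cond, PatternMatch):
        m = re.compile(cond.pattern.encode()).search(buf, start)
        return (m is not None), (m.end() if m else start)
    if isinstance(cond, Compare):
        return (buf > cond.value if cond.op == ">" else buf < cond.value), start
    raise TypeError(f"unknown condition type {type(cond).__name__}")


def evaluate(node, contexts: Contexts, ordered: bool = False,
             offsets: Offsets = None) -> Tuple[bool, Offsets]:
    """Evaluate a Group or single condition; returns (matched, offsets after matching).

    With ordered=True (Ordered Condition Match), each condition in an AND group must
    match at or after the offset where the previous condition on the same context
    ended; ordering across different contexts is not enforced in this model.
    """
    offsets = dict(offsets or {})
    if not isinstance(node, Group):
        start = offsets.get(node.context, 0) if ordered else 0
        ok, end = _leaf(node, contexts, start)
        if ok:
            offsets[node.context] = max(end, offsets.get(node.context, 0))
        return ok, offsets
    if node.op == "and":
        for cond in node.conditions:
            ok, offsets = evaluate(cond, contexts, ordered, offsets)
            if not ok:
                return False, offsets
        return True, offsets
    for cond in node.conditions:                       # "or": first success wins
        ok, new_offsets = evaluate(cond, contexts, ordered, offsets)
        if ok:
            return True, new_offsets
    return False, offsets


# Constructed request of a made-up binary protocol: 2-byte magic 0x0102, a 2-byte
# session id that varies per connection, then an ASCII banner.
SAMPLE_REQUEST = b"\x01\x02\xaa\xbb" + b"HELLO v2\r\n"
SAMPLE_CONTEXTS: Contexts = {
    "unknown-req-tcp": SAMPLE_REQUEST,
    "example-req-length": len(SAMPLE_REQUEST),       # hypothetical numeric context
}

# Signature: the magic in the first 4 bytes with the session id masked out, then the
# banner, then a length check; ordered so the banner must follow the magic.
SIGNATURE = Group("and", [
    EqualTo("unknown-req-tcp", "first-4", mask=0xFFFF0000, value=0x01020000),
    PatternMatch("unknown-req-tcp", r"HELLO\s+v[0-9]"),
    Compare("example-req-length", ">", 8),
])


def sample_matches(ordered: bool = True) -> bool:
    """Does SIGNATURE match SAMPLE_CONTEXTS?"""
    return evaluate(SIGNATURE, SAMPLE_CONTEXTS, ordered=ordered)[0]


if __name__ == "__main__":
    print("ordered  :", sample_matches(True))
    print("unordered:", sample_matches(False))
```

The mask is what makes the Equal To condition survive per-connection variation: 0xFFFF0000 compares only the two magic bytes and ignores the session id. The same signature with its first two conditions swapped fails under Ordered Condition Match, because the pattern has already consumed the first four bytes, and passes without it; that is the practical difference the Ordered Condition Match checkbox makes, and it is worth testing against a packet capture rather than assuming.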