At 17:18, the DNS traffic was allowed. As DNS is is UDP (in most cases) there's no FIN thus I suspect that is why it was aged-out. The "in-Out" policy to start with is wide open as long as the app is using default ports that traffic was good to go. Once you updated it to support only facebook, yup that killed any traffic other than facebook. The demo you were showing that DNS traffic should have landed on the interzone-default and thus that is where it would have been denied (not that it was aged out). Yes, adding DNS back to the appid and using application default fixed it. Keep your demo's up!
Nice video dear, I want to know about custom app ID filtering.. how to block get, and post base requests for private app which are not included in Palo Alto app id.
Can u please help me to sort out my query: We currently do not do traffic decryption on the firewall for deep packet inspection. Can we safely consider converting eligible rules to application based rules even though we don't do any traffic decryption on the perimeter firewall? My concern is that since we don't decrypt traffic on the perimeter firewall we will not be able to accurately identify application traffic.
Hi Sai, Good Question, Firewall can only assume based on the information which is not encrypted like port number (if it is 443 then https, it can't recognize facebook-chat or facebook-video)
Hi bro, APP-ID can block facebook-chat,facebook-video and etc. How does App-id knew these traffic is chat traffic, video traffic. In SSL/TLS , a connection between client and server is secured(encrypted) ?. How firewall can know if the traffice is secured ? ....
Could you please explain how to block&unblock subtabs like facebook-chat. I did understand how the PA identify it, however I could see the way to block subtabs... thank you for your help
PA can block the tls traffic based on SNI in client hello packet or Common name field in certificate exchanged in server hello packet in case sni is not supported by web server.So my question is facebook is allowed and is encrypted .But if anyone try to access facebook chat ,since application data is fully encrypted so how firewall can know without ssl decryption just on sni or cn field ?
@@BikashsTech webserver are configured to support this "sni" feature specially useful for shared hosting website where multiple TLS server are running with different domain on a single public ip. Facebook support sni .But my question is that in TLS client hello Facebook .com will be as sni .once encrypted even firewall cannot see inside the packet until some sort of decryption is not performed at pa level.so how app id will work just on sni basis to identify chat app in facebook
Hello Friends, Please Comment what you have learnt from this video. Share, Support, Subscribe!!!
Patron : www.patreon.com/Bikashtech
Subscribe: bit.ly/3eFwHiy
RUclips: ruclips.net/user/BikashsTech
Twitter: twitter.com/Bikashshaw82
Facebook: facebook.com/people/Bikash-Kumar-Shaw/100003333695682
Instagram: instagram.com/bikashtech/
Appreciate your efforts for video tutorials!
Please make videos on palo Alto troubleshooting like IPSEC,SSL VPN etc
At 17:18, the DNS traffic was allowed. As DNS is is UDP (in most cases) there's no FIN thus I suspect that is why it was aged-out. The "in-Out" policy to start with is wide open as long as the app is using default ports that traffic was good to go. Once you updated it to support only facebook, yup that killed any traffic other than facebook. The demo you were showing that DNS traffic should have landed on the interzone-default and thus that is where it would have been denied (not that it was aged out). Yes, adding DNS back to the appid and using application default fixed it. Keep your demo's up!
Hey Ryan, so does UDP traffic always show "aged-out" when being blocked by security policy?
@@MofistagoMofarde if it’s blocked no session should be created.
Great Bro you tought us in simple way
Great video to understand APP-ID of PA
Excellent💐
Hi Sir,
as we saw , google site was not opening, so can't add google application too in security policy as we did for facebook?
Nice video dear, I want to know about custom app ID filtering.. how to block get, and post base requests for private app which are not included in Palo Alto app id.
brillant.....can u share some interview Q&A for PA FW ?
Excellent keep doing
Can you please upload a troubleshooting video
please make one video for packet flow
Very good sir..
Bikash, how do you install pa-vm on eve-ng?
Hellow sir nice video
Sir last me aapne solution nhi bataya.
Please sir answer
Can u please help me to sort out my query:
We currently do not do traffic decryption on the firewall for deep packet inspection. Can we safely consider converting eligible rules to application based rules even though we don't do any traffic decryption on the perimeter firewall? My concern is that since we don't decrypt traffic on the perimeter firewall we will not be able to accurately identify application traffic.
Hi Sai,
Good Question,
Firewall can only assume based on the information which is not encrypted like port number (if it is 443 then https, it can't recognize facebook-chat or facebook-video)
Hi bro, APP-ID can block facebook-chat,facebook-video and etc. How does App-id knew these traffic is chat traffic, video traffic. In SSL/TLS , a connection between client and server is secured(encrypted) ?. How firewall can know if the traffice is secured ? ....
for encrypted traffic, Palo-alto uses SSL decryption to decrypt the encrypted traffic and re-encrypt
Awesome
Could you please explain how to block&unblock subtabs like facebook-chat. I did understand how the PA identify it, however I could see the way to block subtabs... thank you for your help
When come migration Checkpoint to Paloalto
PA can block the tls traffic based on SNI in client hello packet or Common name field in certificate exchanged in server hello packet in case sni is not supported by web server.So my question is facebook is allowed and is encrypted .But if anyone try to access facebook chat ,since application data is fully encrypted so how firewall can know without ssl decryption just on sni or cn field ?
Hello Deepak,
Want to know more about question.
Which server will not aupport SNI, is it Facebook?
@@BikashsTech webserver are configured to support this "sni" feature specially useful for shared hosting website where multiple TLS server are running with different domain on a single public ip. Facebook support sni .But my question is that in TLS client hello Facebook .com will be as sni .once encrypted even firewall cannot see inside the packet until some sort of decryption is not performed at pa level.so how app id will work just on sni basis to identify chat app in facebook
What is the difference between FQDN and URL
Hi Prasath,
For Easy understanding
FQDN : Name of the server
URL : Path to get the file (file location)
How to create custom app id
Can you make it hindi.
How can I block mobile Facebook application in PA220