
Unknown Applications

Tech Note









Overview
The Palo Alto Networks App-ID classification engine identifies traffic using a combination of
application decoders and application signatures. As of December 2013, App-ID supports over
1900 applications using this technique. However, due to a number of factors, including the
proliferation of new applications and the large number of internal custom applications, there will
be applications that are not supported by App-ID.

This document is intended to provide an overview of how to identify unknown applications on
your network and what to do once they have been identified.

Revision F 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com




Identifying Unknown Applications


When a Palo Alto Networks device is not able to identify an application using App-ID, the
traffic will be classified as unknown: either unknown-tcp, unknown-udp, or non-syn-tcp.
One exception occurs when an application fully emulates HTTP, such as Rearden (a business
SaaS application). In this case, the traffic will be classified as web-browsing.
There are three primary ways to view unknown applications using the web interface of the
Palo Alto Networks devices.
1. Application Command Center (ACC): Unknown applications will be sorted with
all other applications in the ACC. You can click on the unknown application to
drill into the details of the application as well to see top sources and destinations.







2. Unknown application reports: Once a day, unknown application reports are
automatically run and stored in the reports section of the Monitor tab. These
reports can provide useful information for identifying unknown applications. For
example, if the unknown TCP report shows 2 static IP addresses communicating
back and forth on the same ports with the same number of sessions and bytes, that
doesn't look like an evasive application and may be the result of a custom client-server
application.




3. Detailed traffic logs: Sometimes it is easiest to use the detailed traffic logs to track
down a specific unknown application. Especially if logging is enabled for both start of
session and end of session, the traffic log will provide specific information about the
start and end of an unknown session. Using the filter option, filter for
unknown-tcp. Below is a sample view of a traffic log filtered for unknown-tcp:

Detailed traffic logs are helpful especially because you are able to sort based on any of
the information displayed on the log, like narrowing down on a specific source or
destination along with port and protocol to find specific patterns in communication
between hosts.
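The triage described in items 2 and 3 above, as an added example that is not part of the original tech note: it takes a CSV export of the Traffic log, keeps only sessions classified as unknown-tcp, unknown-udp or non-syn-tcp, groups them by source, destination, protocol and destination port, and applies the two heuristics the note gives. A fixed pair of hosts on a fixed port with repeated sessions of identical size is flagged as a likely custom client-server application; one source talking to many destinations and ports is flagged for closer investigation. The column names and the log lines are constructed for this example, so check them against the header of your own export.

```python
"""Triage a PAN-OS Traffic log export for unknown applications.

Added example, not Palo Alto Networks' code. Column names below are an
assumption about the CSV export; adjust them to match your own file.
"""
import csv
import io
from collections import defaultdict

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "non-syn-tcp"}

# Constructed sample export: host 10.0.1.5 talks to 10.0.0.2 on TCP/8443 in
# equal-sized sessions (custom client-server pattern); host 10.0.1.9 talks to
# four destinations on four different ports (fan-out worth a closer look).
SAMPLE_LOG = """receive_time,src,dst,sport,dport,proto,app,bytes,action
2014/01/30 10:00:01,10.0.1.5,10.0.0.2,51001,8443,tcp,unknown-tcp,2048,allow
2014/01/30 10:00:31,10.0.1.5,10.0.0.2,51002,8443,tcp,unknown-tcp,2048,allow
2014/01/30 10:01:01,10.0.1.5,10.0.0.2,51003,8443,tcp,unknown-tcp,2048,allow
2014/01/30 10:01:31,10.0.1.5,10.0.0.2,51004,8443,tcp,unknown-tcp,2048,allow
2014/01/30 10:02:00,10.0.1.5,10.0.0.2,51005,8443,tcp,unknown-tcp,2048,allow
2014/01/30 10:02:10,10.0.1.7,74.125.1.1,40001,443,tcp,ssl,15000,allow
2014/01/30 10:03:00,10.0.1.9,203.0.113.10,40002,6881,tcp,unknown-tcp,300,allow
2014/01/30 10:03:05,10.0.1.9,203.0.113.11,40003,6882,tcp,unknown-tcp,310,allow
2014/01/30 10:03:09,10.0.1.9,203.0.113.12,40004,6883,tcp,unknown-tcp,290,allow
2014/01/30 10:03:15,10.0.1.9,203.0.113.13,40005,6884,tcp,unknown-tcp,305,allow
2014/01/30 10:04:00,10.0.1.5,10.0.0.2,51006,8443,tcp,unknown-tcp,2048,allow
"""


def parse_traffic_log(text):
    """Parse the CSV export into a list of dicts with typed port/byte fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def unknown_sessions(rows):
    """Equivalent of filtering the Traffic log on the unknown application names."""
    return [r for r in rows if r["app"] in UNKNOWN_APPS]


def summarize_pairs(rows):
    """Group sessions by (src, dst, proto, dport) and count sessions and bytes."""
    pairs = defaultdict(lambda: {"sessions": 0, "bytes": 0, "sizes": set()})
    for r in rows:
        stats = pairs[(r["src"], r["dst"], r["proto"], r["dport"])]
        stats["sessions"] += 1
        stats["bytes"] += r["bytes"]
        stats["sizes"].add(r["bytes"])  # distinct session sizes seen
    return pairs


def triage(rows, min_sessions=3, fanout_threshold=3):
    """Apply the tech note's heuristics to the unknown sessions.

    static-pair:       fixed hosts, fixed port, repeated sessions of equal size
                       (looks like a custom client-server application)
    many-destinations: one source reaching many dst/port tuples (investigate)
    inconclusive:      too little data to say either way
    """
    pairs = summarize_pairs(unknown_sessions(rows))
    fanout = defaultdict(set)
    for src, dst, proto, dport in pairs:
        fanout[src].add((dst, proto, dport))
    findings = []
    for key in sorted(pairs):
        src, dst, proto, dport = key
        stats = pairs[key]
        if len(fanout[src]) >= fanout_threshold:
            verdict = "many-destinations"
        elif stats["sessions"] >= min_sessions and len(stats["sizes"]) == 1:
            verdict = "static-pair"
        else:
            verdict = "inconclusive"
        findings.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                         "sessions": stats["sessions"], "bytes": stats["bytes"],
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(parse_traffic_log(SAMPLE_LOG)):
        print(f"{f['src']:>12} -> {f['dst']:<14} {f['proto']}/{f['dport']:<5} "
              f"sessions={f['sessions']:<3} bytes={f['bytes']:<6} {f['verdict']}")
```

A static-pair finding is the candidate for a custom application definition with application override (next section); a many-destinations finding is the one to keep under the unknown-tcp policy until it is understood.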

















Actions to Take With Unknown Apps
There are essentially two actions that can be taken with unknown applications in order to
deal with them appropriately: custom application definition with application override, or
requesting an App-ID from Palo Alto Networks. Please remember that policy can be set to
control unknown applications, both by unknown TCP and unknown UDP, as well as by a
combination of source zone, destination zone, and IP addresses.

Custom application definition with application override: Because the App-ID engine in PAN-OS
classifies traffic by identifying the application-specific content in network traffic, the custom
application definition cannot simply specify a port number as an application. Imagine setting port 80
as Custom-CRM. All traffic on port 80 would then be Custom-CRM, which is certainly not
the case on a global basis. Instead, the application definition needs to also include a restricted
set of traffic, restricted by source zone, source IP address, destination zone, and destination IP
address. This allows the Custom-CRM to be defined as TCP/80 to/from IP address
10.0.0.2/32. All other TCP port 80 traffic will still go through the App-ID classification engine.

There are two steps to creating a custom app:

1. Define the custom application, specifying the name, category, protocol/port numbers, and
timeout values.

2. Define an application override policy that specifies when the custom application should
be invoked. Typically, this would be specified by the IP address of the server running the
custom application, but could also include a restricted set of source IP addresses or a
source zone.
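The scoping rule just described, as an added example that is not PAN-OS code and does not use its policy syntax: it models an application override rule as protocol, port and optional zone and address restrictions, applies the rules top to bottom to a session, and sends anything that does not match on to App-ID. It also includes a lint that catches the anti-pattern the note warns about (a rule that names only a port, so every session on that port would become Custom-CRM). Zone names, rule names and the session tuples are constructed for this example; the CRM rule restricts the destination address only, which is the usual case for a server-side override.

```python
"""Model of application override scoping.

Added example, not PAN-OS code. It reproduces only the behaviour the tech
note describes: an override rule matches on zones, addresses, protocol and
port; unmatched traffic still goes through App-ID. Names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class OverrideRule:
    name: str
    application: str          # custom application the rule assigns
    protocol: str             # "tcp" or "udp"
    port: int                 # destination port
    src_zones: set = field(default_factory=set)        # empty set = any zone
    dst_zones: set = field(default_factory=set)
    src_networks: list = field(default_factory=list)   # ip_network objects
    dst_networks: list = field(default_factory=list)   # empty list = any address

    def matches(self, session):
        """True when every restriction on the rule is satisfied by the session."""
        return (self.protocol == session["proto"]
                and self.port == session["dport"]
                and _zone_ok(session["src_zone"], self.src_zones)
                and _zone_ok(session["dst_zone"], self.dst_zones)
                and _addr_ok(session["src_ip"], self.src_networks)
                and _addr_ok(session["dst_ip"], self.dst_networks))


def _zone_ok(zone, zones):
    return not zones or zone in zones


def _addr_ok(ip, networks):
    addr = ipaddress.ip_address(ip)
    return not networks or any(addr in net for net in networks)


def is_unrestricted(rule):
    """The anti-pattern from the note: a rule scoped by port alone."""
    return not (rule.src_zones or rule.dst_zones
                or rule.src_networks or rule.dst_networks)


def lint_rules(rules):
    """Names of override rules that would claim a whole port globally."""
    return [r.name for r in rules if is_unrestricted(r)]


def classify(session, rules):
    """First matching override wins; otherwise the session goes to App-ID."""
    for rule in rules:
        if rule.matches(session):
            return rule.application, f"override:{rule.name}"
    return None, "app-id"


# Constructed rule: Custom-CRM is TCP/80 only when the destination is the
# CRM server 10.0.0.2/32 in the "dmz" zone.
CRM_RULE = OverrideRule(
    name="crm-override", application="Custom-CRM", protocol="tcp", port=80,
    dst_zones={"dmz"}, dst_networks=[ipaddress.ip_network("10.0.0.2/32")],
)

# Constructed sessions: one to the CRM server, one to an Internet web server.
CRM_SESSION = {"src_zone": "trust", "dst_zone": "dmz", "src_ip": "10.0.5.5",
               "dst_ip": "10.0.0.2", "proto": "tcp", "dport": 80}
WEB_SESSION = {"src_zone": "trust", "dst_zone": "untrust", "src_ip": "10.0.5.5",
               "dst_ip": "93.184.216.34", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print(classify(CRM_SESSION, [CRM_RULE]))   # override applies
    print(classify(WEB_SESSION, [CRM_RULE]))   # falls through to App-ID
    print(lint_rules([CRM_RULE, OverrideRule("bad", "Custom-CRM", "tcp", 80)]))
```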

Requesting an App-ID from Palo Alto Networks: When an application needs to be identified
using the content of the app instead of port, protocol, and IP address, the application can be
submitted to Palo Alto Networks for classification. This is especially important for applications
that run over the Internet, where the above custom application definition won't work. There are
two ways to submit an application to Palo Alto Networks.

1. If the application is easily accessible on the internet, such as an instant messaging
application, then the name of the application and the URL can be submitted to your
account team or you can submit directly on the Application Research Center site
using the following link: http://researchcenter.paloaltonetworks.com/submit-an-application/

2. If the application is not easily accessible, such as a CRM application, then you need to
submit a PCAP (packet capture) of the application running. This can be achieved using
the session packet capture function built into the device. Follow these steps to capture the
session for submission to your Palo Alto Networks account team:

a. From the CLI, use the command: set application dump on application <name>







b. Once the application traffic is detected, you can pull the packet capture off from
the Web UI by clicking on Monitor > Logs > Traffic.

c. Find the traffic log by filtering for unknown applications, source/destination IP, or
user.

d. Once you have found the traffic log, the first column from the left hand side should
show a green arrow pointing down. The green arrow means that the session traffic
has been captured. Click on the green arrow to save or open the packet capture.



Summary
Palo Alto Networks releases a new App-ID update every week, which typically includes about 5-10
new applications. The input and prioritization of applications comes from a number of sources, but the
most important is from our customers. In most cases, an application submitted by a customer can be
included in the following week's App-ID update. If you have an application that is not currently
covered, we invite you to visit the Application Research Center
(http://researchcenter.paloaltonetworks.com/) and enter it under the Submit an Application section.






Revision History

Date               Revision  Comment
January 30, 2014   F         Updated several screenshots to improve the examples.
December 20, 2013  E         Updated to state that now over 1900 applications can be
                             identified and also updated screen captures.
October 4, 2013    D         The Application Research Center link changed, so updated the
                             link mentioned in the Requesting an App-ID from Palo Alto
                             Networks section and the Summary section.

