Logs that match this filter will trigger an auto- "tagging" action. This filters through all of the traffic logs looking for entries that match the query: (app eq unknown-udp) and ((port.dst eq 31005) or (port.dst eq 1311) or (port.dst eq 53) or (port.dst eq 123)) This log forwarding profile leverages two new features in PAN-OS 8.0: Filtered Log Forwarding and Auto-Tagging. Next, we add a "log forwarding profile" to this security policy. This is one fingerprint I've been able to extract from a quick look at the logs. (see screenshots)Ĥ.) Automate the creation of an xvpn IP blocklist using PAN-OS 8.0 (this is how I was able to block it).Īt a very high level, here's the process: You permit unknown-udp traffic to destination ports 31005, 1311, 53, and 123. Block all of the xvpn servers based on those IPs. You can even export the report via CSV and easily manipulate the data to create this blocklist. That report will compile a list of xvpn server IP addresses that you can use to create an IP-based blocklist. This requires some legwork, collecting pcaps, looking for similarities between sessions, and then creating the pattern that looks for this app.ģ.) create a custom report that filters everything out except for unknown-udp traffic from your student network to the internet on UDP 31005/23. This seriously degrades the "user experience" for the app.Ģ.) look at creating a custom signature. You could follow a similar process if your students are using a different platform.ġ.) permit unknown-udp from your student network to the Internet, but apply a QoS policy/profile and rate-limit it to. I took this data from what I was able to glean from the iOS app for Apple devices. (I tried the last one and it's currently blocking the app, albiet in an unconventional way). The good news is that you don't have to wait until that happens. Long term, the right answer is to have Palo Alto Networks create an official application signature. You can also block the ports used by the app, but this is only best effort as VPN app will eventually get through different method. You may be contacted on the email provided for any clarification or details as required by app team.Īlternatively, you can create custom signature. This will trigger a issue ticket in our back-end for our application development team to work on.
#Does x vpn work how to#
(This doc also has procedure for creating custom-app-id and links to doc on how to create custom app signature) Since it is a public app, you can submit a request for new application from the research-center link provided in following doc. Or not enough packets are received to be identified as unknown.
If the traffic is allowed only through web-browsing on port 80 which is it's default port, unless you see a specific pattern or it trying to go to any URL, you will not be able to block it without an application for the app.Īpplication is identified as insufficient data when we do not have enough data to match to a known application, If not, try allowing ssl only on default port if that is not used. or wait for app to be created.ĭoes your environment use ssl traffic on non-standard ports like 80? We logged a support case for this and in the end it was a Feature Request.Īt the moment, you can either create custom appid or block any offending traffic ports, etc.
0 kommentar(er)
