During a recent conversion from an ASA, a client had some database connections that required extremely long (6 hours!) timeouts for their application to function. Palo Alto will allow you to customize TCP Timeouts based on the application signature, but not based on source/destination. This traffic in particular was an Oracle database connection, and not the only Oracle database going through the firewall. Obviously, setting the timeout to 6 hours for all our database connections is probably not a great idea. So the solution is to create a custom Application ID.
Creating a custom Application ID from scratch is a pretty arduous task, involving packet captures and a lot of guess and check work. Instead, since we know this traffic is from specific sources to specific destinations on specific ports, we can just use Application Override with a bogus custom Application ID. For this example, here is the scenario:
- Source Server: 192.168.20.20
- Destination Server: 192.168.30.20
- Destination Port: tcp/1520
Creating the Custom Application ID
To begin, we’ll create a bogus custom Application ID, that is, an Application ID with totally invalid signatures so it won’t accidentally match some other traffic. Here’s the process.
- Navigate to Objects > Applications then click Add.
- On the Configuration Tab, fill in the Name, Category, Subcategory, and Technology. These can be whatever you want.
- On the Advanced tab, fill in the relevant Timeout Fields information, in our case 21600 seconds (or 6 hours).
- For the signatures I chose to use a combination of email-headers, and oracle-req-data-text for my contexts, I can think of any situation where these could possibly match. For the Pattern on each, I just smashed my keyboard a bit. On the Signature tab, click Add And Condition.
- Click OK, then repeat the process for the second condition.
- Your Signature tab should look something like this.
Creating the Application Override Rule
Now that we have a custom Application ID, we can create our Application Override rule to enforce the custom timeout.
- Navigate to Policies > Application Override, then click Add.
- On the General tab, fill in a name for your rule, and any other details you want.
- On the Source tab, we’ll fill in our source of 192.168.20.20.
- On the Destination tab, we’ll fill in our destination of 192.168.30.20.
- On the Protocol/Application tab, select TCP, fill in 1520 for the Port, and select our custom app-id for the Application.
The final step would be to create an access rule to allow your custom app-id. After that you should see traffic in your monitoring tab being successfully ID’ed as your new custom signature and getting the appropriate timeout assigned.