topic Re: Application Signatures? in General Topics

Application Signatures?

Mike_Schepers — Tue, 22 May 2018 19:23:39 GMT

I am attempting to create a signature for an Aruba VPN application to use with my Checkpoint App/URL filter. I see the application ID within my log files (appears to be consistent) and have found a Checkpoint tools called Application Control Signature Tool (ACST) that can be used to create customer application signatures and import them. However, the information that is being requested by ACST to build this signature is a little above my knowledge level.

Has anyone within this community used ACST to develop a signature for Aruba VPN (application ID 2042272525)?

Does anyone have experience using ACST that could offer some examples to help?

ACST Admin Guide: http://dl3.checkpoint.com/paid/7d/7dc39df4c4c93fcba550b9f2d22768d9/CP_ApplicationControlSignatureTool_AdminGuide.pdf?Has…

ACST Download: Signature Tool for custom Application Control and URL Filtering applications

Many Thanks!

Mike

Re: Application Signatures?

PhoneBoy — Wed, 23 May 2018 08:19:05 GMT

It’s possible the ACST isn’t the right answer here for your traffic.

We may be able to create a signature for this, please contact the TAC.

Contact Support | Check Point Software

Re: Application Signatures?

Mike_Schepers — Wed, 23 May 2018 10:47:56 GMT

Hello Dameon,

I had originally opened a TAC case (3-0234333211) and that is how I found out about ACST; perhaps the tech assigned to my case was not aware that TAC could help create a signature? Should I escalate the case or open another with some different information that could help me get to the proper engineering team?

Thanks,

Mike

Re: Application Signatures?

PhoneBoy — Wed, 23 May 2018 22:48:09 GMT

In some cases R&D needs to create the signature.

Did you provide packet captures as part of the SR?

Re: Application Signatures?

Mike_Schepers — Wed, 23 May 2018 23:01:45 GMT

No, I did not provide a packet capture… because the support engineer did not request one. Do you know what specifically I need to capture, and whether this needs to be done at the client PC, my firewall (which is the security perimeter gateway), or the far end VPN termination point? If the packet capture needs to be performed at my security gateway firewall, does this mean that I need to have HTTPS inspection enabled on my firewall?

Re: Application Signatures?

PhoneBoy — Thu, 24 May 2018 05:03:29 GMT

I think it may be sufficient to do this from the gateway only.

HTTPS Inspection shouldn't need to be enabled.

Re: Application Signatures?

Mike_Schepers — Thu, 24 May 2018 10:24:35 GMT

Thank you. I will open a new TAC case and start this process.

Re: Application Signatures?

PhoneBoy — Mon, 11 Jun 2018 16:25:30 GMT

Just to follow up, I checked with R&D and ACST is definitely not the right tool for the job here.

It's something we will likely have to create and the right approach is to open a TAC case as you've done.

If you hit a roadblock with TAC, please contact me privately.

Re: Application Signatures?

Vincent_Bacher — Mon, 11 Jun 2018 19:19:16 GMT

btw: it's getting time that https inspection policy supports applications created by acst.

Re: Application Signatures?

BrunoCiongoli — Mon, 23 Jan 2023 20:32:47 GMT

Hello mates, I hope all is well

I have the same problem with a vpn application,that connect to different server around the world.

The applications are itop VPN and radmin VPN and I want to block this traffic specifically

What should we do? Should I oped a TAC case or use this tool?

Thanks in advance

Re: Application Signatures?

PhoneBoy — Tue, 24 Jan 2023 04:18:42 GMT

Without knowing precisely how the applications work, I recommend engaging the TAC.