AnsweredAssumed Answered

Application Signatures?

Question asked by Mike Schepers on May 22, 2018
Latest reply on Jun 11, 2018 by Vincent Bacher

Like • Show 2 Likes2
Comment • 8

I am attempting to create a signature for an Aruba VPN application to use with my Checkpoint App/URL filter. I see the application ID within my log files (appears to be consistent) and have found a Checkpoint tools called Application Control Signature Tool (ACST) that can be used to create customer application signatures and import them. However, the information that is being requested by ACST to build this signature is a little above my knowledge level.

Has anyone within this community used ACST to develop a signature for Aruba VPN (application ID 2042272525)?

Does anyone have experience using ACST that could offer some examples to help?

ACST Admin Guide: http://dl3.checkpoint.com/paid/7d/7dc39df4c4c93fcba550b9f2d22768d9/CP_ApplicationControlSignatureTool_AdminGuide.pdf?Has…

ACST Download: Signature Tool for custom Application Control and URL Filtering applications

Many Thanks!

Mike

No one else has this question

Outcomes

Dameon Welch-Abernathy

May 23, 2018 1:19 AM

It’s possible the ACST isn’t the right answer here for your traffic.

We may be able to create a signature for this, please contact the TAC.

Contact Support | Check Point Software

Actions

Mike Schepers @ Dameon Welch-Abernathy on May 23, 2018 4:39 AM

Hello Dameon,

I had originally opened a TAC case (3-0234333211) and that is how I found out about ACST; perhaps the tech assigned to my case was not aware that TAC could help create a signature? Should I escalate the case or open another with some different information that could help me get to the proper engineering team?

Thanks,

Mike

Actions

Dameon Welch-Abernathy

@ Mike Schepers on May 23, 2018 3:48 PM

In some cases R&D needs to create the signature.

Did you provide packet captures as part of the SR?

Actions

Mike Schepers @ Dameon Welch-Abernathy on May 23, 2018 10:01 PM

No, I did not provide a packet capture… because the support engineer did not request one. Do you know what specifically I need to capture, and whether this needs to be done at the client PC, my firewall (which is the security perimeter gateway), or the far end VPN termination point? If the packet capture needs to be performed at my security gateway firewall, does this mean that I need to have HTTPS inspection enabled on my firewall?

Actions

Dameon Welch-Abernathy

@ Mike Schepers on May 23, 2018 10:03 PM

I think it may be sufficient to do this from the gateway only.

HTTPS Inspection shouldn't need to be enabled.

Actions

Mike Schepers @ Dameon Welch-Abernathy on Jun 11, 2018 9:17 AM

Thank you. I will open a new TAC case and start this process.

Actions

Dameon Welch-Abernathy

@ Mike Schepers on Jun 11, 2018 9:25 AM

Just to follow up, I checked with R&D and ACST is definitely not the right tool for the job here.

It's something we will likely have to create and the right approach is to open a TAC case as you've done.

If you hit a roadblock with TAC, please contact me privately.

Actions

Vincent Bacher @ Dameon Welch-Abernathy on Jun 11, 2018 12:19 PM

btw: it's getting time that https inspection policy supports applications created by acst.

Actions

8 Replies

Dameon Welch-Abernathy May 23, 2018 1:19 AM
Mark Correct
Correct Answer
It’s possible the ACST isn’t the right answer here for your traffic.
We may be able to create a signature for this, please contact the TAC.
Contact Support | Check Point Software
Like • Show 0 Likes0
Actions
- Mike Schepers @ Dameon Welch-Abernathy on May 23, 2018 4:39 AM
  Mark Correct
  Correct Answer
  Hello Dameon,
  
  I had originally opened a TAC case (3-0234333211) and that is how I found out about ACST; perhaps the tech assigned to my case was not aware that TAC could help create a signature? Should I escalate the case or open another with some different information that could help me get to the proper engineering team?
  
  Thanks,
  Mike
  Like • Show 0 Likes0
  Actions
  - Dameon Welch-Abernathy @ Mike Schepers on May 23, 2018 3:48 PM
    Mark Correct
    Correct Answer
    In some cases R&D needs to create the signature.
    Did you provide packet captures as part of the SR?
    Like • Show 0 Likes0
    Actions
    - Mike Schepers @ Dameon Welch-Abernathy on May 23, 2018 10:01 PM
      Mark Correct
      Correct Answer
      No, I did not provide a packet capture… because the support engineer did not request one. Do you know what specifically I need to capture, and whether this needs to be done at the client PC, my firewall (which is the security perimeter gateway), or the far end VPN termination point? If the packet capture needs to be performed at my security gateway firewall, does this mean that I need to have HTTPS inspection enabled on my firewall?
      Like • Show 0 Likes0
      Actions
      - Dameon Welch-Abernathy @ Mike Schepers on May 23, 2018 10:03 PM
        Mark Correct
        Correct Answer
        I think it may be sufficient to do this from the gateway only.
        HTTPS Inspection shouldn't need to be enabled.
        Like • Show 0 Likes0
        Actions
        Mike Schepers @ Dameon Welch-Abernathy on Jun 11, 2018 9:17 AM
        Mark Correct
        Correct Answer
        Thank you. I will open a new TAC case and start this process.
        Like • Show 0 Likes0
        Actions
        Dameon Welch-Abernathy @ Mike Schepers on Jun 11, 2018 9:25 AM
        Mark Correct
        Correct Answer
        Just to follow up, I checked with R&D and ACST is definitely not the right tool for the job here.
        It's something we will likely have to create and the right approach is to open a TAC case as you've done.
        If you hit a roadblock with TAC, please contact me privately.
        Like • Show 0 Likes0
        Actions
- Vincent Bacher @ Dameon Welch-Abernathy on Jun 11, 2018 12:19 PM
  Mark Correct
  Correct Answer
  btw: it's getting time that https inspection policy supports applications created by acst.
  Like • Show 0 Likes0
  Actions

Application Signatures?

Outcomes

Related Content

Recommended Content