Technical Tip: Matching multiple parameters on application control signatures

Shilpa1 · ‎09-22-2020

Description
Application control signatures that support parameters (such as SCADA protocols) can have multiple parameters grouped together and matched at the same time.
To match a member, traffic has to match all of the parameters.
To match a signature, at least one member has to be matched.

Solution
To configure an application sensor with multiple parameters from GUI.

1) Go to Security Profiles -> Application Control.
2) Select 'Create New' to create a new application sensor, or edit an existing sensor.
3) In the Application and Filter Overrides table, select 'Create New'.
4) Add an application signature that has parameters, such as Facebook.App_Name.

5) Select 'Create New' to add parameters. Multiple parameters can be added to a member.

6) Select 'OK'.
7) Add more members as needed.

8) Select 'OK'.

To configure an application sensor with multiple parameters from CLI.
# config application list
    edit "g-test"
        set other-application-log enable
        # config entries
            edit 1
                set application 23813
                # config parameters
                    edit 1
                        # config members
                            edit 1
                                set name "application"
                                set value "22"
                            next
                            ...
                            edit 6
                                set name "application"
                                set value "Albatross"
                            next
                        end
                    next
                    edit 2
                        # config members
                            edit 1
                                set name "application"
                                set value "test"
                            next
                            ...
                        end
                    next
                    edit 3
                        # config members
                            edit 1
                                set name "application"
                                set value "Winner"
                            next
                        end
                    next
                    edit 4
                        # config members
                            edit 1
                                set name "application"
                                set value "next"
                            next
                            edit 2
                                set name "application"
                                set value "pass"
                            next
                        end
                    next
                end
            next
            edit 2
                set category 2 6
            next
        end
    next
end