Firepower Custom Application Detector gives the capability to add signatures for our custom business applications to the list of application detectors so that we can call them when we add an access control rule. In this section we will create a custom application detector specific to our business.

Topology and Custom Application Overview

Topology Overview

Just to review the topology, we have one FTD with two zones, inside and outside, with IP subnets 192.168.10.0/24 and 192.168.1.0/24 respectively. The outside zone is connected to the internet and the inside zone to the LAN. There are two computers for testing purposes: one with IP address 192.168.10.10 in the inside zone and one with IP address 192.168.1.88 in the outside zone.

Cisco FTD Topology overview

Custom Application Overview

We have one business application running over TCP port 1234. We are going to write a custom application detector to detect traffic matching this business application. What is special about our application is the “rayka” pattern in the content transmitted from the server to the client over TCP port 1234. This is what our custom application detector signature will search for.

To ensure that our signature works correctly, we generate traffic between our test machines, with 192.168.10.10 as the client and 192.168.1.88 as the server listening on TCP port 1234.

RAYKA business Application Specification

Create Custom Application Detector

Simulate Custom Application

We will use the software “TCP Client Server” to simulate the traffic.

We will also use Wireshark to capture a sample of the Rayka business application traffic. With this sample we can verify that our signature works correctly.

To simulate traffic, let’s first add a rule at the top of the access control policy that permits everything, so we can generate any traffic between the inside and outside zones. We also enable logging on the rule to monitor the simulated traffic.

add permit_all access rule

Before we generate any traffic, let’s open Wireshark with the filter “tcp.port == 1234” to capture any traffic going over TCP port 1234.

prepare wireshark to capture rayka custom business application

To generate sample Rayka business application traffic, we first open the “TCP Client Server” software on the server side to listen on IP address 192.168.1.88, TCP port 1234.

Then we open the same software on the client machine and connect to 192.168.1.88 on TCP port 1234 from the interface with IP address 192.168.10.10.

Then we type some text on the server side including the keyword “rayka” and click the “Send” button; the text is sent to the client and must be displayed there.

simulate rayka business application traffic

All traffic between client and server is captured in Wireshark. We save the captured traffic (“Export Specific Packets”) to a file. This file will be checked against our custom signature to ensure that the signature works properly.

save sample rayka business application traffic

Create Custom Application Detector Signature

Now we can create our custom application detector signature using “Create Custom Detector” in:

Policies -> Application Detectors -> Create Custom Detector

Give a name and description for your application, then click the plus button to create a new basic application protocol.

create rayka application detector signature part1

In the application protocol section we also need to provide a name and description. Then we indicate how business-relevant the application is and how risky it is from a security point of view. It is also a good idea to categorize the application. Finally, we can add as many tags as we like to describe the application.

create rayka application detector signature part2

A new window for the new application opens. This is where you specify your signature. Here you can also add sample traffic of the application to make sure that the signature works correctly.

In our example, these are the parameters of the signature by which the traffic of Rayka app1 is distinguished:

any TCP traffic in the server-to-client direction on port 1234 containing the ASCII pattern “rayka”.
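To make the four signature fields concrete, here is an added Python model (not part of the original tutorial and not Cisco's detector engine) that applies the same logic to a constructed packet list; the `Packet` class, the dictionary field names and the sample flows are assumptions. It also shows the two cases the signature must not match: the keyword sent only by the client, and the keyword on another port.

```python
from dataclasses import dataclass

# Assumed field names: a plain-dict model of the four signature fields set in FMC.
RAYKA_SIGNATURE = {
    "proto": "tcp",
    "port": 1234,
    "direction": "server_to_client",
    "pattern": b"rayka",  # ASCII pattern, matched as a substring of the payload
}

@dataclass
class Packet:
    """Hypothetical minimal packet record (what the capture export carries)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def packet_matches(pkt: Packet, sig: dict = RAYKA_SIGNATURE) -> bool:
    """True only when protocol, direction+port and pattern all agree."""
    if pkt.proto != sig["proto"]:
        return False
    # Server-to-client: the server's listening port is the SOURCE port of the packet.
    # Client-to-server: the listening port is the DESTINATION port.
    port_field = pkt.sport if sig["direction"] == "server_to_client" else pkt.dport
    if port_field != sig["port"]:
        return False
    return sig["pattern"] in pkt.payload

def flow_matches(packets, sig: dict = RAYKA_SIGNATURE) -> bool:
    """A flow is classified as the application once any packet in it matches."""
    return any(packet_matches(p, sig) for p in packets)

# Constructed stand-in for the exported Wireshark capture between the two test hosts.
CLIENT, SERVER = "192.168.10.10", "192.168.1.88"
RAYKA_FLOW = [
    Packet("tcp", CLIENT, 51000, SERVER, 1234, b""),                       # SYN
    Packet("tcp", SERVER, 1234, CLIENT, 51000, b""),                       # SYN/ACK
    Packet("tcp", SERVER, 1234, CLIENT, 51000, b"welcome to rayka app1"),  # server text
]
# Same keyword, but only typed on the client: wrong direction, so no match.
CLIENT_ONLY_FLOW = [Packet("tcp", CLIENT, 51001, SERVER, 1234, b"hello rayka")]
# Right direction and keyword, but on another port: no match.
OTHER_PORT_FLOW = [Packet("tcp", SERVER, 4321, CLIENT, 51002, b"rayka")]
```

Running `flow_matches` over each of the three flows returns True only for `RAYKA_FLOW`, which is exactly what the FMC test against the saved capture should confirm.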

add rayka application detector signature pattern

Then we add the sample traffic captured by Wireshark.

Then we test the signature against the sample traffic. If the test returns OK, the signature is correct.

application detector signature pattern test result

Custom application detectors are disabled by default. You have to enable the detector before using it in an access control rule.

enable custom application detector

Now you are ready to add your custom detector to any access rule by searching for your application name in the Applications tab.

search custom application in access control rules