Firmware Version dependent Behavior of Application Control
Like every feature, Application Control is subject to updates and improvements, so its behavior differs depending on the firmware version in use.
Duplicate Custom Network Applications
Custom network apps are considered duplicates if they coincide exactly in the following attributes, which together represent their endpoint:
Layer 4 protocol (Any, TCP or UDP)
Destination address
Destination port range
Because hostname-based custom network apps are internally resolved into IP addresses, custom network apps can inadvertently become duplicates if
a hostname-based custom network app resolves to the same IP address as an existing address-based custom network app, or
two hostname-based custom network apps with different hostnames resolve to the same IP address.
| Behavior < Firmware 10.5 | Behavior >= 10.5 |
|---|---|
| Only the first encountered custom network app for a given endpoint was considered in the engine; all others were silently dropped. | Up to eight different custom network apps can exist for the same endpoint. The ninth and all further ones are silently dropped. |
Overlapping Custom Network Applications
When creating a network app, you can also configure the protocol type and network ranges, for example:
tcp:192.168.0.0/16:0-65535 and tcp:192.168.1.0/24:0-65535, or tcp:192.168.1.1:0-1024 and tcp:192.168.1.1:80,443
In both cases, any session matching the respective second app would also match the respective first app.
| Behavior < Firmware 10.5 | Behavior >= 10.5 |
|---|---|
| Only the app with the smallest address range, or subsequently the one with the smallest port range, would be assigned to the session. | All matching apps will be assigned to the session (at most up to 16, see also below). |
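To make the two tables above concrete, here is an added Python model of the documented rules; it is not Barracuda's implementation, and the "proto:address:ports" spec format, the function names and the sample apps are assumptions. It shows that a duplicate endpoint keeps one app before 10.5 and up to eight from 10.5, and that an overlapping session gets only the most specific app before 10.5 but all matching apps (up to 16) from 10.5.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the documented behavior, not the firewall's own code.
MAX_APPS_PER_ENDPOINT = 8   # >= 10.5: duplicates kept for one endpoint
MAX_APPS_PER_SESSION = 16   # >= 10.5: matching apps assigned to a session

@dataclass(frozen=True)
class NetApp:
    name: str
    proto: str                      # "any", "tcp" or "udp"
    net: ipaddress.IPv4Network      # destination address or network
    ports: frozenset                # destination port set

def parse_app(name, spec):
    """Parse an assumed spec such as 'tcp:192.168.1.1:80,443' or 'tcp:10.0.0.0/8:0-1024'."""
    proto, addr, ports = spec.split(":")
    portset = set()
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        portset.update(range(int(lo), int(hi or lo) + 1))
    net = ipaddress.ip_network(addr, strict=False)
    return NetApp(name, proto.lower(), net, frozenset(portset))

def endpoint(app):
    # The three attributes that make two custom network apps duplicates.
    return (app.proto, app.net, app.ports)

def keep_unique(apps, new_firmware):
    """Duplicate endpoints: < 10.5 keeps only the first app, >= 10.5 keeps up to eight."""
    limit = MAX_APPS_PER_ENDPOINT if new_firmware else 1
    seen, kept = {}, []
    for app in apps:
        count = seen.get(endpoint(app), 0)
        if count < limit:          # the ninth (or second, pre-10.5) is silently dropped
            kept.append(app)
            seen[endpoint(app)] = count + 1
    return kept

def matches(app, proto, ip, port):
    return app.proto in ("any", proto) and ipaddress.ip_address(ip) in app.net and port in app.ports

def assign_apps(apps, proto, ip, port, new_firmware):
    """Return the apps a session (proto, destination ip, destination port) is assigned."""
    hits = [a for a in apps if matches(a, proto, ip, port)]
    if not hits:
        return []
    if new_firmware:
        return hits[:MAX_APPS_PER_SESSION]
    # < 10.5: only the most specific app wins: smallest address range, then smallest port range
    return [min(hits, key=lambda a: (a.net.num_addresses, len(a.ports)))]
```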
Multiple Applications Matching in the Same Session
As multiple applications can be combined based on their app-IDs into a session, this also has an impact on how such bundles are handled.
| Behavior < Firmware 10.5 | Behavior >= 10.5 |
|---|---|
| Only one app (consisting of a hierarchy of up to 3 app-IDs) could be assigned to a session at any point in time. Newly detected apps (a change of app within the same session) would fully overwrite the already existing app. | Up to 16 app-IDs can be assigned to a session. Newly detected apps will be appended. If more than 16 app-IDs need to be assigned to the same session, the newer app-IDs will overwrite the oldest existing app-IDs. |
Restrictions between Applications
When multiple applications are involved, specific restrictions may apply.
| Behavior < Firmware 10.5 | Behavior >= 10.5 |
|---|---|
| | |
Handling of Multiple Applications for the Same Hostname
Multiple Custom Network Apps for the Same Hostname
Multiple custom network applications for the same hostname resolve to the same IP address(es). Provided that the other attributes (layer 4 protocol and port range) are also identical, the consequences and restrictions laid out above apply.
Multiple Custom Web Apps for the same Hostname
This is not allowed; a sanitation check in Firewall Admin prevents it.
A Custom Network Application for the same Hostname as a Custom Web Application or Built-in Web Application
Custom Network Applications and Web Applications (ordinary and custom) can coexist under these conditions:
| Behavior < Firmware 10.5 | Behavior >= 10.5 |
|---|---|
| The custom network application matches and prevents any further application detection, so the (custom or built-in) web app will not match. | The custom network application and the (custom or built-in) web application will match, with the restriction laid out in the section below. |
A Custom Web Application for the same Hostname as a Built-in Web Application
| Behavior < Firmware 10.5 | Behavior >= 10.5 |
|---|---|
| The custom web application matches and prevents any further application detection, so the (custom or built-in) web app will not match. | The custom web application and the (custom or built-in) web application will match. |
If a custom web app has matched, then for the same HTTP request no detection for built-in web applications will be performed (but can again be performed for the next HTTP request). The same holds for SNI based application detection.
Therefore currently custom web apps can be used to override built-in web apps.
Note that a custom web application may also have path conditions. In this case, detection of built-in web applications is prevented only if all conditions of the custom web application apply; a matching host/domain condition alone is not sufficient!
Ipoque Apps
Ipoque applications are fully independent of other application types and can match at any time, and they impose no restriction for the further course of the session.
The only exception: in firmware < 10.5, a matching custom network application prevents any other application detection, including ipoque apps.
Visualizations in Barracuda Firewall Admin
The application related information available in Firewall Admin Live > Show Session Details… has been extended to show all applications (up to 16) which are currently assigned to a session.
| Behavior < Firmware 10.5 | Behavior >= 10.5 |
|---|---|
| The Live view in Barracuda Firewall Admin always shows the basic application (the lowest hierarchy level) which is currently assigned to the session. | The Live view in Barracuda Firewall Admin shows the application which caused the app condition of the most recent application rule evaluation to match. In case several apps of the session could have caused a match in a rule, the first one encountered is visualized. |