According to Xavier Mertens, the diary describes a data exfiltration bypass that leverages App-ID-enabled firewalls to circumvent traditional port-based controls by disguising traffic as legitimate application activity. The author details a scenario in which an external attacker uses netcat to listen on a port while a victim host runs a Python script that breaks a file into 3KB chunks and transmits them to the remote server, which successfully reconstructs the original file with matching SHA-256 hashes.
The technique relies on the firewall’s need for initial traffic to establish a reliable classification, with exfiltration typically blocked after around 5KB of payload in practice. The post notes that it has worked for files of a few megabytes but is slow and can be detected by the high number of small TCP connections, which may resemble beaconing.
It also points out that the approach is not tied to a single vendor, citing Palo Alto Networks App-ID as well as Check Point and Fortinet implementations that include application control features. Published on 31 March 2026, the piece emphasises that while the method can bypass some controls, it may still be detected by IDS components and could be mitigated by monitoring for unusual, frequent small payload transmissions.
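The mitigation the post suggests, watching for many small-payload connections from one host to one destination, as an added detection example that is not part of the diary: the flow records, the 5KB byte threshold and the connection-count and jitter thresholds are constructed or assumed values, not figures from the original.

```python
"""Flag hosts that open many small TCP connections to one destination,
the pattern the diary says chunked exfiltration leaves behind.
Added example; the flow records below are constructed, not from the diary."""
from collections import defaultdict
from statistics import pstdev

# Constructed flow log: (timestamp_s, src, dst, dport, bytes_sent_by_src)
FLOWS = [
    (t, "10.0.0.5", "203.0.113.7", 443, 3072) for t in range(0, 60, 2)   # 30 x 3KB chunks
] + [
    (t, "10.0.0.9", "198.51.100.2", 443, 1_500_000) for t in (5, 40, 300)  # normal uploads
] + [
    (t, "10.0.0.9", "203.0.113.7", 443, 2048) for t in (10, 400, 900)      # sparse, benign
]

def detect_chunked_exfil(flows, max_bytes=5 * 1024, min_conns=20,
                         window_s=300, max_jitter_s=5.0):
    """Return one alert per (src, dst, dport) that, inside any window_s-second
    window, shows at least min_conns connections each sending under max_bytes.
    max_bytes mirrors the ~5KB classification limit the diary observed (assumed
    threshold). interval_jitter_s separates regular, beacon-like timing from
    bursty noise."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, sent in sorted(flows):
        if sent < max_bytes:
            by_peer[(src, dst, dport)].append((ts, sent))
    alerts = []
    for (src, dst, dport), conns in by_peer.items():
        start = 0
        for end in range(len(conns)):
            # slide the window so it spans at most window_s seconds
            while conns[end][0] - conns[start][0] > window_s:
                start += 1
            n = end - start + 1
            if n >= min_conns:
                window = conns[start:end + 1]
                gaps = [b[0] - a[0] for a, b in zip(window, window[1:])]
                jitter = pstdev(gaps) if gaps else 0.0
                alerts.append({
                    "src": src, "dst": dst, "dport": dport,
                    "connections": n,
                    "bytes_total": sum(s for _, s in window),
                    "interval_jitter_s": round(jitter, 2),
                    "beacon_like": jitter <= max_jitter_s,
                })
                break  # one alert per peer is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_chunked_exfil(FLOWS):
        print(alert)
```

Tune min_conns and window_s against your own baseline of short connections; the large-transfer host above is ignored because its payloads exceed max_bytes, which is the point of the filter.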