  • incomplete
    • SYN or SYN-SYNACK-ACK is seen but no data packets are seen. In other words, the traffic you are seeing is not really an application.

EX: if a client sends a server a SYN and the firewall creates a session for that SYN, but the server never sends a SYNACK in response back to the client, then that session would be incomplete.

  • insufficient-data
    • The firewall didn’t see the complete TCP 3-way handshake, OR
    • There were no data packets exchanged after the handshake

Means that there was not enough data to identify the application. For EX: if the 3-way handshake completed and there was 1 data packet after the handshake, but that 1 data packet was not enough to match any of our signatures.

  • unknown-tcp
    • Firewall was unable to identify the TCP application after the 3-way handshake was complete and data was received.
  • unknown-udp
    • Firewall was unable to identify the UDP application after the 3-way handshake was complete and data was received.
  • unknown-p2p
    • Application matches generic p2p heuristics

For these unknown applications, the customer must submit pcaps of the application to Palo Alto Support so a new signature can be created, OR you will need to configure the firewall to identify this application:

  1. Create a new application (instructions below)
  2. Create an application override policy
  3. Make sure there is a security policy that permits the traffic.

  • not-applicable
    • session is blocked by the firewall

The firewall has received data that we are discarding because the port/service that the traffic is coming in on is NOT allowed OR there is no rule/policy allowing that port/service.

EX: if there was only 1 rule on the PAN and that rule allowed the application of web-browsing only on port/service 80, and traffic is sent to the PAN on any other port/service other than 80, then the traffic will be discarded/dropped.


New Application

1. Objects -> Applications -> New

  • Specify the application name and properties
  • On the Advanced tab, enter the port number that uniquely identifies the application

2. Policies -> Application Override -> Add rule

  • Specify port number
  • Configure the application to be the one you just created.

3. Policies -> Security -> Add Rule

  • Configure the zones and addresses
  • Select the new app in the Application column
  • Select Application default for the service
  • Allow or deny the action and commit.
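
The same three steps expressed as PAN-OS CLI set commands, added here as an illustration and not taken from this page or from Palo Alto documentation; the application name custom-tcp-5555, port 5555, the trust zone and the test addresses are assumed placeholders, and lines beginning with # are annotations, not CLI input.

```text
# Step 1: custom application object (Objects -> Applications -> New).
# Category, subcategory, technology and risk are required; the default
# port is the port that uniquely identifies this application.
configure
set application custom-tcp-5555 category business-systems subcategory general-business technology client-server risk 1
set application custom-tcp-5555 default port tcp/5555

# Step 2: application override rule (Policies -> Application Override).
# Scoped to an internal zone only: this traffic skips the App-ID signature
# engine, so no Content-ID inspection will happen on it.
set rulebase application-override rules override-custom-5555 from trust to trust source any destination any protocol tcp port 5555 application custom-tcp-5555

# Step 3: security rule that permits the new app (Policies -> Security),
# using application-default so only tcp/5555 is allowed for it.
set rulebase security rules allow-custom-5555 from trust to trust source any destination any application custom-tcp-5555 service application-default action allow
commit
exit

# Verify from operational mode: the policy match should land on
# allow-custom-5555, and live sessions should now show custom-tcp-5555
# instead of unknown-tcp.
test security-policy-match from trust to trust source 10.1.1.10 destination 10.1.1.20 protocol 6 destination-port 5555 application custom-tcp-5555
show session all filter application custom-tcp-5555
```

Because the override is evaluated before security policy, a rule ordering mistake in step 2 (for example `from any to any`) would silently pull unrelated tcp/5555 traffic out of App-ID inspection, so keep the zones as narrow as the internal traffic allows.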

Application override policies are checked before security policies. The application override will be used in place of our App-ID engine to identify the traffic.

Security profiles CANNOT be assigned to Application Override policies. Application override policies bypass the signature Match Engine entirely, so Content-ID cannot be performed on this traffic. Application override should be used with internal traffic only.