{"id":596,"date":"2015-09-22T10:18:11","date_gmt":"2015-09-22T15:18:11","guid":{"rendered":"http:\/\/www.echorequest.com\/?p=596"},"modified":"2015-09-22T10:19:45","modified_gmt":"2015-09-22T15:19:45","slug":"more-palo-alto-firewall-info-i-need-status-of-incomplete-vs-insufficient-etc","status":"publish","type":"post","link":"https:\/\/www.echorequest.com\/?p=596","title":{"rendered":"More Palo-Alto Firewall info I need &#8211; Status of incomplete vs insufficient etc&#8230;"},"content":{"rendered":"<ul>\n<li><i><b>incomplete<\/b><\/i>\n<ul>\n<li>SYN or SYN-SYNACK-ACK is seen but no data packets are seen. In other words, the traffic you are seeing is not really an application.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>EX: if a client sends a server a SYN and the firewall creates a session for that SYN, but the server never sends a SYNACK in response back to the client, then that session would be incomplete.<\/p>\n<ul>\n<li><i><b>insufficient-data<\/b><\/i>\n<ul>\n<li>The firewall didn&#8217;t see the complete TCP 3-way handshake, OR<\/li>\n<li>There were no data packets exchanged after the handshake<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><!--more-->Means that there was not enough data to identify the application. 
For EX: if the 3-way handshake completed and there was 1 data packet after the handshake but that 1 data packet was not enough to match any of our signatures.<\/p>\n<ul>\n<li><i><b>unknown-tcp<\/b><\/i>\n<ul>\n<li>Firewall was unable to identify the TCP application\u00a0after the 3-way handshake was complete and data was received.<\/li>\n<\/ul>\n<\/li>\n<li><i><b>unknown-udp\u00a0<\/b><\/i>\n<ul>\n<li>Firewall was unable to identify the UDP application\u00a0after the 3-way handshake was complete and data was received.<\/li>\n<\/ul>\n<\/li>\n<li><i><b>unknown-p2p<\/b><\/i>\n<ul>\n<li>Application matches generic p2p heuristics<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>For these unknown applications, the customer must submit pcaps of the App to Palo Alto Support to create a new signature OR you will need to configure the firewall to identify this application:<\/p>\n<ol>\n<li>create a new application (instructions below)<\/li>\n<li>create an application override policy<\/li>\n<li>Make sure there is a security policy that permits the traffic.<\/li>\n<\/ol>\n<ul>\n<li><i><b>not-applicable<\/b><\/i>\n<ul>\n<li>session is blocked by the firewall<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The firewall has received data that we are discarding because the port\/service that the traffic is coming in on is NOT allowed OR there is no rule\/policy allowing that port\/service.<\/p>\n<p>EX: if there was only 1 rule on the PAN and that rule allowed the application of web-browsing only on port\/service 80, and traffic is sent to the PAN on any other port\/service other than 80, then the traffic will be discarded\/dropped.<\/p>\n<p>&nbsp;<\/p>\n<h2><span id=\"New_Application\" class=\"mw-headline\"><b>New Application<\/b><\/span><\/h2>\n<p><b>1. Objects -&gt; Applications -&gt; New<\/b><\/p>\n<ul>\n<li>Specify the application name and properties<\/li>\n<li>On the <i>Advanced tab<\/i>, enter the port number that uniquely identifies the application<\/li>\n<\/ul>\n<p><b>2. 
Policies -&gt; Application Override -&gt; Add rule<\/b><\/p>\n<ul>\n<li>Specify port number<\/li>\n<li>Configure application to be the one you just created.<\/li>\n<\/ul>\n<p><b>3. Policies -&gt; Security -&gt; Add Rule<\/b><\/p>\n<ul>\n<li>configure the zones and addresses<\/li>\n<li>Select the new app in the <i>Application<\/i> column<\/li>\n<li>Select Application default for the <i>service<\/i><\/li>\n<li><i>Allow\u00a0<\/i>or <i>deny<\/i> the action and commit.<\/li>\n<\/ul>\n<p><b>Application override<\/b> policies are checked before security policies. The application override will be used in place of our App-ID engine to identify the traffic.<\/p>\n<p>Security profiles CANNOT be assigned to Application Override policies. Application override policies bypass the signature Match Engine entirely, so Content-ID cannot be performed on this traffic. Application override should be used with internal traffic only.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>incomplete SYN or SYN-SYNACK-ACK is seen but no data packets are seen. In other words, the traffic you are seeing is not really an application. 
EX: if a client sends a server a SYN and the firewall creates a session for that SYN, but the server never sends a SYNACK in response back to the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-596","post","type-post","status-publish","format-standard","hentry","category-geek","post-preview"],"_links":{"self":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=596"}],"version-history":[{"count":2,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/596\/revisions"}],"predecessor-version":[{"id":598,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/596\/revisions\/598"}],"wp:attachment":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}