How to Verify the Application Name Change from Unknown-tcp/udp to Actual App-ID

Created On 09/25/18 19:24 PM - Last Modified 05/05/21 21:19 PM


Resolution


Details

In the packet diagnostic logs below, the application is initially identified as App-ID 1017 (unknown-tcp); the subsequent log messages show it re-identified as App-ID 184 (Skype).

Oct 22 15:01:30 pan_ctd_flow_state_verify(pan_ctd.c:4318):pan_ctd_process_token(work 0x7f0009d06100, app 1017): 172.24.70.204[51305]-->172.17.146.45[26111]
Oct 22 15:01:30 pan_ctd_handle_reset(pan_ctd.c:6018): handle reset
Oct 22 15:01:30 pan_ctd_handle_reset(pan_ctd.c:6029): ***setapp to 184 (old app 1017)
Oct 22 15:01:30 pan_ctd_handle_reset(pan_ctd.c:6032): orig_app is 1017
Oct 22 15:01:30 pan_appid_set_timeout(pan_appid_proc.c:334): session 386 appid 184 set timeout 3600
Oct 22 15:01:30 pan_cfg_app_policy_lookup(pan_cfg_policy.c:630): Before lookup:172.24.70.204[51305]-->172.17.146.45[26111] app 184 use app 184; do lookup 0 app fst 1 url fst 1 is default 0 rulename (allow-vwire-1A)
Oct 22 15:01:30 pan_ctd_app_policy_lookup_i(pan_ctd.c:4816): Session id(386): rule changed to allow-vwire-1A from allow-vwire-1A action(0); logging(2); profile id(1) category any(0)
Oct 22 15:01:30 pan_ctd_run_detector_i(pan_ctd.c:6413):pan_ctd_handle_reset_and_url() returns 0
Oct 22 15:01:30 pan_detector_delete_all_fields(pan_detector.c:1581): delete allfields
Oct 22 15:01:30 pan_ctd_run_detector_i(pan_ctd.c:6439): Appid done appid 184,mitigation now n_tid 0 ret 0
Oct 22 15:01:30 pan_ctd_run_detector_i(pan_ctd.c:6584): exit to bypass now
Oct 22 15:01:30 pan_ctd_process_token(pan_ctd.c:5570):pan_ctd_run_pattern_match() failed -6

Use the following CLI command to resolve an App-ID number from the logs above to its application name:

debug device-server dump idmgr type shared-application id <id>


For this example, verify IDs 1017 and 184:

> debug device-server dump idmgr type shared-application id 1017

unknown-tcp

> debug device-server dump idmgr type shared-application id 184

Skype

To run the reverse lookup and find the ID of a given application name:

> debug device-server dump idmgr type shared-application name web-browsing

109
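As an added example, not part of this article, the following Python script walks a pan_ctd packet-diagnostic excerpt such as the one above, pairs each "***setapp" event with its flow and session, emits the "debug device-server dump idmgr" lookups needed to name the IDs involved, and renders the transition once those names are known. The sample log and the id-to-name mapping are constructed from the values in this article; the regular expressions assume the log format shown here.

```python
import re

# Constructed sample: lines taken from the pan_ctd packet-diagnostic excerpt in this article.
SAMPLE_LOG = """\
Oct 22 15:01:30 pan_ctd_flow_state_verify(pan_ctd.c:4318):pan_ctd_process_token(work 0x7f0009d06100, app 1017): 172.24.70.204[51305]-->172.17.146.45[26111]
Oct 22 15:01:30 pan_ctd_handle_reset(pan_ctd.c:6018): handle reset
Oct 22 15:01:30 pan_ctd_handle_reset(pan_ctd.c:6029): ***setapp to 184 (old app 1017)
Oct 22 15:01:30 pan_ctd_handle_reset(pan_ctd.c:6032): orig_app is 1017
Oct 22 15:01:30 pan_appid_set_timeout(pan_appid_proc.c:334): session 386 appid 184 set timeout 3600
Oct 22 15:01:30 pan_ctd_run_detector_i(pan_ctd.c:6439): Appid done appid 184,mitigation now n_tid 0 ret 0
"""

FLOW_RE = re.compile(r"pan_ctd_process_token\(work 0x[0-9a-f]+, app (\d+)\): (\S+)-->(\S+)")
SETAPP_RE = re.compile(r"\*\*\*setapp to (\d+) \(old app (\d+)\)")
SESSION_RE = re.compile(r"session (\d+) appid (\d+) set timeout (\d+)")

def extract_app_changes(log_text):
    """Walk the log in order; pair each '***setapp' event with the flow from the
    preceding process_token line and the session/timeout line that follows it."""
    changes, flow = [], (None, None)
    for line in log_text.splitlines():
        if m := FLOW_RE.search(line):
            flow = (m.group(2), m.group(3))          # src[port], dst[port]
        elif m := SETAPP_RE.search(line):
            changes.append({"src": flow[0], "dst": flow[1], "old_app": int(m.group(2)),
                            "new_app": int(m.group(1)), "session": None, "timeout": None})
        elif (m := SESSION_RE.search(line)) and changes and changes[-1]["session"] is None:
            changes[-1]["session"], changes[-1]["timeout"] = int(m.group(1)), int(m.group(3))
    return changes

def idmgr_commands(changes):
    """The CLI lookups (from the article) needed to name every App-ID in the changes."""
    ids = sorted({c["old_app"] for c in changes} | {c["new_app"] for c in changes})
    return [f"debug device-server dump idmgr type shared-application id {i}" for i in ids]

def describe(changes, names):
    """Render each transition using the id->name mapping taken from the idmgr output;
    a new app still named unknown-* means identification never completed."""
    lines = []
    for c in changes:
        old = names.get(c["old_app"], f"id {c['old_app']} (not looked up)")
        new = names.get(c["new_app"], f"id {c['new_app']} (not looked up)")
        note = " [still unidentified]" if new.startswith("unknown-") else ""
        lines.append(f"session {c['session']}: {c['src']}-->{c['dst']} {old} -> {new}{note}")
    return lines

if __name__ == "__main__":
    found = extract_app_changes(SAMPLE_LOG)
    # Mapping as returned by the two lookups in the article (constructed here).
    print("\n".join(idmgr_commands(found) + describe(found, {1017: "unknown-tcp", 184: "Skype"})))
```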

See Also

Packet Based Troubleshooting - Configuring Packet Captures and Debug Logs
