Palo Alto Networks Knowledgebase: Not-Applicable, Incomplete, Insufficient Data in the Application Field

Not-Applicable, Incomplete, Insufficient Data in the Application Field

100335
Created On 07/17/19 21:11 PM - Last Updated 07/17/19 22:30 PM
Resolution

Overview

The purpose of this document is to document the different entries that can show up inside of the Application field, and what they mean.

 

Incomplete in the application field

Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic being seen is not really an application.

 

For example, if a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete.

 

Insufficient data in the application field

Insufficient data means not enough data to identify the application. So for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then user will see insufficient data in the application field of the traffic log.

 

unknown-tcp

Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.

 

unknown-udp

Unknown-udp consists of unknown udp traffic.

 

unknown-p2p

Unknown-p2p matches generic P2P heuristics.

 

Not-applicable

Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service.
For example, if there was only one rule on the Palo Alto device and that rule allowed the application of web-browsing only on port/service 80, and traffic (web-browsing or any other application) is sent to the Palo Alto device on any other port/service besides 80, then the traffic is discarded or dropped and you'll see sessions with "not-applicable" in the application field.

 

owner: swhyte



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language