Issue
When monitoring Palo Alto Networks firewall bandwidth and network traffic using a Netflow Analyzer, there may be some discrepancy in the 'incomplete' application traffic reported on the Netflow server, versus what is reported on the ACC tab of the firewall.
Details
For TCP sessions, the first packet in a TCP handshake does not have any application data to perform pattern matching using signatures to identify the application. Hence, the App-ID cache is used to identify the application on the very first packet. It aids in Policy Based Forwarding rules, in which a routing decision needs to be based on the first packet of a session. In this case, the routing decision is made before an application can be identified, so the App-ID cache provides a mechanism for making a best estimate for forwarding decisions.
The firewall tries to identify the new session's application based on any matching cached entry associated with the same Destination IP/Port. When no match is found, the firewall terms the application as 'none,' which is seen as 'incomplete' in data records sent to the Netflow collector.
See this example:
Once the firewall sees further data exchange for this session, it identifies the application based on pattern matching signatures and sends an updated data record for the session to the Netflow collector.
Some Netflow collectors stick to the first identification of the application for a session and do not make further changes in the session's application field. This creates the discrepancy in the amount of 'incomplete' application traffic reported by the firewall versus what is reported by the netflow server.
owner: apasupulati