How to mitigate an increase in unknown-tcp or unknown-udp traffic

Created On 01/11/24 21:16 PM - Last Modified 01/11/24 23:53 PM


Objective


  • To mitigate an abnormal increase in traffic with application unknown-tcp or unknown-udp seen in the traffic logs.


Environment


  • Next Generation Firewall
  • unknown-tcp
  • unknown-udp


Procedure


  1. Inspect the firewall traffic logs: MONITOR> Logs> Traffic and use the ( app eq 'unknown-tcp' ) or ( app eq 'unknown-udp' ) search filter. Characterize the traffic whose application the firewall has not identified (determine its Source Zone, Source IP address, Destination Zone, Destination IP address, Destination port, etc.).
  2. If the application of this traffic was previously identified correctly by the firewall and then suddenly stopped being recognized:
    1. Check whether the content or application version on your firewall is up to date: DEVICE> Dynamic Updates, then:
      1. Applications and Threats (for firewalls with a valid Threat Prevention license installed)
      2. Applications (for firewalls with no Threat Prevention license).
    2. If the content or application version needs to be updated, refer to the instructions to install content updates.
    3. Report a misidentification of an application.
  3. If the application of this traffic was never recognized by the firewall, then depending on the use case:
    1. Create a custom application for that traffic (refer to Pro-Tips: Unknown Applications) and an application override for this traffic.
    2. Request a new App-ID from Palo Alto Networks for this traffic.
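The first step above is a triage exercise: find which zones, addresses and destination ports account for the unknown-tcp/unknown-udp sessions. The following script is an added example, not part of this article and not a Palo Alto Networks tool; it assumes a CSV export of the traffic log with the column names used below (a real export has many more columns, which are ignored because fields are read by header name) and groups the unidentified sessions by exactly the attributes the procedure asks you to determine.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows shaped like a PAN-OS traffic log CSV export
# (header names are assumptions; only these columns are used).
SAMPLE_LOG = """receive_time,from,src,to,dst,dport,app,bytes,action
2024/01/11 20:01:05,trust,10.1.1.25,untrust,203.0.113.10,8443,unknown-tcp,1500,allow
2024/01/11 20:01:07,trust,10.1.1.25,untrust,203.0.113.10,8443,unknown-tcp,2200,allow
2024/01/11 20:01:09,trust,10.1.1.40,untrust,203.0.113.10,8443,unknown-tcp,900,allow
2024/01/11 20:01:12,trust,10.1.1.25,dmz,10.2.2.5,5000,unknown-udp,300,allow
2024/01/11 20:01:15,trust,10.1.1.99,untrust,198.51.100.7,443,ssl,4000,allow
2024/01/11 20:01:18,trust,10.1.1.25,untrust,203.0.113.10,8443,unknown-tcp,1800,allow
"""

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}
# The attributes step 1 of the procedure tells you to determine.
FLOW_KEY = ("from", "src", "to", "dst", "dport", "app")


def summarize_unknown(csv_text, top=5):
    """Group sessions App-ID could not classify by zone/address/port and
    return the busiest flows as (key, session_count, total_bytes), largest first."""
    sessions = defaultdict(int)
    volume = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["app"] not in UNKNOWN_APPS:
            continue  # identified applications are not part of the problem
        key = tuple(row[f] for f in FLOW_KEY)
        sessions[key] += 1
        volume[key] += int(row["bytes"])
    ranked = sorted(sessions, key=lambda k: (sessions[k], volume[k]), reverse=True)
    return [(k, sessions[k], volume[k]) for k in ranked[:top]]


def by_destination_port(csv_text):
    """Session counts per (app, destination port): a quick view of which
    unidentified service is driving the increase."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["app"] in UNKNOWN_APPS:
            counts[(row["app"], row["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n, nbytes in summarize_unknown(SAMPLE_LOG):
        print(dict(zip(FLOW_KEY, key)), "sessions:", n, "bytes:", nbytes)
    print(by_destination_port(SAMPLE_LOG))
```

Once the dominant flow is known (here, one internal host talking to one external address on port 8443), steps 2 and 3 decide whether it is a content-version problem or a candidate for a custom application, an application override, or a new App-ID request.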

