All application traffic gets blocked when we add unknown-tcp/udp application filter in Block rule

Created On 04/25/23 05:35 AM - Last Modified 10/08/24 23:53 PM


Symptom


  • We configured a security policy to block unknown-tcp and unknown-udp traffic using an application filter named "unknown".
  • After the upgrade from 9.1.x to 10.1.x, we were unable to access the internet, even though the application was identified as "web-browsing"; the session end reason was "reset-both".
  • When the application filter created for unknown-tcp and unknown-udp was removed from the block policy, we were able to access the internet again.
 


Environment


  • Firewall
  • PAN-OS Version: 10.1.x, 10.2.x


Cause


  • In the session info, the application is shown as "web-browsing", yet the session hits the "block" policy.
  • An application filter named "unknown" matches the name of a decoder, which is also called "unknown".
  • Using a decoder name as an application filter name causes incorrect policy matching.

 

 



Resolution


Target fix version: PAN-OS 11.1.0
  1. Avoid application filter, custom app, and application group names that match decoder names.
  2. To do so, prepend, insert, or append one or two underscores (_ or __) to the application filter, application group, and custom app names, as decoder names rarely contain an underscore.
  3. In this scenario, "unknown" is the name of a decoder present on the firewall.
  4. Before changes are made to the application filter:

      admin@Lab81-233-PA-VM# show application-filter unknown
      unknown {
        category unknown;
      }

     After changes are made to the application filter:

      admin@Lab81-233-PA-VM# show application-filter unknown-category
      unknown {
        category unknown;
      }
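
The check below is an added example, not code from this article or from Palo Alto Networks. It scans set-format configuration lines for application filter, application group, and custom app names equal to a decoder name and proposes an underscore-prefixed replacement. The sample lines are constructed, the line layout and scope prefixes are assumptions, and the decoder list is supplied by the caller (only "unknown" is taken from the article).

```python
import shlex

# Object kinds the article says must not share a name with a decoder.
KINDS = {"application-filter": "application filter",
         "application-group": "application group",
         "application": "custom app"}
# Optional scope prefix -> number of tokens it occupies (assumed layout).
SCOPES = {"shared": 1, "vsys": 2, "device-group": 2}

def defined_objects(set_lines):
    """Return [(kind, name)] for object definitions, ignoring rule references."""
    found = []
    for line in set_lines:
        try:
            tok = shlex.split(line)  # handles quoted names containing spaces
        except ValueError:
            continue  # unbalanced quotes: skip the malformed line
        if len(tok) < 3 or tok[0] != "set":
            continue
        i = 1 + SCOPES.get(tok[1], 0)  # step over the scope, if any
        if len(tok) > i + 1 and tok[i] in KINDS:
            entry = (KINDS[tok[i]], tok[i + 1])
            if entry not in found:
                found.append(entry)
    return found

def find_collisions(set_lines, decoder_names):
    """Return [(kind, name, suggested_name)] for names equal to a decoder name."""
    decoders = set(decoder_names)
    objects = defined_objects(set_lines)
    taken = {name for _, name in objects} | decoders
    hits = []
    for kind, name in objects:
        if name in decoders:
            new = "_" + name
            if new in taken:
                new = "__" + name  # one underscore is in use, try two
            hits.append((kind, name, new))
    return hits

# Constructed sample; only the decoder name "unknown" comes from the article.
SAMPLE = ["set application-filter unknown category unknown",
          "set vsys vsys1 application-group web-apps members [ web-browsing ssl ]",
          "set rulebase security rules Block-Unknown application unknown",
          "set shared application-filter _risky risk 5"]

if __name__ == "__main__":
    for kind, name, new in find_collisions(SAMPLE, ["unknown"]):
        print(f"{kind} '{name}' matches a decoder name; suggest '{new}'")
```

The third sample line is a rule that references the application "unknown", not an object definition, so it is not reported.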


Additional Information


  • Create a Security Policy Rule

    https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/create-a-security-policy-rule

 

