topic Re: Application incomplete or insufficient-data when using NNTPS in Next-Generation Firewall Discussions

Application incomplete or insufficient-data when using NNTPS

jorgenfrejso — Wed, 09 Nov 2022 15:25:29 GMT

Hello,

I have been working with Cisco firewalls for the last 20 years, but I'm very new with Palo Alto and PANOS.

At the moment I have a PA-460 in my lab for learning purpose.

It's a basic setup with just a simple NAT/PAT rule for outgoing traffic to Internet and some basic access rules.

Most things are working great, but I'm having some issues with a newsreader application (SABnzbd) that I'm running on a Synology NAS.

The newsreader application cannot download any files and in the traffic monitor, I see either incomplete or insufficient-data.

This application has been working without any issues when using a Cisco Firepower FTD firewall, so I am trying to figure out what can be wrong.

The newsreader is using TCP port 563 (which is the default port for NNTP protocol over TLS/SSL). If I change the port to 443, everything is working and I can now download files.

Does anyone know why I'm not able to use port 563 and how I can fix this?

Thanks

/Jorgen

Re: Application incomplete or insufficient-data when using NNTPS

MIST3R_VIRTS3C — Fri, 11 Nov 2022 22:27:35 GMT

Hi @jorgenfrejso , hope all is well! For next steps I would recommend setting up packet filters for the traffic in question and then collecting a packet capture and the global counters from the cli. You can use the following commands on the cli:

debug dataplane packet-diag set filter match source <synology ip> destination-port 563
debug dataplane packet-diag set filter match destination <synology ip> source-port 563
debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture stage receive file rxtx.pcap
debug dataplane packet-diag set capture stage transmit file rxtx.pcap
debug dataplane packet-diag set capture stage drop file dp.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture on

show counter global filter packet-filter yes

****Start Test Traffic***

debug dataplane packet-diag show filter-marked-session

show session id <id from above output>

show counter global filter packet-filter yes delta yes <------ Run this command once every 5-10 seconds for 3 intervals (or until the test is complete)

debug dataplane packet-diag set capture off

**copy the output from the global counters command to a notepad file**
download the packet captures from the gui by navigating to Monitor > Packet Capture
screenshots of your security policy rulebase would be helpful as well

Re: Application incomplete or insufficient-data when using NNTPS

jorgenfrejso — Sat, 12 Nov 2022 18:49:36 GMT

Hi @MIST3R_VIRTS3C Thank you for the suggestions.

I will try the packet filters as soon as I get access to my lab and I'll let you know the results.

/Jorgen

Re: Application incomplete or insufficient-data when using NNTPS

TomYoung — Sun, 13 Nov 2022 20:43:49 GMT

Hi @jorgenfrejso ,

You probably have your service in your security policy rules set to application-default. With any protocol that runs over TLS (LDAPS, NNTP, etc.), the protocol is encapsulated within TLS. Without decryption, the NGFW only sees TLS. The default port for the App-ID "ssl" is 443, and that is the only port that TLS will be allowed to pass through the NGFW if the service is set to application-default.

You can do a quick test. Change the service to any and see if it works.

If you enable logging on the interzone-default rule, you should see the traffic hit that rule under Monitor > Logs > Traffic. Just like the other firewalls you have experience, if it hits the default drop then it didn't match any rules.

Note: Monitor > Logs > Traffic only shows sessions that have ended if you have Log at Session End configured for your rules, which is the best practice. Active sessions are found under Monitor > Session Browser. If you do not have any logging configured for rules, they will not show up under the Monitor tab.

Thanks,

Tom

Re: Application incomplete or insufficient-data when using NNTPS

jorgenfrejso — Tue, 15 Nov 2022 12:49:15 GMT

Thanks Tom,

You are probalby right about the security policy rules is set to application-default. I noticed a similair issue with IMAP over SSL. I will test to change it to any and let you know the result.

/Jorgen

Re: Application incomplete or insufficient-data when using NNTPS

jorgenfrejso — Tue, 15 Nov 2022 14:57:56 GMT

I can confirm that NNTPS and IMAP over SSL are working when change the service from application-default to any.

I also noticed the option to specify custom applications and ports but is there a way to add ports to the application-default? Or can I make a clone of it and add the ports I need?

Thanks

/Jorgen

Re: Application incomplete or insufficient-data when using NNTPS

TomYoung — Tue, 15 Nov 2022 15:06:18 GMT

Hi @jorgenfrejso ,

You are correct. You cannot have a rule with application-default and specific ports. You are also correct that it is a good idea to clone the rule and have 2 rules - 1 with application default and 1 with specific ports. In this case since "ssl" only has the default port of tcp/443, I would change application-default to those 3 ports - tcp/443, tcp/563, and tcp/993.

If you left the rule with "ssl" and any for the services, the security rule would allow a few packets on all ports until the application is identified. This method is the least secure.

Thanks,

Tom