https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537118#M110303 <P>Any Ideas as to why it would have so many hits on this rule? All the traffic hitting this rule is unable to identify the application.&nbsp;</P> Thu, 30 Mar 2023 15:31:13 GMT DuggiFresh 2023-03-30T15:31:13Z https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/536835#M110259 <P><SPAN>Its getting a lot of hits, I setup Application filter for new app IDs and added them to their own Security Policy rule. Does this look correctly? Im confused as to why its getting so many hits.&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DuggiFresh_0-1680043214733.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49076i688CBCBEE94C9081/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="DuggiFresh_0-1680043214733.png" alt="DuggiFresh_0-1680043214733.png" /></span></P> <P>&nbsp;</P> Tue, 28 Mar 2023 22:40:30 GMT https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/536835#M110259 DuggiFresh 2023-03-28T22:40:30Z https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537118#M110303 <P>Any Ideas as to why it would have so many hits on this rule? All the traffic hitting this rule is unable to identify the application.&nbsp;</P> Thu, 30 Mar 2023 15:31:13 GMT https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537118#M110303 DuggiFresh 2023-03-30T15:31:13Z https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537120#M110305 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/247570">@DuggiFresh</a>,</P> <P>Gonna go out on a limb and say that this is the first app-id based rule that you have in your rulebase? If that's the case, that'll match a whole lot of traffic as the firewall needs to allow enough traffic to identify the application. As soon as the application is identified, the firewall will reanlyze the rulebase and pass the traffic to the corresponding entry.</P> <P>&nbsp;</P> <P>As long as this is the first app-id based rule that is in your rulebase, or is the first for at least a subset of your users, this is expected behavior.&nbsp;</P> Thu, 30 Mar 2023 15:40:59 GMT https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537120#M110305 BPry 2023-03-30T15:40:59Z https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537121#M110306 <P>All outgoing connections that don't get past TCP 3way handshake will match your New Apps rule.</P> <P>Find application that you permit out anyway and add rule above it to collect all incompletes.</P> <P>Example below with traceroute.</P> <P>&nbsp;</P> <P>Source - inside</P> <P>Destination - outside</P> <P>Application - traceroute</P> <P>Service - any</P> <P>Action - allow</P> <P>&nbsp;</P> <P>This will collect all incomlete sessions and your chosen app and keep New Apps rule clean.</P> Thu, 30 Mar 2023 15:49:04 GMT https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537121#M110306 Raido_Rattameister 2023-03-30T15:49:04Z https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537122#M110307 <P>So this rule should be near the bottom of my policies, below my identified apps? I have my applications identified in my policies.</P> Thu, 30 Mar 2023 15:55:14 GMT https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537122#M110307 DuggiFresh 2023-03-30T15:55:14Z https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537125#M110308 <P>New Apps rule should be before any of other outgoing rules if you want to have correct reporting.</P> <P>If you want to keep New Apps rule log clean you need to add incomplete collector rule above it according to my example from previous post.</P> Thu, 30 Mar 2023 15:57:55 GMT https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537125#M110308 Raido_Rattameister 2023-03-30T15:57:55Z https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537126#M110309 <P>Thank you, Do I need new app ID rule for Inside to inside?&nbsp;</P> Thu, 30 Mar 2023 16:07:55 GMT https://live.paloaltonetworks.com/t5/general-topics/is-new-app-id-rule-setup-correctly/m-p/537126#M110309 DuggiFresh 2023-03-30T16:07:55Z