https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24257#M17681 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have a PA 2050 device that is configured to allow specified traffic (multiple rules) and one rule that deny all other traffic (at the bottom).</P><P></P><P>When looking at the "Deny all" rule, I can see a lot of packets that should be allowed by specific rules above that are denied with no data (see screenshot bellow). Is it normal ? And what does it mean that some packets have no bytes received and no bytes sent ? </P><P></P><P>Regards,</P><P></P><P>Laurent</P></BODY></HTML> Fri, 09 Dec 2011 11:10:29 GMT ldormond 2011-12-09T11:10:29Z https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24257#M17681 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have a PA 2050 device that is configured to allow specified traffic (multiple rules) and one rule that deny all other traffic (at the bottom).</P><P></P><P>When looking at the "Deny all" rule, I can see a lot of packets that should be allowed by specific rules above that are denied with no data (see screenshot bellow). Is it normal ? And what does it mean that some packets have no bytes received and no bytes sent ? </P><P></P><P>Regards,</P><P></P><P>Laurent</P></BODY></HTML> Fri, 09 Dec 2011 11:10:29 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24257#M17681 ldormond 2011-12-09T11:10:29Z https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24258#M17682 <HTML><HEAD></HEAD><BODY><P>Yes, that is normal behavior.&nbsp; Your PA2050 will drop all packets that do not meet your explicitly allowed rules.&nbsp; Those packets may be the 1st SYN packet of a TCP handshake where the byte count is recorded as zero.</P><P></P><P>An explanation can be found here:</P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1549">https://live.paloaltonetworks.com/docs/DOC-1549</A></P><P></P><P>Thanks.</P></BODY></HTML> Tue, 13 Dec 2011 11:41:16 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24258#M17682 rmonvon 2011-12-13T11:41:16Z https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24259#M17683 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for your answer, however if you look at the "application" collumn, you can see that this is not one of the three definition tht you provided me, but "unknown-tcp".</P><P></P><P>Furthermore, as I said in my first post above, there are explicit specific rules for this traffic.</P><P></P><P>Regards,</P><P></P><P>Laurent</P></BODY></HTML> Tue, 13 Dec 2011 15:33:46 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24259#M17683 ldormond 2011-12-13T15:33:46Z https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24260#M17684 <HTML><HEAD></HEAD><BODY><P>Hi Laurent...My previous post was to answer the app=not-applicable where&nbsp; the bytes=zero.&nbsp; Unknown-tcp means the TCP traffic does not match any of our AppID signatures so the application is unknown.&nbsp; </P><P></P><P>Tthe traffic must have matched the&nbsp; TCP/UDP ports for your explicit rules but it does not match the&nbsp; applications that you specifically defined in those rules.&nbsp; However, the PA device does not have an app signature for the traffic and classified it as unknown-tcp.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 13 Dec 2011 17:59:24 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-with-no-data-is-denied/m-p/24260#M17684 rmonvon 2011-12-13T17:59:24Z