<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Unknown-tcp in application based policy logs !! in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2780#M2076</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The user guide is wrong. We can get that cleaned up. The application you are overriding to (custom or otherwise) should have a value specified as the default port. This is what "app-default" will use. Alternatively, you should put the specific port you want in the Service column. Otherwise, the system will allow traffic on other ports until it determines if it matches the specified app. For the override to work properly, the port in the override rule should match the port in the default port field of the app or a port explicitly configured in the service column.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 23 Jul 2010 16:20:55 GMT</pubDate>
    <dc:creator>mjacobsen</dc:creator>
    <dc:date>2010-07-23T16:20:55Z</dc:date>
    <item>
      <title>Unknown-tcp in application based policy logs !!</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2775#M2071</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am using PAN-OS 3.0.9, and I have configured some policies in which I allow some applications defined by application override. I noticed that in the logs associated with these policies, there are lines that are identified as "unknown-tcp" with action "allow" and type "end". Is this normal?&lt;/P&gt;&lt;P&gt;Normally the firewall should not allow these connections because they are not part of the application override, and should only allow these applications.&lt;/P&gt;&lt;P&gt;Any explanations please.&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 19 Jul 2010 12:28:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2775#M2071</guid>
      <dc:creator>asia</dc:creator>
      <dc:date>2010-07-19T12:28:08Z</dc:date>
    </item>
    <item>
      <title>Re: Unknown-tcp in application based policy logs !!</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2776#M2072</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If there is traffic that is coming through the Palo Alto device that was not caught by the application override, that indicates that your application override rule does not include the criteria for this traffic, i.e. port, source/destination IP, etc.&lt;/P&gt;&lt;P&gt;Also, if you are seeing sessions in the traffic log for unknown-tcp, that same log tells you the specific rule that is allowing this traffic.&lt;/P&gt;&lt;P&gt;Also make sure that you do not have an allow-all rule somewhere in your rule set that covers criteria that your application override rule does not.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Stephen Whyte&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 19 Jul 2010 21:01:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2776#M2072</guid>
      <dc:creator>swhyte</dc:creator>
      <dc:date>2010-07-19T21:01:43Z</dc:date>
    </item>
    <item>
      <title>Re: Unknown-tcp in application based policy logs !!</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2777#M2073</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In my case, the logs mention the same rule that allows the applications defined by application override. Normally, the rule must allow only the ports/IPs mentioned in the application override rule. And there is no other rule that allows the traffic marked as unknown-tcp.&lt;/P&gt;&lt;P&gt;Any other idea please?&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 Jul 2010 11:29:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2777#M2073</guid>
      <dc:creator>asia</dc:creator>
      <dc:date>2010-07-20T11:29:25Z</dc:date>
    </item>
    <item>
      <title>Re: Unknown-tcp in application based policy logs !!</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2778#M2074</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What ports are being allowed in the service column of the security rule? Can you provide a little more detail on the override rule and security rule configuration as well as the details of the unknown traffic (particularly the destination port)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 Jul 2010 15:07:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2778#M2074</guid>
      <dc:creator>mjacobsen</dc:creator>
      <dc:date>2010-07-20T15:07:29Z</dc:date>
    </item>
    <item>
      <title>Re: Unknown-tcp in application based policy logs !!</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2779#M2075</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In the service column I allow "any" service; in the admin guide it is recommended not to use "use application default" for user-defined applications. The destination ports marked as unknown-tcp are various (internal development applications) and different from those defined in the application default ports definition and those defined in the application override rule.&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 21 Jul 2010 08:13:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2779#M2075</guid>
      <dc:creator>asia</dc:creator>
      <dc:date>2010-07-21T08:13:36Z</dc:date>
    </item>
    <item>
      <title>Re: Unknown-tcp in application based policy logs !!</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2780#M2076</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The user guide is wrong. We can get that cleaned up. The application you are overriding to (custom or otherwise) should have a value specified as the default port. This is what "app-default" will use. Alternatively, you should put the specific port you want in the Service column. Otherwise, the system will allow traffic on other ports until it determines if it matches the specified app. For the override to work properly, the port in the override rule should match the port in the default port field of the app or a port explicitly configured in the service column.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 23 Jul 2010 16:20:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/uknown-tcp-in-application-based-policy-logs/m-p/2780#M2076</guid>
      <dc:creator>mjacobsen</dc:creator>
      <dc:date>2010-07-23T16:20:55Z</dc:date>
    </item>
  </channel>
</rss>

