https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28758#M20992 <HTML><HEAD></HEAD><BODY><P>Does "Unknown-udp" Appl. allow any UDP Packets?</P><P></P><P>I did not find any app and would like to allow UDP only.</P><P>Roman</P></BODY></HTML> Wed, 24 Sep 2014 11:36:32 GMT rkra 2014-09-24T11:36:32Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28758#M20992 <HTML><HEAD></HEAD><BODY><P>Does "Unknown-udp" Appl. allow any UDP Packets?</P><P></P><P>I did not find any app and would like to allow UDP only.</P><P>Roman</P></BODY></HTML> Wed, 24 Sep 2014 11:36:32 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28758#M20992 rkra 2014-09-24T11:36:32Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28759#M20993 <HTML><HEAD></HEAD><BODY><P>The app-id "unknown-udp" can be used to allow/block UDP traffic that did not match any other application signature. That does not mean all UDP traffic.</P><P></P><P>If you want to allow all UDP traffic,you should create a service object containing the port range 1-65535.</P></BODY></HTML> Wed, 24 Sep 2014 11:53:34 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28759#M20993 torm 2014-09-24T11:53:34Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28760#M20994 <HTML><HEAD></HEAD><BODY><P>Hello Roman,</P><P></P><P>In case of any UDP based Application traffic, The PAN firewall will allow few packets in each direction <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>Client-Server and Server-Client) to identify/match the application signature App-ID. Ideally, it will be minimum 4 packets or 2000 bytes. Till that time, the PAN will identify that traffic as "Unknown-UDP" and allow it through. As soon as the application identified by PAN FW<SPAN class="GINGER_SOFTWARE_mark">,</SPAN>the&nbsp; appropriate policy/rule will be applied to that traffic.</P><P></P><P>Reference DOC:</P><P> <A href="https://live.paloaltonetworks.com/docs/DOC-6139">How to Verify the Application Name Change from Unknown-tcp/udp to Actual App-ID</A></P><P><A href="https://live.paloaltonetworks.com/message/27272">unknown</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 24 Sep 2014 12:01:38 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28760#M20994 HULK 2014-09-24T12:01:38Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28761#M20995 <HTML><HEAD></HEAD><BODY><P>Hello Roman,</P><P></P><P>As <STRONG style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1416" data-externalid="" data-presence="null" data-userid="5160" data-username="torm" href="https://live.paloaltonetworks.com/people/torm" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;"><SPAN class="GINGER_SOFTWARE_mark">torm</SPAN></A></STRONG> said, if you want to allow all UDP traffic, you may create a custom service profile and allow all applications in a "<SPAN class="GINGER_SOFTWARE_mark">security</SPAN> Rule".</P><P>NOTE: UDP is not an application, it's a Transport layer protocol used to application traffic. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P> <IMG alt="UDP-service.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15724_UDP-service.jpg" style="height: 449px; width: 620px;" /></P><P><IMG alt="UDP-service-policy.jpg" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15725_UDP-service-policy.jpg" style="height: 23px; width: 620px;" /></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 24 Sep 2014 12:12:08 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28761#M20995 HULK 2014-09-24T12:12:08Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28762#M20996 <HTML><HEAD></HEAD><BODY><P>Hi RKRA,</P><P></P><P>When UDP packets hit firewall, firewall allows initial few UDP Packets. After that it may determine application based on packet content.</P><P></P><P>Sometimes, firewall is not able to determine application because packets doesn't match existing decoder. </P><P></P><P>In such scenario firewall identifies stream as "unknown-udp".</P><P></P><P>You dont need to allow "unknown-udp" for any UDP traffic.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 24 Sep 2014 13:09:55 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28762#M20996 hshah 2014-09-24T13:09:55Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28763#M20997 <HTML><HEAD></HEAD><BODY><P>Hello Hardik,</P><P></P><P>Just FYI. All applications are not having Decoder. Hence, <SPAN class="GINGER_SOFTWARE_mark">i</SPAN> don't think it is not necessary to match decoder to identify an Application. </P><P></P><P>Thanks</P></BODY></HTML> Wed, 24 Sep 2014 13:15:32 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28763#M20997 HULK 2014-09-24T13:15:32Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28764#M20998 <HTML><HEAD></HEAD><BODY><P>Hi HULK,</P><P></P><P>By decoder I mean application signature.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 24 Sep 2014 13:16:35 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28764#M20998 hshah 2014-09-24T13:16:35Z https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28765#M20999 <HTML><HEAD></HEAD><BODY><P>Hi Roman,</P><P></P><P>Question to your answer is Yes. If you don't have a policy that is not denying "unknown-udp" application, firewall will allow it. In Monitor tab, you will source and destination address and application as "Unknown-UDP". It simply means firewall did not have signature for the packets it was seeing. You can also deny it by denying "unknown-udp" in security policy but is however configurable and is based on your requirement. Hope that helps. </P></BODY></HTML> Wed, 24 Sep 2014 13:22:49 GMT https://live.paloaltonetworks.com/t5/general-topics/does-quot-unknown-udp-quot-app-allow-any-udp-packets/m-p/28765#M20999 ssharma 2014-09-24T13:22:49Z