topic Re: Traffic log showing "attempted" rules in General Topics

Traffic log showing "attempted" rules

MMCiobanu — Wed, 19 Mar 2014 18:05:48 GMT

Hi,

I have a few security policies (below) and did some testing on them, and found the traffic log displaying some interesting results; I have an idea of why this shows up in the log, but may be somebody more experienced can confirm.

I have a rule that allows DNS application, any port:

and a rule below that allows any outbound traffic:

When looking at the traffic log, it looks like traffic to port 80, 443, for tries the DNS rule and application status is Incomplete, then it closes the session with the second rule, which is the one actually allowing the traffic.

If, on the DNS rule I specify both, the application and the port numbers - TCP 53 and UDP 53, traffic to other ports are not showing as attempting this rule anymore and going straight to the second rule.

Can somebody explain this behaviour, please?

Re: Traffic log showing "attempted" rules

jdelio — Fri, 21 Mar 2014 14:27:58 GMT

You have to first understand how App-ID works, then you will understand what is going on here.

Notice how the application is "incomplete" at first? This means that there was not enough data to determine what application was in use, normally this means the handshake (Syn, Syn-Ack, Ack) has happened, or less, but no real data has been sent. Until that happens, the application is "incomplete" or "unknown". Because of this, it will take the first rule that it can, to start the connection, but as soon as the application can be determined, then it will drop to the rule that matches the Application in use.

I hope that makes sense.

Re: Traffic log showing "attempted" rules

MMCiobanu — Fri, 21 Mar 2014 14:51:50 GMT

Thank you;

Yes, it does make sense; I had an idea that this was happening, now it is confirmed;

Thanks again!