https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32670#M23932 <HTML><HEAD></HEAD><BODY><P>Hello Jared,</P><P></P><P>I think any session based firewall will <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> match the ICMP session based on ICMP Identifier, and the ICMP Sequence, to create the sessions. Hence, ideally there will be no default port for ICMP protocol, ultimately it will be "ANY".</SPAN></P><P></P><P>Thanks</P></BODY></HTML> Tue, 13 May 2014 02:02:11 GMT HULK 2014-05-13T02:02:11Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32667#M23929 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>I have the same problem with incomplete application.</P><P></P><P>!Public zone! &lt;====&gt; PAN Firewall &lt;====&gt; INSIDE Firewall &lt;-----&gt; Server IP.</P><P></P><P>I have nated Server IP to Public ip, and configure rule like the below.</P><P></P><P>Name: (Ping) ; Src zone: (public); Src: (any); Dst zone: (any) ; Dst (any); Appliccation: (icmp, ping) ; Action: (ALLOW);</P><P></P><P>I monitor traffic on PAN Firewall, I saw the traffic : Application is INCOMPLETE and action is ALLOW corresponding to the above "Ping" rule, and on my INSIDE Firewall, I also saw the traffic with the same public IP address to my server.</P><P></P><P>I real don't know why is traffic pass into my INSIDE Firewall.</P><P></P><P>Please help me to deny all of incomplete traffic.</P><P></P><P>Thanks so much.</P></BODY></HTML> Tue, 13 May 2014 01:40:16 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32667#M23929 Register_Security 2014-05-13T01:40:16Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32668#M23930 <HTML><HEAD></HEAD><BODY><P>Did you permit ping on "any" service/port?&nbsp; You should never use "any" for service/port on incoming rules.&nbsp; You should only use "application-default" or a specified port.</P></BODY></HTML> Tue, 13 May 2014 01:46:46 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32668#M23930 jvalentine 2014-05-13T01:46:46Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32669#M23931 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It's looking like a routing issue for me. Let me know if <SPAN class="GINGER_SOFTWARE_mark">i</SPAN> understand it correctly.</P><P></P><P></P><P><STRONG>NAT Policy</STRONG><STRONG>:</STRONG> </P><P>Source-zone=Public Zone, </P><P>Destination-zone= Public zone</P><P>Destination IP address: Public IP address</P><P>NAT destination translation= Private address of the Server</P><P></P><P><STRONG>Security Policy:</STRONG></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Source-zone=Public Zone, </SPAN></P><P>Destination-zone= Inside Zone <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>LAN)</P><P></P><P><STRONG>Routing:</STRONG></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">a) Default gateway on PAN FW pointing towards Public zone ISP router.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">b) Server's Private IP address &gt;&gt;&gt;pointing towards next hop to INSIDE FW</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks<BR /></SPAN></P></BODY></HTML> Tue, 13 May 2014 01:56:49 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32669#M23931 HULK 2014-05-13T01:56:49Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32670#M23932 <HTML><HEAD></HEAD><BODY><P>Hello Jared,</P><P></P><P>I think any session based firewall will <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> match the ICMP session based on ICMP Identifier, and the ICMP Sequence, to create the sessions. Hence, ideally there will be no default port for ICMP protocol, ultimately it will be "ANY".</SPAN></P><P></P><P>Thanks</P></BODY></HTML> Tue, 13 May 2014 02:02:11 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32670#M23932 HULK 2014-05-13T02:02:11Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32671#M23933 <HTML><HEAD></HEAD><BODY><P>Thanks Hulk, I wonder how I block all of incomplete application.</P><P></P><P>Hi Jared,</P><P>I don't know where to configure application-default, please shared your idea in this case.</P><P>Thanks so much.</P></BODY></HTML> Tue, 13 May 2014 02:41:17 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32671#M23933 Register_Security 2014-05-13T02:41:17Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32672#M23934 <HTML><HEAD></HEAD><BODY><P>Please post a screenshot of the security policy that permits ping. </P></BODY></HTML> Tue, 13 May 2014 04:22:52 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32672#M23934 jvalentine 2014-05-13T04:22:52Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32673#M23935 <HTML><HEAD></HEAD><BODY><P>Hi all</P><P>for me it's look like a routing issue or something avoid the return of ping echo.</P><P>if you you want to deny incomplete flow, you need to let pass the first packet icmp in your case and wait for an response that cross again the firewall to be define as ping application however if the response is not seen then the flow will be categorize as incomplete. </P><P>in fact you cannot block incomplete flaw in your case unless you deny ping application or if you resolve your routing issue.</P></BODY></HTML> Tue, 13 May 2014 08:54:36 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-incomplete-application/m-p/32673#M23935 Gregoux 2014-05-13T08:54:36Z