topic Re: Application is Incomplete in General Topics

Application is Incomplete

rbrogdon — Fri, 02 Jul 2010 20:41:05 GMT

In the monitor log, what does it mean when it shows Incomplete under the Application?

I am blocking incoming RDP and everything works fine (Action = Deny) as long as it sees it as MS-RDP or T.120 but I am seeing some traffic shown as Action = Allow on port 3389 when Application = Incomplete.

How would I block take traffic?

Re: Application is Incomplete

swhyte — Fri, 02 Jul 2010 21:07:52 GMT

Hello,

incomplete means that either the three way tcp handshake did not complete or the three way tcp handshake did complete but there was not enough data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the paloalto device creates a session for that syn, but the server never sends a syn ack in response back to the client, then that session would be seen as incomplete.

Regarding your second question, you do still have the option to block the port/service completely on the pan device.

thank you,

Stephen

Re: Application is Incomplete

rbrogdon — Tue, 06 Jul 2010 16:23:30 GMT

You state that I do still have the option to block the port/service completely on the pan device, question is how? I can't block it based in application so do I have to add a new service with the port 3389 and then use that to specify the block?

Re: Application is Incomplete

mjacobsen — Tue, 06 Jul 2010 20:18:55 GMT

In order to block all packets (even before App-ID is done), you would put the desired ports into a service and add that to a deny rule. However, if you are trying to allow RDP on 3389, then this will not work. The incomplete sessions are showing you that an initial connection came up but stopped during or immediately after the TCP handshake. You can't block the TCP handshake and also allow an app on the same port.

Mike

Re: Application is Incomplete

psimilien_1 — Tue, 30 Aug 2011 15:56:14 GMT

So how do you fix the handshake issue with TCP droping on RDP session?

Re: Application is Incomplete

Colp — Wed, 05 Oct 2011 15:42:29 GMT

I'm having a similar issue. Some of our camera monitoring system traffic is showing as incomplete, the rest is showing as a threat from abnormal extra data and is being blocked. As soon as we block the port we lose our cameras, but if we leave them up we constantly get incompletes in the monitor and 43,000+ daily hits as a threat.