https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4286#M3168 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>So you are saying that I can specify applications as well as port numbers in a single rule?? I had an issue, admittedly on a differnet os version, that it would not see the service ports or the applications when using them in the same rule - Cant remember which one. I ended up creating 2 differnet rules.</P></BODY></HTML> Fri, 28 Jan 2011 08:48:11 GMT hallk 2011-01-28T08:48:11Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4278#M3160 <HTML><HEAD></HEAD><BODY><P>I am currently only allowing ssl and web-browsing applications to a specific server. If I do a "telnet x.x.x.x 3389" it connects even though the rule should not allow this. I would think that the application filter is unable to block this due to the application coming up as insufficient-data or incomplete.</P><P>How do I block this??</P></BODY></HTML> Thu, 27 Jan 2011 13:47:57 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4278#M3160 hallk 2011-01-27T13:47:57Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4279#M3161 <HTML><HEAD></HEAD><BODY><P>Hi There,</P><P></P><P>Probably once the telnet is sucessful no further commands can be initiated as the application telnet will be picked up - it is not always immediate, since you need a little info to identify the application.&nbsp; It would be worth checking this doc out:</P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1628">https://live.paloaltonetworks.com/docs/DOC-1628</A></P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Thu, 27 Jan 2011 14:00:15 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4279#M3161 James 2011-01-27T14:00:15Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4280#M3162 <HTML><HEAD></HEAD><BODY><P>Hi James</P><P></P><P>Thanks for the reply, however we were able to run a couple of commands and get some info. The logs showed the app as either incomplete or insufficient-data during the running of these commands.</P></BODY></HTML> Thu, 27 Jan 2011 14:18:58 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4280#M3162 hallk 2011-01-27T14:18:58Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4281#M3163 <HTML><HEAD></HEAD><BODY><P>Hi Hallk,</P><P>are you using "any" in the Service field for web-browsing and ssl applications?</P><P></P><P>If so, it can be beneficial to specify specific or default ports for the applications being allowed. If the service is defined as “any” , all sessions must be allowed to start so the system can see if the correct application is running on them. If the service is anything but “any” , then many unwanted connections can be dropped immediately.If the traffic and resulting application does not match any rule, the session will be dropped.</P></BODY></HTML> Thu, 27 Jan 2011 14:29:45 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4281#M3163 migration 2011-01-27T14:29:45Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4282#M3164 <HTML><HEAD></HEAD><BODY><P>Then I would probably need to see your complete rulebase to find the answer - can you see which rule the traffic is hitting?&nbsp; Is it the one you expected?</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Thu, 27 Jan 2011 14:33:50 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4282#M3164 James 2011-01-27T14:33:50Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4283#M3165 <HTML><HEAD></HEAD><BODY><P>Also a concern is that you are able to run port scan and the report will tell you what ports the box is listening on.</P></BODY></HTML> Thu, 27 Jan 2011 14:59:43 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4283#M3165 hallk 2011-01-27T14:59:43Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4284#M3166 <HTML><HEAD></HEAD><BODY><P>This depends on your configuration.&nbsp; Maybe you need to be in contact with your local SE to spend some time with you on these tests?</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Thu, 27 Jan 2011 15:22:28 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4284#M3166 James 2011-01-27T15:22:28Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4285#M3167 <HTML><HEAD></HEAD><BODY><P>It is hitting a rule allowing web-browsing and ssl aplications.</P><P>TCP 3389 is definitely not allowed on any rules.</P></BODY></HTML> Fri, 28 Jan 2011 08:39:41 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4285#M3167 hallk 2011-01-28T08:39:41Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4286#M3168 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>So you are saying that I can specify applications as well as port numbers in a single rule?? I had an issue, admittedly on a differnet os version, that it would not see the service ports or the applications when using them in the same rule - Cant remember which one. I ended up creating 2 differnet rules.</P></BODY></HTML> Fri, 28 Jan 2011 08:48:11 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4286#M3168 hallk 2011-01-28T08:48:11Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4287#M3169 <HTML><HEAD></HEAD><BODY><P>Hi There,</P><P></P><P>I am not sure where you saw the problem - but you can indeed use the application and service column for "extra" security in the same rule.&nbsp; This will mean the application must ONLY run over the ports you have defined in the service column, which maybe custom or the application-default setting.</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Fri, 28 Jan 2011 10:41:46 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4287#M3169 James 2011-01-28T10:41:46Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4288#M3170 <HTML><HEAD></HEAD><BODY><P>Thanks guys. Will do this and get the audit team to test again.</P></BODY></HTML> Fri, 28 Jan 2011 13:00:20 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4288#M3170 hallk 2011-01-28T13:00:20Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4289#M3171 <HTML><HEAD></HEAD><BODY><P>Thanks for the help. Tested and works perfectly.</P></BODY></HTML> Fri, 28 Jan 2011 14:13:25 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4289#M3171 hallk 2011-01-28T14:13:25Z https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4290#M3172 <HTML><HEAD></HEAD><BODY><P>Good news <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>You may want to look into zone protection, if your trying to protect against reconaissance too.</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Sat, 29 Jan 2011 16:04:13 GMT https://live.paloaltonetworks.com/t5/general-topics/insufficient-data-incomplete-application-in-logs-but-still/m-p/4290#M3172 James 2011-01-29T16:04:13Z