https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43402#M31840 <HTML><HEAD></HEAD><BODY><P>Hello mikand,</P><P></P><P>Thanks for reply. </P><P></P><P>As you wrote "insufficient-data' means that is not enough data packets for identifying the application. I think insufficient-data, not to be identified app-id, was undecided application on session browser.</P><P></P><P>However in my case, UNDECIDED traffic had got so many packets and data exceed over about 1.3GB on session browser. Its traffic could be insufficient-data? I suspect that.</P><P></P><P>When captured PCAPs, the traffic was recognized NFS protocol on wireshark.</P><P></P><P>Thanks.</P><P>Regards.</P><P>Roh.</P></BODY></HTML> Wed, 04 Jul 2012 07:37:18 GMT ttongfly 2012-07-04T07:37:18Z https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43400#M31838 <HTML><HEAD></HEAD><BODY><P>Hello guys.</P><P></P><P>I have some question about APP-ID.</P><P></P><P>For session browser, PAN recognized application was UNDECIDED and traffic was passed and state was ACTIVE. so traffic was not dropped but why PAN could not recognized application properly and recognizing UNDECIDED that means PAN could not identified APP-ID for its traffic.</P><P></P><P>1. Why PAN could not recognized properly app-id and session browser showed app-id was UNDECIDED?</P><P>2. What is UNDECIDED mean exactly on session browser?</P><P>3. UNDECIDED application traffic has got a so many packets (of course this traffic over the 7 packets that could do identifying app-id)&nbsp; and bytes. so I think PAN should recognize this traffic as a proper app-id.</P><P></P><P>Please let me know why did PAN recognize UNDECIDE as a app-id on session browser.</P><P></P><P>Thanks.</P><P>Regards.</P><P>Roh.</P></BODY></HTML> Wed, 04 Jul 2012 05:38:29 GMT https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43400#M31838 ttongfly 2012-07-04T05:38:29Z https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43401#M31839 <HTML><HEAD></HEAD><BODY><P>Undecided?</P><P></P><P>According to the admin guide an app can be "unknown" where the reason can be either "incomplete" or "insufficient-data".</P><P></P><P>Where "incomplete" means that a handshake took place but no data packets were sent prior to the timeout.</P><P></P><P>And "insufficient-data" means that a handshake took place followed by one or more data packets. However not enough data packets were exchanged to identify the application.</P><P></P><P>To fix this you can either create a custom appid or contact PA to make it into the common appid database:</P><P></P><P>You can request app enhancement from the Apps and Threats Research Center.</P><P></P><P><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/researchcenter/tools/">http://www.paloaltonetworks.com/researchcenter/tools/</A></P><P></P><P>From there you can click on Submit an app and provide details there.</P><P></P><P>In your case to answer why the PA didnt identify your traffic you would need to provide either the forum, or better, the appid request team with a pcap.</P></BODY></HTML> Wed, 04 Jul 2012 06:15:09 GMT https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43401#M31839 mikand 2012-07-04T06:15:09Z https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43402#M31840 <HTML><HEAD></HEAD><BODY><P>Hello mikand,</P><P></P><P>Thanks for reply. </P><P></P><P>As you wrote "insufficient-data' means that is not enough data packets for identifying the application. I think insufficient-data, not to be identified app-id, was undecided application on session browser.</P><P></P><P>However in my case, UNDECIDED traffic had got so many packets and data exceed over about 1.3GB on session browser. Its traffic could be insufficient-data? I suspect that.</P><P></P><P>When captured PCAPs, the traffic was recognized NFS protocol on wireshark.</P><P></P><P>Thanks.</P><P>Regards.</P><P>Roh.</P></BODY></HTML> Wed, 04 Jul 2012 07:37:18 GMT https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43402#M31840 ttongfly 2012-07-04T07:37:18Z https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43403#M31841 <HTML><HEAD></HEAD><BODY><P>Have you tried putting NFS protocol/App on your block list/filter?. Then try capturing sessions if "undecided" still shows up.</P></BODY></HTML> Fri, 06 Jul 2012 00:02:56 GMT https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/43403#M31841 Kali 2012-07-06T00:02:56Z https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/594747#M118377 <P><STRONG>Security Rule Behavior with Applications Allowed with Service 'Any'</STRONG><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVmCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVmCAK</A><BR /><BR /><STRONG>Why do Sessions Show Application "Undecided" When in ACTIVE State but have an App When Moved to DISCARD State?</STRONG><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLK0CAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLK0CAO</A><BR /><BR />These are the ones that helped me to understand it!</P> Tue, 13 Aug 2024 13:31:25 GMT https://live.paloaltonetworks.com/t5/general-topics/about-undecided-application/m-p/594747#M118377 paulocamargoagility 2024-08-13T13:31:25Z