https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78268#M42878 <P>Hi</P> <P>&nbsp;</P> <P>If the application can be identified by matching a string of characters in the session a custom app with a custom signature would do the trick</P> <P>If the traffic has no identifyable markers, an app override would allow you to set the application manually. the app override rule can have address objects both as source and destination. these address objects can be a single IP, a subnet or an IP range</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>please check out these articles:</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Custom-applications-and-app-override/ta-p/71635" target="_blank">Getting Started: Custom applications and app override</A></P> <P><A href="https://live.paloaltonetworks.com/t5/Videos/How-to-Configure-a-Custom-App-ID/ta-p/55815" target="_self"> How to Configure a Custom App-ID</A></P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Pro-Tips-Unknown-Applications/ta-p/77052" target="_blank"> Pro-Tips: Unknown Applications </A></P> Wed, 18 May 2016 07:10:49 GMT reaper 2016-05-18T07:10:49Z https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78256#M42875 <P>I have&nbsp; a Dell Equalogic SAN that is replication to an offsite location. The traffic is sent over via a VPN tunnel (Certificate based). This traffic is being reported as unknown tcp. I can verify that the traffic in question is in fact the SAN traffic as the source and destination matches.&nbsp;I also read that the PA normally flags certificate based VPN as unknown. I need to get this traffic reported as a correct application as unknown is hard to manage and add to the fact that PA recommends blocking unknown TCP traffic. I also need to create a QoS rule so that this traffic is provided a higher priority.&nbsp;</P> <P>&nbsp;</P> <P>I believe what I am needing to create is an Application override based on some of the articles here. Assuming this is correct and will provide me with the requirements; I need to have several IP addresses in this policy. Can I create an application group with a subnet; for example, all SAN traffic is outbound on 10.0.52.x (10.0.52.1-10.0.52-9) or do I have to create the group with each IP address?</P> <P>&nbsp;</P> <P>If this is not the ideal solution or will not provide the results I am seeking, can you provide me with the KB or solution that would?&nbsp; Thank you.</P> Tue, 17 May 2016 21:58:17 GMT https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78256#M42875 jharlow 2016-05-17T21:58:17Z https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78268#M42878 <P>Hi</P> <P>&nbsp;</P> <P>If the application can be identified by matching a string of characters in the session a custom app with a custom signature would do the trick</P> <P>If the traffic has no identifyable markers, an app override would allow you to set the application manually. the app override rule can have address objects both as source and destination. these address objects can be a single IP, a subnet or an IP range</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>please check out these articles:</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Custom-applications-and-app-override/ta-p/71635" target="_blank">Getting Started: Custom applications and app override</A></P> <P><A href="https://live.paloaltonetworks.com/t5/Videos/How-to-Configure-a-Custom-App-ID/ta-p/55815" target="_self"> How to Configure a Custom App-ID</A></P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Pro-Tips-Unknown-Applications/ta-p/77052" target="_blank"> Pro-Tips: Unknown Applications </A></P> Wed, 18 May 2016 07:10:49 GMT https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78268#M42878 reaper 2016-05-18T07:10:49Z https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78322#M42905 <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I created a new application and configured the settings to idenfity any traffic that is using port 3260 (tcp/3260); however, I am still seeing "unknown-tcp" in the monitor logs. I do not believe I can use a signature or at least in the examples I found as the data is encrypted (IPsec), so there is no Get statement in the TCP segment. Only traffic that is on 3260 is iSCSI and needs to be identified.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4072iCACC9EF9DB156173/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture1.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4073i4EB8D458FBC1BACD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture1.JPG" alt="Capture1.JPG" /></span></P> Wed, 18 May 2016 16:55:45 GMT https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78322#M42905 jharlow 2016-05-18T16:55:45Z https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78327#M42907 <P>Disregard. Deteremine that I had to also create a application override. Once that was in place, traffic is now identify correctly. Thanks.</P> Wed, 18 May 2016 17:34:20 GMT https://live.paloaltonetworks.com/t5/general-topics/handling-unknown-tcp-iscsi-traffic/m-p/78327#M42907 jharlow 2016-05-18T17:34:20Z