topic Re: Unnown-TCP application "commvault" in General Topics

Unnown-TCP application "commvault"

inzamam.shahid — Mon, 19 Sep 2016 20:58:04 GMT

Hi Guys,

I hope you guys can help with classifying unknown traffic.

I have read many forums for this topic none of which answer my specific question. I understand that should create a custom app if your application bespoke and it is unlikely that an APP-ID would be created.

However, I am expereincing an issue with an application called "commvault" the firewall already recognises this app, but my rule does not work as the traffic is being identified as "unknown-tcp" I do not understand if the firewall already reconises this app why is this being recognised as unknown. Can you also share with me the correct procedure of getting the traffic classified as "commvault" application?

I already have PCAPS from the firewall, but do not know where this should be raised.

Many Thanks,

Re: Unnown-TCP application "commvault"

Brandon_Wertz — Mon, 19 Sep 2016 21:10:11 GMT

Can you share the traffic log of the "commvault" traffic and the "unkown-tcp" traffic?

Re: Unnown-TCP application "commvault"

bmorris1 — Tue, 20 Sep 2016 08:29:24 GMT

Hi,

In this situation, if an app signature has been created but is not recognising the app correctly then your best bet is to raise a case with TAC, they are very helpful in assisting you so that the right data is gathered and getting the signature modified accordingly so that it is recognised.

You could try and create a custom application for this as well:

https://live.paloaltonetworks.com/t5/Tech-Notes/Custom-Application-Signatures/ta-p/58625

hope this helps,

Ben

Re: Unnown-TCP application "commvault"

reaper — Tue, 20 Sep 2016 09:04:31 GMT

yes, please share traffic logs and if possible, please show your security policy

it is possible the version of commvault you are running differs from the traffic pattern included in the AppID version of commvault.

(this can be due to a new updte to commvault or a deployment not seen before by our AppId team,...) if that is the case you'd need to open a support ticket to have the behavior of your commvault app verified and appid updated to include it's patern

Re: Unnown-TCP application "commvault"

inzamam.shahid — Tue, 20 Sep 2016 11:12:43 GMT

Please see traffic log and the rules that have been created for this.

Please let me know if you guys believe this is correct and if the support route still needs to be followed.

Re: Unnown-TCP application "commvault"

reaper — Tue, 20 Sep 2016 12:18:58 GMT

you're hitting a deny rule

if you create a security policy that matches the source and destination IP, but leaves the application as any (temorarily), do you still see unknown-tcp ?

Re: Unnown-TCP application "commvault"

inzamam.shahid — Tue, 20 Sep 2016 13:33:05 GMT

This is what I am failing to understand on why it is hitting that deny rule. That deny rule is number 800 in the rule set.

The commvault rules are 600 in the rule set. In the screenshot, that I provided "commVault Media Agent to Ping" & "New Backup Networks" are basically any any rules just set to specfic IP's. They let any application over any service go through. I have checked the correct zones and IP's are in the rule.

When I do a a security policy match from the CLI, the rule matches rule called "NEW BACKUP NETWORKS-app" so I do not understand why unknown-tcp is being hit.

Re: Unnown-TCP application "commvault"

Brandon_Wertz — Tue, 20 Sep 2016 14:04:24 GMT

That's what @reaper was trying to help figure out.

As he stated it's possible there was an update to the APP-ID packge which changed how "commvault" is being idenfitied in your firewall, and while you've properly configured your security policy to use the application it's not matching for that reason.

So he was asking does it match L3 IP-IP (with applicable zones). Then when introducing the L7 application control is it matching or not.

Re: Unnown-TCP application "commvault"

Anita2020 — Wed, 19 May 2021 15:16:13 GMT

Hello,

Good Evening,

Please go through this link: https://documentation.commvault.com/commvault/v11/article?p=8572.htm

I hope the above link will help you.

Thanks & Regards,

Anita

Re: Unnown-TCP application "commvault"

parablu — Tue, 07 May 2024 09:45:27 GMT

"Unknown-TCP" traffic from Commvault refers to network traffic generated by Commvault software that is using TCP (Transmission Control Protocol) but is unrecognized or unidentified by the network monitoring system.
This type of traffic can occur due to various reasons such as custom configurations, non-standard ports, or unexpected communication patterns.

Understanding and scrutinizing this traffic is crucial for network security and performance management, ensuring it doesn't compromise network integrity or impede data backup processes.