topic Re: Incomplete traffic: custom appID and QoS in General Topics

Incomplete traffic: custom appID and QoS

LucaMarchiori — Fri, 16 Jun 2017 18:47:19 GMT

Hi,

I have traffic generated by Solarwinds NetPath probes that is tagged by the firewall as "incomplete".

I run a packet trace, and after the handshake, there are only TCP-keep-alive packets. I'd like to prioritize this traffic in QoS, currently I'm seeing high latency on NetPath at our busiest sites, and I'm thinking this may be because of QoS.

Now I cannot see "incomplete" as an app in QoS, so I have a couple of questions.

1. Is incomplete traffic being treated as unknown-tcp/udp?

2. Will I be able to create a custom AppID without an http stream I can base a signature on, to have QoS apply to this traffic?

Thanks,

Luca

Re: Incomplete traffic: custom appID and QoS

acc6d0b3610eec313831f7900fdbd235 — Fri, 16 Jun 2017 19:43:29 GMT

Hi @LucaMarchiori

In terms of App-ID, these are connections where not enough data, or data that did not match any known applications's behavior, were transferred and App-ID was unable to identify a known application.

When this type of application is seen inside the organization, there's a good chance this is benign traffic: maybe a homebrew backup or a scripted maintenance task. If these show up on sessions going out to, or coming in from the internet, they should be a reason for concern.

https://live.paloaltonetworks.com/t5/Management-Articles/Pro-Tips-Unknown-Applications/ta-p/77052

In other words, "Incomplete" is not an application and that's why it is not going to be showed in the "Application" column when you create a security rule or QoS rule.

My recommendation is that in this case, you create a security policy and QoS policy applying the "Solarwinds" app-id signture to it, then it may take care of this for you. Now if you don't want that traffic to go through the App-ID engine, I recommend that you create a Application Override Policy, so it will bypass the Application inspection. By doing that, you still can apply security profiles but the rule will be treated as stateful only.

I hope it makes sense.

Willian

Re: Incomplete traffic: custom appID and QoS

LucaMarchiori — Fri, 16 Jun 2017 22:04:55 GMT

@acc6d0b3610eec313831f7900fdbd235 wrote:

In terms of App-ID, these are connections where not enough data, or data that did not match any known applications's behavior, were transferred and App-ID was unable to identify a known application.
When this type of application is seen inside the organization, there's a good chance this is benign traffic: maybe a homebrew backup or a scripted maintenance task. If these show up on sessions going out to, or coming in from the internet, they should be a reason for concern.
https://live.paloaltonetworks.com/t5/Management-Articles/Pro-Tips-Unknown-Applications/ta-p/77052

In other words, "Incomplete" is not an application and that's why it is not going to be showed in the "Application" column when you create a security rule or QoS rule.

My recommendation is that in this case, you create a security policy and QoS policy applying the "Solarwinds" app-id signture to it, then it may take care of this for you. Now if you don't want that traffic to go through the App-ID engine, I recommend that you create a Application Override Policy, so it will bypass the Application inspection. By doing that, you still can apply security profiles but the rule will be treated as stateful only.

Hi Willian,

In this case I'm positive that the traffic in question is benign, in fact, I'm trying to prioritize it. Sorry I don't undesrtand your suggestion of "create a security policy and QoS policy applying the "Solarwinds" app-id signture to it. I guess I can't think of how this could possibly work, since the firewall is not assigning an app tag in the first place.

Never used app override, but from a quick peek, it looks as though you need to create a custom appID first, which brings me back to my question 2. Maybe the only way to do this is to forget the app, and use a service based rule?

Re: Incomplete traffic: custom appID and QoS

acc6d0b3610eec313831f7900fdbd235 — Fri, 16 Jun 2017 22:22:03 GMT

@LucaMarchiori

If the firewall is not assigning the App -ID is because the application is potentially trying to run over a non-standard port. In this case you have to create your policy allowing the solarwinds application, but leave the service column as "Any", unless you know exactly over which port the service is running on.

Only creating a service based rule will not bypass the app-id engine. You have to create app override policy so that the app-id engine will not interfere with traffic. You assumption is correct, you have to create a custom app-id in order to create an app-override policy, but you still need to know over which port the service is running over.

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513

Re: Incomplete traffic: custom appID and QoS

LucaMarchiori — Fri, 16 Jun 2017 22:32:35 GMT

I was just looking at that document you linked. 🙂 I know the port (443), port does not change, and the probes are sent just by a couple of servers.

So, if I create a custom appID (like in the example), with just dest. port tcp/443 but no signature, and then assign that custom app to override app policy (specifying correct source and dest IPs), you think that would work?

I'm not sure I'd define NetPath as an application, it's more like a TCP-based probe? It basically establishes a TCP connection over whatever port you specify, and then keeps the connection alive for a while, rinse and repeat. Which is probably why the firewall has a hard time giving it a name, there is not much to go on.

Re: Incomplete traffic: custom appID and QoS

acc6d0b3610eec313831f7900fdbd235 — Sat, 17 Jun 2017 01:11:49 GMT

@LucaMarchiori

NetPath is not specified as an application in the App-ID library. In this case you have to use the Solarwinds application in the security rule. According to this Solarwinds documentation below, NetPath is a feature of Solarwinds NPM, and by default displays NPM data and issues.

http://www.solarwinds.com/documentation/en/flarehelp/npm/content/npm-orion-integration-with-netpath.htm

I would configure the policy according to the screenshot below, based on your explanation and the requirements in the documentation above.

I am including the SSL application in case you are running the service over port 443, which seems to be the case. I am also leaving the Service as "ANY" in case the service using non-standard ports.

Re: Incomplete traffic: custom appID and QoS

LucaMarchiori — Sat, 17 Jun 2017 02:01:05 GMT

Thanks Willian. I'll give this a try on Monday and report back.

Re: Incomplete traffic: custom appID and QoS

LucaMarchiori — Mon, 19 Jun 2017 17:50:12 GMT

Hi Willian,

I have an existing security rule that already allows NetPath traffic. I created a QoS rule with the apps you listed, and I can see the rule showing up in Network > QoS > Statistics > QoS Rules. So maybe that's it?