topic Re: Almost all traffic identified as unknown-tcp? in General Topics

Almost all traffic identified as unknown-tcp?

apackard — Tue, 12 Jun 2018 19:31:39 GMT

We are seeing some of our Palo's periodically logging (almost) all traffic as unknown-tcp.

As the traffic is being allowed through (and logged against) rules that do not allow it we assume this is a problem with the logs, rather than traffic being miscategorised. However we do seem to be be experiencing some random issues that may, or mayt not be connected.

Rebooting the Palo seems to clear the problem.

Just wondering if anyone else has see this (we are 8.1.1) before opening a support call.

Re: Almost all traffic identified as unknown-tcp?

BPry — Tue, 12 Jun 2018 20:16:55 GMT

@apackard,

I've been running 8.1.1 on some lab equipment and at home for a bit and haven't seen this issue at all; further I haven't heard of anyone else experiancing an issue like this running 8.1.*.

That being said you probably want to open a ticket simply to at least provide PA with the logs so that they can see why you are experiancing this issue.

Re: Almost all traffic identified as unknown-tcp?

m_izk — Thu, 02 Aug 2018 11:50:18 GMT

Did that the problem get fixed?

Our customer is facing with the same problem as you. (ver. 8.1.1 , pa-3020.)

As you said, rebooting the Palo seems to clear the problem.

Re: Almost all traffic identified as unknown-tcp?

apackard — Thu, 02 Aug 2018 11:54:10 GMT

Fraid not - we're currently escalaing this with Palo.

In a way it's good to know others are impacted by this as we're being told it's never been seen before.

Interestingly for us we see this much more in our US locations - we have same hardware, same OS version, same rules in EU and Asia locations and we're seeing 90% less unknown trafic types being logged.

Re: Almost all traffic identified as unknown-tcp?

david.myers — Wed, 17 Oct 2018 20:35:55 GMT

Checking to see if you ever heard back from TAC on this issue.