https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/340942#M85545 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104297">@deepak12</a>,</P> <P>What type of traffic are you actually seeing this on? It wouldn't be uncommon to see something developed internally have an unknown-tcp/udp determination, but if it's traversing the untrust/internet interface that's different.&nbsp;</P> <P>In any case, it usually means that the firewall either didn't pass enough traffic to identify the app-id, or an app-id simply doesn't exist for the traffic.&nbsp;</P> Mon, 27 Jul 2020 20:47:16 GMT BPry 2020-07-27T20:47:16Z https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/340921#M85540 <P>Hi All ,</P><P>&nbsp;</P><P>I am having policy&nbsp; having application group and set services as application default .</P><P>&nbsp;</P><P>Sometime policy is working fine but sometime its dropping packet and in logs showing application&nbsp; unknown UDP.</P><P>&nbsp;</P><P>Could you please suggest any troubleshooting steps here ? I did packet capture but not seeing any this specific which can indicate any issue on firewall end .</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Mon, 27 Jul 2020 19:02:14 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/340921#M85540 deepak12 2020-07-27T19:02:14Z https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/340942#M85545 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104297">@deepak12</a>,</P> <P>What type of traffic are you actually seeing this on? It wouldn't be uncommon to see something developed internally have an unknown-tcp/udp determination, but if it's traversing the untrust/internet interface that's different.&nbsp;</P> <P>In any case, it usually means that the firewall either didn't pass enough traffic to identify the app-id, or an app-id simply doesn't exist for the traffic.&nbsp;</P> Mon, 27 Jul 2020 20:47:16 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/340942#M85545 BPry 2020-07-27T20:47:16Z https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/340950#M85547 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;,</P><P>It's syslog traffic . Moreover for same set of source and destination IP , its working fine , properly identifying the APP-id.</P><P>I am using default syslog app-id .</P> Mon, 27 Jul 2020 20:58:54 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/340950#M85547 deepak12 2020-07-27T20:58:54Z https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/341076#M85582 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104297">@deepak12</a>,</P> <P>Interesting. I've never actually had the firewall fail to identify syslog traffic across the default 514 port, but I have if I customize the port without creating a custom application or doing an application-override see it come across as unknown-udp.&nbsp;</P> <P>Personally, I would take a packet capture of the traffic when it comes across as unknown-udp and see if you can notice any sort of difference with the traffic. If you aren't seeing anything I would try to capture the traffic and open up a TAC case for review.</P> Tue, 28 Jul 2020 16:12:44 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/341076#M85582 BPry 2020-07-28T16:12:44Z https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/341131#M85598 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Thanks , I will check with Tac and update here with findings .</P> Tue, 28 Jul 2020 21:10:31 GMT https://live.paloaltonetworks.com/t5/general-topics/getting-intermittent-unknown-udp-traffic-logs/m-p/341131#M85598 deepak12 2020-07-28T21:10:31Z