Best Practice for insufficient-data

Hi all,

What are you doing with traffic identified as "insufficient-data"?

I know we are supposed to take a pcap, try to identify it and then create a custom app, but ... in real life 🙂

Although you have created a rule for denying all, insufficient-data still goes through the firewall (like "unknown" traffic), inbound and outbound!! Most of this traffic is UDP.

    Can we create a rule for blocking it?

    What is the risk?

    Should it be done by default?

Please look at the attached capture for an example.

Thx in advance for your help.

rule.png

log

V.

Accepted Solution

Good evening, Vince,

Well, I would say it is individual. I just reviewed my home logs and see that, when I check "resolve hostname" for traffic logs with the filter ( app eq insufficient-data ), I get lots of traffic logs, seemingly legit by the looks of at least some URLs 🙂

It depends on what and whom you are protecting: is such traffic expected? Capture some and find out what it is; Wireshark is your friend 🙂

I would not block it, because I suspect lots of really legit traffic will pass through the stage of being evaluated as "insufficient data" before it passes all decoders. I would still focus my attention on zones, sources and destinations rather than apps when I am creating my policies. Apps are like userIDs, more useful for reporting than for granulation of rules, IMHO, although I've seen more than a few intensive app uses in RL security policy configurations.

Please take the above as a personal opinion and not as a guide 🙂

Regards

Luciano

Hi Vince,

Insufficient data is what it is: an insufficient amount of information, and therefore we are not able to reliably determine the application. There is a difference between unknown, incomplete and insufficient data: unknown was evaluated but is not known; incomplete and/or insufficient data were short of enough packets for us to be certain what the application is. In particular, the incomplete app will be when the TCP handshake didn't complete, while insufficient data will usually be an app that completed the TCP handshake but didn't pass enough packets in both directions for us to determine with certainty what the app was.

So... generally it goes something like this:

1-3 packets exchanged ---> incomplete, because not even the TCP handshake was completed

4-10 packets exchanged ---> insufficient data, because TCP was completed but we did not see enough packets to precisely determine what application it is

11 or more packets exchanged ---> if we can't determine what the app is, it is marked as "unknown"

Generally, if there is a lot of insufficient data you want to find out what it is and why; on the other hand, if you have other profiles set up on the firewall, it should not be a big deal. The best would still be to take packet captures, and I would do it manually and investigate immediately, rather than setting up automated pcap collection (as we do for viruses, for example).

Regards

Luciano
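One way to start the triage Luciano recommends (find out what the insufficient-data sessions actually are before deciding on a rule), as an added example that is not part of this thread: a Python script that groups allowed insufficient-data sessions from an exported traffic log by zone pair, protocol and port, and puts inbound and unanswered (one-way) groups first for manual packet capture. The CSV column names and the sample rows are constructed assumptions for this example, not a real PAN-OS export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an exported PAN-OS-style traffic log; the column names
# are assumptions for this example, so check them against your own export.
SAMPLE_LOG = """\
app,action,from,to,proto,dport,src,dst,pkts_sent,pkts_received,rule
insufficient-data,allow,trust,untrust,udp,443,10.0.0.5,203.0.113.10,3,0,allow-out
insufficient-data,allow,trust,untrust,udp,443,10.0.0.5,203.0.113.10,4,2,allow-out
insufficient-data,allow,trust,untrust,tcp,8443,10.0.0.7,198.51.100.3,5,4,allow-out
insufficient-data,allow,untrust,dmz,tcp,25,192.0.2.9,10.0.1.2,4,3,allow-in-smtp
insufficient-data,allow,untrust,dmz,udp,53,192.0.2.9,10.0.1.2,6,0,allow-in-dns
insufficient-data,deny,untrust,dmz,udp,161,192.0.2.9,10.0.1.2,1,0,deny-all
incomplete,allow,trust,untrust,tcp,443,10.0.0.8,203.0.113.20,2,0,allow-out
"""

def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(rows, app="insufficient-data"):
    """Group allowed sessions of `app` by zone pair, protocol and port.
    `one_way` counts sessions with packets in only one direction: nothing
    answered, so these are the cheapest to explain (dead service, scan, retry)."""
    summary = defaultdict(lambda: {"sessions": 0, "one_way": 0, "rules": Counter()})
    for r in rows:
        if r["app"] != app or r["action"] != "allow":
            continue  # other apps, and sessions a deny rule already caught
        s = summary[(r["from"], r["to"], r["proto"], r["dport"])]
        s["sessions"] += 1
        if int(r["pkts_sent"]) == 0 or int(r["pkts_received"]) == 0:
            s["one_way"] += 1
        s["rules"][r["rule"]] += 1
    return dict(summary)

def prioritise(summary, external_zones=("untrust",)):
    """Order groups for manual pcap review: inbound from an external zone first,
    then the most one-way sessions, then volume."""
    def rank(item):
        (src_zone, _, _, _), s = item
        return (src_zone not in external_zones, -s["one_way"], -s["sessions"])
    return sorted(summary.items(), key=rank)

if __name__ == "__main__":
    for key, s in prioritise(triage(load_rows(SAMPLE_LOG))):
        print(key, s["sessions"], "sessions,", s["one_way"], "one-way,", dict(s["rules"]))
```

Run it against a real export only after matching the column names to your firewall's log field reference; the zone names in `external_zones` are an assumption too.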

Hi Luky,

Thx for your answer. I 100% agree with you, but...

In real life, maybe you don't have time to spend all day on your Palo analysing "insufficient data".

Then, what can be the impact if you add "insufficient data" to a rule and deny it?

Does anybody do that?

Is it not more secure to block by default, then allow if needed?

Thx in advance for sharing your experience.

V.
