Handling Unknown TCP iSCSI traffic

Reply
L3 Networker

Handling Unknown TCP iSCSI traffic

I have  a Dell Equalogic SAN that is replication to an offsite location. The traffic is sent over via a VPN tunnel (Certificate based). This traffic is being reported as unknown tcp. I can verify that the traffic in question is in fact the SAN traffic as the source and destination matches. I also read that the PA normally flags certificate based VPN as unknown. I need to get this traffic reported as a correct application as unknown is hard to manage and add to the fact that PA recommends blocking unknown TCP traffic. I also need to create a QoS rule so that this traffic is provided a higher priority. 

 

I believe what I am needing to create is an Application override based on some of the articles here. Assuming this is correct and will provide me with the requirements; I need to have several IP addresses in this policy. Can I create an application group with a subnet; for example, all SAN traffic is outbound on 10.0.52.x (10.0.52.1-10.0.52-9) or do I have to create the group with each IP address?

 

If this is not the ideal solution or will not provide the results I am seeking, can you provide me with the KB or solution that would?  Thank you.

L7 Applicator

Re: Handling Unknown TCP iSCSI traffic

Hi

 

If the application can be identified by matching a string of characters in the session a custom app with a custom signature would do the trick

If the traffic has no identifyable markers, an app override would allow you to set the application manually. the app override rule can have address objects both as source and destination. these address objects can be a single IP, a subnet or an IP range

 

 

please check out these articles:

 

Getting Started: Custom applications and app override

How to Configure a Custom App-ID

Pro-Tips: Unknown Applications

L3 Networker

Re: Handling Unknown TCP iSCSI traffic

 

 

 

 

I created a new application and configured the settings to idenfity any traffic that is using port 3260 (tcp/3260); however, I am still seeing "unknown-tcp" in the monitor logs. I do not believe I can use a signature or at least in the examples I found as the data is encrypted (IPsec), so there is no Get statement in the TCP segment. Only traffic that is on 3260 is iSCSI and needs to be identified.

Capture.JPG

 

Capture1.JPG

L3 Networker

Re: Handling Unknown TCP iSCSI traffic

Disregard. Deteremine that I had to also create a application override. Once that was in place, traffic is now identify correctly. Thanks.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!