This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Identifying unknown-tcp in Monitor tab

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Identifying unknown-tcp in Monitor tab

ClintL
L2 Linker

‎07-30-2014 11:48 AM

Hello,

We have a PA-3020 running 6.0.3.  Basically we have iSCSI replication set up between two sites.  When I pull up the traffic in the Monitor tab I see the picture below.  Even though iSCSI traffic is defined in the Applications section I tried creating another app to identify it but still see the "unknown-tcp" traffic show up.  Is there something I am missing or is it not possible to change what it pulls up in Monitor?

iscsi.png

Labels:
0 Likes Likes
13 REPLIES 13

HULK
L7 Applicator

‎07-30-2014 12:27 PM

A reference DOC for this : Incomplete, Insufficient data and Not-applicable in the application field

Thanks

0 Likes Likes

ClintL
L2 Linker
In response to HULK

‎07-30-2014 02:39 PM

Hey Hulk,

Is there a way though to tell the Palo that any unknown-tcp traffic on port 3260 from specific zones will be classified as iSCSI?

0 Likes Likes

j.liu
L4 Transporter
In response to ClintL

‎07-30-2014 02:42 PM

Custom app signature

Custom Application Signatures

NGFW Customer Success Engineer, Palo Alto Networks
0 Likes Likes

HULK
L7 Applicator
In response to ClintL

‎07-30-2014 02:49 PM

Hello Clint,

As J.liu said, you need to configure a custom application signature to identify traffic on port 3260. Secondly, need a security policy in place  from specific zones to allow that traffic.

Hope this helps.

Thanks

0 Likes Likes

RichardThornton
Not applicable

‎07-30-2014 05:15 PM

For iSCSI, I would be using an application override, essentially fast-pathing it which is what you would want to do with low-latency traffic.

The CNSE Study Guide page 34 gives the config steps.

0 Likes Likes

HULK
L7 Applicator
In response to RichardThornton

‎07-30-2014 07:24 PM

Hello Clint,

As per my understanding, the default application iSCSI is using TCP 3260. Then, why you want to use a custom app for this..?  Better, you should use the previously mentioned DOC to get the exact reason.

Thanks

0 Likes Likes

ClintL
L2 Linker
In response to HULK

‎07-31-2014 05:32 AM

Hey Hulk,

Honestly I don't know why it is not identifying the traffic as iSCSI.  It might be something proprietary with the vendor that is preventing the Palo from recognizing it even though it is coming across on 3260.  I just want to be able to see in the reports that it is iSCSI.  I will most likely end up programming both solutions.

Thanks for the answers, guys.  I'll give it a try today.

0 Likes Likes

HULK
L7 Applicator
In response to ClintL

‎07-31-2014 10:18 AM

Hello  Clint,

According to the screenshot you have attached here, it looks like the amount of data transferred between the Server and client is very low ( few KB). PAN firewall need at least 2000 Bytes of application data or minimum 4 packets to identify an application signature correctly. So, could you please check how many packets has been exchanged through those sessions.

session-magnifying glass.jpg


session-rx-tx-count.jpg


Insufficient data in the application field

Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.

Thanks

0 Likes Likes

ClintL
L2 Linker
In response to HULK

‎07-31-2014 11:45 AM

I think there is something proprietary going on.  I created a custom app signature with tcp/3260, created an allow rule and the traffic stopped transmitting altogether but I wasn't getting any deny entries.  I'm just guessing but maybe when it isn't let through as is the Palo possibly strips out whatever proprietary info the data has and makes it unreadable to the iSCSI equipment on the other side.  I haven't tried the application override rule yet though.

iscsi2.png

0 Likes Likes

HULK
L7 Applicator
In response to ClintL

‎07-31-2014 12:53 PM

Hello Clint,

It's looks like the firewall passing a good amount of traffic, but still not able to identify the correct application-signature. Do you have a chance to take a packet capture. We can relay that PCAP through a  LINUX REPLAY server and let you know if you need to contact with PAN support to open an App-ID BUG.

In the mean time, you may also try app-override once.

Thanks

0 Likes Likes

jharlow
L3 Networker

‎04-15-2015 02:31 PM

Did you ever get this one resolved?  I have a newly configured PA-500 and noticed the same issue for our iSCSI traffic. It is a Dell EqualLogic. There is already a Application ID for iscsi for tcp/3260; however in our QoS reports it is shown as unknown-tcp

0 Likes Likes

pulukas
L7 Applicator
In response to jharlow

‎04-16-2015 06:20 PM

For traffic like iSCSI your best bet is to get this into a segregated vlan that does not transit routers and firewalls if at all possible.

If it must transit the PA, create an application override to improve performance and insure there is a little latency as possible on this traffic.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

jharlow
L3 Networker
In response to pulukas

‎04-23-2015 08:52 AM

Hey Steven,

iSCSI traffic has been segregated into its own network (own switch); however, we do send bits over our firewall/routers for replication. The traffic is coming and going between our network here and our offsite location.  As one could imagine, this data is appearing in all of the reports and typically on the top5 due to the about of bits being sent offsite (for DR).

0 Likes Likes
  • 5600 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks