Lot of 'insufficient-data'

L4 Transporter

Hello,

We see a lot of 'insufficient-data' traffic on our firewall and we couldn't find any reason so far. Does anyone have a good idea on how we can troubleshoot the issue?

If we click on the insufficient-data bar we get redirected to the ACC but it doesn't show much there...

[Attached image: Insufficient-data.jpg]

[Attached image: Insufficient-data2.jpg]

Thanks,

Oliver

L4 Transporter

Re: Lot of 'insufficient-data'

Insufficient data in the application field usually means that there was not enough data to identify the application. For example, if the 3-way TCP handshake was completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.


You can try to filter the traffic logs based on the application filter set to 'Insufficient data' and see what traffic it is.

You can refer to this doc:

Incomplete, Insufficient data and Not-applicable in the application field

L4 Transporter

Re: Lot of 'insufficient-data'

Thank you. We tried that already. When we filter for 'insufficient-data' for the time frame above (18:30 - 00:30) we get a result set of only 41 rows. Each row reports only ~900 bytes up to 1.5 KB of data. If we sum that up, we get a maximum of 60 KB of insufficient data for these 6 hours.

If you look at the amount of insufficient-data in the first picture, you see that there are more than 2 GB of insufficient data in the mentioned time frame...
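An added example, not code from this thread: a small Python script that does the filtering and byte-summing described in the two posts above over an exported traffic log CSV, and goes a step further by breaking the 'insufficient-data' sessions down per flow, rule and session end reason so the noisiest sources show up first. The column names follow the PAN-OS traffic log CSV export as I recall them and the sample rows are constructed; adjust the headers to match your own export.

```python
"""Summarize 'insufficient-data' sessions from an exported PAN-OS traffic log CSV."""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real traffic). Header names are assumed to
# match the PAN-OS CSV export; rename them if your export differs.
SAMPLE_CSV = """Receive Time,Source address,Destination address,Destination Port,Application,Bytes,Session End Reason,Rule
2020/01/01 18:31:02,10.1.1.5,203.0.113.10,443,insufficient-data,912,aged-out,allow-outbound
2020/01/01 18:32:10,10.1.1.5,203.0.113.10,443,insufficient-data,1480,tcp-rst-from-server,allow-outbound
2020/01/01 18:40:55,10.1.1.7,198.51.100.20,8443,insufficient-data,1024,aged-out,deny-all
2020/01/01 19:02:13,10.1.1.9,203.0.113.10,443,ssl,204800,tcp-fin,allow-outbound
"""


def _new_flow():
    return {"sessions": 0, "bytes": 0, "end_reasons": defaultdict(int), "rules": defaultdict(int)}


def summarize(csv_text, app="insufficient-data"):
    """Return (row_count, total_bytes, per_flow) for sessions whose Application is `app`.

    per_flow maps (src, dst, dport) -> {sessions, bytes, end_reasons, rules}.
    """
    rows, total = 0, 0
    per_flow = defaultdict(_new_flow)
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["Application"].strip().lower() != app:
            continue
        rows += 1
        size = int(rec["Bytes"])
        total += size
        flow = per_flow[(rec["Source address"], rec["Destination address"], rec["Destination Port"])]
        flow["sessions"] += 1
        flow["bytes"] += size
        flow["end_reasons"][rec["Session End Reason"]] += 1  # hints whether sessions aged out or were reset
        flow["rules"][rec["Rule"]] += 1                       # which policy rule matched the session
    return rows, total, dict(per_flow)


def top_flows(per_flow, n=10):
    """Flows sorted by session count, then bytes, so the noisiest talkers come first."""
    return sorted(per_flow.items(), key=lambda kv: (kv[1]["sessions"], kv[1]["bytes"]), reverse=True)[:n]


if __name__ == "__main__":
    rows, total, flows = summarize(SAMPLE_CSV)
    print(f"{rows} insufficient-data sessions, {total} bytes total ({total / 1024:.1f} KB)")
    for (src, dst, dport), f in top_flows(flows):
        reasons = ", ".join(f"{r}={c}" for r, c in f["end_reasons"].items())
        rules = ", ".join(f"{r}={c}" for r, c in f["rules"].items())
        print(f"{src} -> {dst}:{dport}  sessions={f['sessions']} bytes={f['bytes']}  end: {reasons}  rule: {rules}")
```

Comparing the byte total this prints against the ACC figure for the same time window reproduces the mismatch described above; the per-rule and end-reason breakdown shows which rule the sessions hit and whether they aged out or were reset.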

Community Team Member

Re: Lot of 'insufficient-data'

As much as I hate to say it, the "insufficient data" is showing up because part of the traffic is being dropped, and thus it is unable to determine what app is really being used.

Sometimes creating an "open" rule to allow the traffic, monitoring for that traffic, properly identifying the traffic, and then allowing the traffic more specifically helps.

This is because we do not look at the TCP handshake to determine what app is being used, so that might work, but not the true "data", thus it shows up as Insufficient data.

Stay Secure,
Joe
End of line
L4 Transporter

Re: Lot of 'insufficient-data'

Hmm, so that means we'd have to set our last rule (Deny and log everything else) to "allow"? That doesn't sound like a charming solution, hehe

Community Team Member

Re: Lot of 'insufficient-data'

It is only recommended to do that for a short period of time, sort of a discovery of the network. Then you can narrow down the rule to just what you want/need.

Stay Secure,
Joe
End of line
L4 Transporter

Re: Lot of 'insufficient-data'

Okay, we'll try that the next weekend. I'll post the result here next week.
