We see a lot of 'insufficient-data' traffic on our firewall and we couldn't find any reason so far. Does anyone have a good idea on how we can troubleshoot the issue?
If we click on the insufficient-data bar we get redirected to the ACC but it doesn't show much there...
Insufficient data in the application field usually means that there was not enough data to identify the application. For example, if the 3-way TCP handshake was completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.
You can try to filter the traffic logs based on the application filter set to 'Insufficient data' and see what traffic it is.
You can refer to this doc:
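One practical way to do the check suggested above is to export the filtered traffic log to CSV and total it per application, so the logged insufficient-data bytes can be compared with the figure the ACC shows. The script below is an added example, not code from the thread or from Palo Alto Networks; the sample log lines are constructed, and the reduced column names (`app`, `bytes`, `session_end_reason`, and so on) are an assumption standing in for the much wider real export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a traffic log CSV export, reduced to the columns this
# example needs. The column names are an assumption, not the real export layout.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,action,bytes,session_end_reason
2024/01/01 18:31:02,10.1.1.10,203.0.113.5,443,ssl,allow,52310,tcp-fin
2024/01/01 18:32:15,10.1.1.11,203.0.113.9,8443,insufficient-data,allow,912,aged-out
2024/01/01 18:33:40,10.1.1.12,198.51.100.7,80,web-browsing,allow,18400,tcp-fin
2024/01/01 18:35:01,10.1.1.11,203.0.113.9,8443,insufficient-data,allow,1460,aged-out
2024/01/01 18:36:22,10.1.1.13,198.51.100.20,22,ssh,allow,77000,tcp-fin
2024/01/01 18:40:09,10.1.1.14,203.0.113.33,9001,insufficient-data,deny,1024,policy-deny
"""


def parse_traffic_log(text):
    """Parse the CSV export into a list of dicts, converting bytes to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def summarize_by_app(rows):
    """Return {app: (session_count, total_bytes)} over all logged sessions."""
    counts = defaultdict(int)
    totals = defaultdict(int)
    for r in rows:
        counts[r["app"]] += 1
        totals[r["app"]] += r["bytes"]
    return {app: (counts[app], totals[app]) for app in counts}


def insufficient_data_sessions(rows):
    """Keep only sessions tagged insufficient-data, grouped by destination
    host and port so repeated unidentified flows to one service stand out."""
    by_dest = defaultdict(list)
    for r in rows:
        if r["app"] == "insufficient-data":
            by_dest[(r["dst"], r["dport"])].append(r)
    return dict(by_dest)


def compare_with_acc(rows, acc_insufficient_bytes):
    """Compare the byte total the traffic log attributes to insufficient-data
    with the total the ACC reports. A large unexplained remainder is the
    symptom the thread describes: volume the ACC counts that no log row
    accounts for, which points at sessions not being logged the way expected."""
    logged = summarize_by_app(rows).get("insufficient-data", (0, 0))[1]
    return {
        "logged_bytes": logged,
        "acc_bytes": acc_insufficient_bytes,
        "unexplained_bytes": acc_insufficient_bytes - logged,
    }


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    for app, (n, b) in sorted(summarize_by_app(rows).items()):
        print(f"{app:20s} sessions={n:3d} bytes={b}")
    for (dst, port), sessions in insufficient_data_sessions(rows).items():
        reasons = sorted({s["session_end_reason"] for s in sessions})
        print(f"insufficient-data -> {dst}:{port} x{len(sessions)} end={reasons}")
    # The ACC figure is a constructed placeholder standing in for the ~2 GB
    # mentioned in the thread; read the real value from the ACC widget.
    print(compare_with_acc(rows, acc_insufficient_bytes=2_000_000_000))
```

Grouping by destination and session end reason is the useful part: a cluster of short `aged-out` sessions to one host and port is the pattern to look at first, since those are flows that never sent enough payload to match a signature.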
Thank you. We tried that already. When we filter for 'insufficient-data' for the time frame above (18:30 - 00:30) we get a result set of only 41 rows. Each row reports only ~900 bytes up to 1.5 KB of data. If we sum that up, we get a maximum of 60 KB of insufficient data for these 6 hours.
If you look at the amount of insufficient-data in the first picture, you see that there are more than 2 GB of insufficient data in the mentioned time frame...
As much as I hate to say it, the "insufficient data" is showing up because part of the traffic is being dropped, and thus it is unable to determine what app is really being used.
Sometimes creating an "open" rule to allow the traffic, monitoring for that traffic, properly identifying the traffic, and then allowing it with a specific rule helps.
This is because we do not look at the TCP handshake to determine what app is being used. So that might work, but not the true "data", thus it shows up as Insufficient data.
Hmm, so that means we'd have to set our last rule (Deny and log everything else) to "allow"? Sounds not like a charming solution, hehe.
It is only recommended to do that for a short period of time. Sort of a Discovery of the network. Then you can narrow down the rule to just what you want/need.