I have a few security policies (below) and did some testing on them, and found the traffic log displaying some interesting results; I have an idea of why this shows up in the log, but may be somebody more experienced can confirm.
I have a rule that allows DNS application, any port:
and a rule below that allows any outbound traffic:
When looking at the traffic log, it looks like traffic to port 80, 443, for tries the DNS rule and application status is Incomplete, then it closes the session with the second rule, which is the one actually allowing the traffic.
If, on the DNS rule I specify both, the application and the port numbers - TCP 53 and UDP 53, traffic to other ports are not showing as attempting this rule anymore and going straight to the second rule.
Can somebody explain this behaviour, please?
Solved! Go to Solution.
You have to first understand how App-ID works, then you will understand what is going on here.
Notice how the application is "incomplete" at first? This means that there was not enough data to determine what application was in use, normally this means the handshake (Syn, Syn-Ack, Ack) has happened, or less, but no real data has been sent. Until that happens, the application is "incomplete" or "unknown". Because of this, it will take the first rule that it can, to start the connection, but as soon as the application can be determined, then it will drop to the rule that matches the Application in use.
I hope that makes sense.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!