About undecided application.


L3 Networker

Hello guys.

I have some question about APP-ID.

In the session browser, the application PAN recognized was UNDECIDED, the traffic was passed and the state was ACTIVE. So the traffic was not dropped, but why could PAN not recognize the application properly and showed UNDECIDED, which means PAN could not identify the APP-ID for this traffic?

1. Why could PAN not recognize the app-id properly, and why did the session browser show the app-id as UNDECIDED?

2. What exactly does UNDECIDED mean on the session browser?

3. The UNDECIDED application traffic had so many packets (of course more than the 7 packets needed to identify the app-id) and bytes, so I think PAN should recognize this traffic as a proper app-id.

Please let me know why PAN showed UNDECIDED as the app-id on the session browser.

Thanks.

Regards.

Roh.


L6 Presenter

Undecided?

According to the admin guide an app can be "unknown" where the reason can be either "incomplete" or "insufficient-data".

Where "incomplete" means that a handshake took place but no data packets were sent prior to the timeout.

And "insufficient-data" means that a handshake took place followed by one or more data packets. However, not enough data packets were exchanged to identify the application.

To fix this you can either create a custom appid or contact PA to make it into the common appid database:

You can request app enhancement from the Apps and Threats Research Center.

http://www.paloaltonetworks.com/researchcenter/tools/

From there you can click on Submit an app and provide details there.

In your case, to answer why the PA didn't identify your traffic, you would need to provide either the forum or, better, the appid request team with a pcap.
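As an added example (not code from any poster or from Palo Alto Networks), a small Python triage script over constructed, simplified session records: it buckets sessions whose App-ID never resolved ("incomplete", "insufficient-data", or still "undecided" while ACTIVE) and separates the ones that moved a large amount of data, like the 1.3 GB session in this thread, from the genuine too-few-packets cases, since only the former are worth a pcap and an App-ID request. The record layout, field names and the byte threshold are assumptions, not the real PAN-OS log format.

```python
from typing import Dict, Iterable, List, NamedTuple

# Admin-guide reasons for an "unknown" app (quoted above), plus "undecided",
# the placeholder the session browser shows while the session is still ACTIVE.
UNRESOLVED_APPS = {"incomplete", "insufficient-data", "undecided"}
# Assumed threshold: an unresolved session moving this much data is not a
# "too few packets" case and deserves a pcap and an App-ID request.
LARGE_SESSION_BYTES = 100 * 1024 * 1024

class Session(NamedTuple):
    src: str
    dst: str
    dport: int
    app: str
    state: str
    packets: int
    nbytes: int

def parse_record(line: str) -> Session:
    """Parse one constructed comma-separated record (assumed layout, not PAN-OS's).
    Field order: src,dst,dport,app,state,packets,bytes"""
    src, dst, dport, app, state, packets, nbytes = [f.strip() for f in line.split(",")]
    return Session(src, dst, int(dport), app.lower(), state.upper(), int(packets), int(nbytes))

def classify(s: Session) -> str:
    """Triage label for one session."""
    if s.app not in UNRESOLVED_APPS:
        return "identified"
    # Handshake only, or at most the ~7 packets the original poster cites for App-ID.
    if s.app == "incomplete" or s.packets <= 7:
        return "no-data"
    return "large-unresolved" if s.nbytes >= LARGE_SESSION_BYTES else "small-unresolved"

def triage(lines: Iterable[str]) -> Dict[str, List[Session]]:
    """Bucket sessions by label; 'large-unresolved' is the bucket to investigate first."""
    buckets: Dict[str, List[Session]] = {
        "identified": [], "no-data": [], "small-unresolved": [], "large-unresolved": []}
    for line in lines:
        if line.strip():
            s = parse_record(line)
            buckets[classify(s)].append(s)
    return buckets

# Constructed sample records; the first mirrors the ~1.3 GB NFS session from the thread.
SAMPLE_LOG = """\
10.0.1.10,10.0.2.20,2049,undecided,ACTIVE,912345,1395864371
10.0.1.11,10.0.2.20,2049,nfs,ACTIVE,5021,8823011
10.0.1.12,10.0.3.5,443,incomplete,DISCARD,3,180
10.0.1.13,10.0.3.6,8443,insufficient-data,DISCARD,9,1460
"""
```

Calling `triage(SAMPLE_LOG.splitlines())` puts only the first record in the `large-unresolved` bucket, which is the one to capture and submit.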

Hello mikand,

Thanks for reply.

As you wrote, "insufficient-data" means there are not enough data packets to identify the application. I think insufficient-data, i.e. the app-id not being identified, was the undecided application on the session browser.

However, in my case the UNDECIDED traffic had so many packets and the data exceeded about 1.3GB on the session browser. Could its traffic be insufficient-data? I suspect that.

When I captured PCAPs, the traffic was recognized as the NFS protocol in Wireshark.

Thanks.

Regards.

Roh.

Have you tried putting the NFS protocol/App on your block list/filter? Then try capturing sessions to see if "undecided" still shows up.

Security Rule Behavior with Applications Allowed with Service 'Any'
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVmCAK

Why do Sessions Show Application "Undecided" When in ACTIVE State but have an App When Moved to DISCARD State?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLK0CAO

These are the ones that helped me to understand it!

Sincerely,

Paulo Vinicius de Camargo
Security Engineer
+55 11 99955-5435
paulo.camargo@somosagility.com.br
somosagility.com.br