My question deals with the application detection. As far as I know the heuristic engine is the last possibility after application signature and decoders weren't successful.
But does anybody know how much traffic (bytes or packets) will/can run through a PAN before the heuristic engine gives up and the application is set to "unknown"?
Page 2 at http://media.paloaltonetworks.com/documents/App_ID_tech.pdf has a brief description of what's going on inside a PA device when a packet arrives.
I have seen numbers of 14 and up to 20 packets being mentioned before the final decision that a flow is unknown, but I don't know if these figures are true or not. However, it can go faster to decide that a session is unknown.
CS: "a b c\n\n"
SC: HTTP ERROR 400/Bad Request
= unknown (if I'm not mistaken).
In the above case only 2 packets were needed (or 1 packet in each direction if we exclude the initial handshake) before the flow isn't recognised as any known application and because of that is classified as unknown.
There are other cases as well. For example, if you start a session like DNS but in the middle start to do other things, then the DNS decoder will not recognise the traffic and because of that switches the flow out of the DNS decoder and identifies it as unknown. When the next packet arrives the PA unit can take a new decision on what kind of traffic is passing through (so in the log you can see how a single session hops between identified applications).
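As an added illustration (not code from this thread or from Palo Alto Networks), a small Python model of the per-packet decision the answer above describes: a client-side signature identifies the flow, the matching decoder must accept every later packet, a rejection drops the flow to unknown, and the next client packet is re-identified. The 20-packet budget, the client-only signature stage and the two protocol checks are assumptions of this model, not App-ID's actual behaviour.

```python
import re

# Constructed, simplified model of the per-packet decision the answer describes
# (signature -> decoder -> unknown, re-identified on the next client packet).
# Not Palo Alto's App-ID implementation: the 20-packet budget is an assumed
# value taken from the figures in the thread, and only client payloads identify.
PACKET_BUDGET = 20
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r?\n")

def looks_like_http(direction, payload):
    if direction == "CS":
        return bool(HTTP_REQUEST.match(payload))
    return payload.startswith(b"HTTP/1.")

def looks_like_dns(direction, payload):
    # 12-byte header: QR bit agrees with direction, opcode 0, Z bits zero, one question
    if len(payload) < 12:
        return False
    qr, opcode, z = payload[2] >> 7, (payload[2] >> 3) & 0xF, payload[3] & 0x70
    return qr == (direction == "SC") and opcode == 0 and z == 0 and payload[4:6] == b"\x00\x01"

# A signature match on a client payload identifies the app; the same check then
# acts as the decoder that must accept every later packet of the flow.
DECODERS = {"web-browsing": looks_like_http, "dns": looks_like_dns}

class Flow:
    def __init__(self):
        # app: None = not decided yet; seen: directions observed; log: per-packet verdicts
        self.app, self.packets, self.seen, self.log = None, 0, set(), []

    def packet(self, direction, payload):
        self.packets += 1
        self.seen.add(direction)
        prev = self.app
        if prev in DECODERS and not DECODERS[prev](direction, payload):
            self.app = "unknown"  # decoder rejects the packet: leave the decoder
        elif prev in (None, "unknown") and direction == "CS":
            # no decoder owns the flow: run the signatures on this client packet
            self.app = next((a for a, f in DECODERS.items() if f(direction, payload)), None)
        if self.app is None and (prev == "unknown" or len(self.seen) == 2
                                 or self.packets >= PACKET_BUDGET):
            self.app = "unknown"  # give up: both sides seen, or budget exhausted
        self.log.append(self.app or "undecided")
        return self.log[-1]

def classify(packets):
    # run (direction, payload) pairs through one flow; return the per-packet verdicts
    flow = Flow()
    for direction, payload in packets:
        flow.packet(direction, payload)
    return flow.log
```

Feeding it the "a b c" / 400 exchange from the reply gives undecided then unknown on the second packet; a DNS query and reply followed by HTTP requests shows the flow hop from dns to unknown and then to web-browsing as described.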