09-22-2019 08:42 AM
I have seen this so many times and I am wondering who you deal with it efficiently when making a rule.
I see a standard port of like 443 or 8080 but with a rule that has application defined as SSL or web-browsing it doesn't hit the rule due to the application not matching. I have also see port 8080 show as application ssl.
So what are the best practices for making these rules for applications incomplete or non applicable?
09-22-2019 06:57 PM - edited 09-23-2019 07:36 AM
Usually, when you see "not-applicable" in the application field in traffic logs it means that the firewall is actually denying traffic based on legacy attributes like source and destination IPs and ports and not the next-generation attributes like the application. This is totally normal, because remember rules are applied from left to right, so the firewall first matches the legacy attributes in order to try to filter as much traffic as it can using the least resources possible. If traffic matches source and destination IPs and ports (and zones), then the firewall starts matching the application and other harder-to-identify elements like the URL category.
All of this is normal and it's done so the firewall doesn't waste resources trying to identify the application for a session that is going to be discarded (denied/dropped) anyways because it didn't pass the basic filtering (based on IPs and ports). So, unless you're having problems with legitimate traffic being dropped or denied way too early during processing and you're seeing "not-applicable" as a result of this, there nothing you should do, as your firewall is working as it should.
Useful docs on this:
Not-applicable in Traffic Logs
Not-Applicable, Incomplete, Insufficient Data in the Application Field
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!