Application: Incomplete


L2 Linker

Hi,

Does anyone have a suggestion on how to create a rule to catch Application incomplete? Right now that traffic hits the first policy that allows traffic on that service (port), and it clogs the logs when looking at that rule and what has passed through it. My idea is to create a policy for an application that doesn't exist and add port 80 and 443 as allowed services. Has anyone done this or have another suggestion?

Thanks,

Mikael

Accepted Solutions

In the old days Palo's traceroute application had port 80 as its standard port, so I had a top rule to permit outgoing traceroute and it collected all incompletes under it.

Now you probably should create some custom application on port 80 and allow this with a top rule.

If this custom application has no signature and Palo identifies a more specific one it has built in (like web-browsing), then your custom app will be overridden by the built-in signature.

But this first custom rule would catch incompletes.

Edit: Better yet, add some random signature to your custom rule so that it would never match. If you don't add one, then unknown-tcp might get through.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

You can't block incomplete because TCP has a 3-way handshake at the beginning, and if this does not complete or there is no traffic after the 3-way handshake, then Palo logs this traffic as incomplete.

For example, when you try to access an external FTP server that is down at the moment, your computer sends out a SYN packet.

Nothing comes back.

In the log you see 1 packet sent, 0 packets received.

And the application is incomplete.

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

You could run a report on the machines that generate the most incomplete sessions and might want to check why. Maybe they are infected with malware and are trying to call home and find C&C servers.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi,

I think you misunderstood what I'm looking to do. I don't want to block incomplete, I just want to get rid of all the clutter it generates when monitoring a policy. And that can be achieved with what I suggested in the first place. But even better would be having a checkbox in the log views to view/hide incomplete apps. The same can, of course, be achieved by filtering, but I'd rather not have to add that to every filter I create.

//mikael


I created a custom app with no signature and added port 80 & 443 to a policy with the custom app. And yes, that worked fine. I think they should add a layered approach to filtering where you can set exclusions for incomplete apps (or whatever you'd like) at the top. Thanks for your input.

//Mikael

Be aware that you now allow every application that Palo does not recognize on those ports.

So if you have a strict list of apps you permit, or you block unknown-tcp, then you should add a random signature to the custom app.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

You can filter incomplete out today as well.

(rule eq 'Allow all') and (app neq incomplete)

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
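The filter above, and the earlier suggestion to report on which hosts generate the most incomplete sessions, can both be reproduced offline against an exported traffic log. The following is an added example written for this thread, not code from the original posts or from Palo Alto Networks: it parses a constructed CSV sample shaped like a PAN-OS traffic-log export (the column names and every address, rule name and timestamp are made up for the illustration), applies the equivalent of `(rule eq 'Allow all') and (app neq incomplete)`, and ranks the source hosts that produce the most `incomplete` sessions, the half-open connections where the log shows packets sent but none received.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the shape of a PAN-OS traffic-log CSV export (not real data).
# Rows 2, 3 and 6 are half-open connections: one SYN sent, nothing received, so
# App-ID never saw enough traffic to identify the application and logs "incomplete".
SAMPLE_LOG = """receive_time,src,dst,dport,rule,app,pkts_sent,pkts_received,session_end_reason
2023/01/10 09:00:01,10.1.1.20,203.0.113.10,443,Allow all,web-browsing,12,15,tcp-fin
2023/01/10 09:00:02,10.1.1.30,203.0.113.21,21,Allow all,incomplete,1,0,aged-out
2023/01/10 09:00:03,10.1.1.30,203.0.113.22,80,Allow all,incomplete,1,0,aged-out
2023/01/10 09:00:04,10.1.1.40,203.0.113.23,80,Allow all,unknown-tcp,4,4,tcp-rst-from-server
2023/01/10 09:00:05,10.1.1.20,203.0.113.24,443,Block unknown,unknown-tcp,3,0,policy-deny
2023/01/10 09:00:06,10.1.1.30,203.0.113.25,443,Allow all,incomplete,1,0,aged-out
"""


def parse_log(text):
    """Parse a CSV traffic-log export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def is_incomplete(entry):
    """True for sessions App-ID labelled "incomplete" (handshake never finished, or
    no payload followed it)."""
    return entry["app"] == "incomplete"


def query(entries, rule, exclude_incomplete=True):
    """Offline equivalent of the log filter (rule eq '<rule>') and (app neq incomplete).

    Pass exclude_incomplete=False to see what the rule view looks like without the
    second clause, i.e. with all the half-open sessions mixed in."""
    matched = [e for e in entries if e["rule"] == rule]
    if exclude_incomplete:
        matched = [e for e in matched if not is_incomplete(e)]
    return matched


def top_incomplete_sources(entries, n=3):
    """Rank source hosts by number of incomplete sessions. A host that tops this
    list across many distinct destinations is worth a closer look: it may simply
    be probing a dead server, or it may be malware trying to reach a C&C host."""
    counts = Counter(e["src"] for e in entries if is_incomplete(e))
    return counts.most_common(n)


def incomplete_destinations(entries, src):
    """Distinct destinations a given host failed to complete a handshake with."""
    return sorted({e["dst"] for e in entries if is_incomplete(e) and e["src"] == src})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("Allow all without incomplete:")
    for e in query(log, "Allow all"):
        print(f"  {e['src']} -> {e['dst']}:{e['dport']} {e['app']}")
    print("Top sources of incomplete sessions:", top_incomplete_sources(log))
    for src, _ in top_incomplete_sources(log):
        print(f"  {src} failed to reach: {incomplete_destinations(log, src)}")
```

Running it on the sample leaves two sessions in the "Allow all" view (the web-browsing one and the unknown-tcp one on port 80) and reports 10.1.1.30 as the host with three incomplete sessions to three different destinations. On a real export, the same `query` call is how you would confirm that a filter-based approach gives you the same view the thread asks for, without needing the custom-app rule and its unknown-tcp side effect.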

I actually had a case with Palo on this and they didn't think it would allow unknown-tcp, but the support engineer said he'd need to verify with a senior technician, which I've yet to hear anything from. And I actually don't have that policy enabled right now. I'll just manually filter to get rid of what I don't need to see.

I will add layered filtering as a feature request.
