Application is Incomplete

cancel
Showing results for 
Search instead for 
Did you mean: 

Application is Incomplete

Not applicable

In the monitor log, what does it mean when it shows Incomplete under the Application?

I am blocking incoming RDP and everything works fine (Action = Deny) as long as it sees it as MS-RDP or T.120 but I am seeing some traffic shown as Action = Allow on port 3389 when Application = Incomplete.

How would I block take traffic?

5 REPLIES 5

L4 Transporter

Hello,

incomplete means that either the three way tcp handshake did not complete or the three way tcp handshake did complete but there was not enough data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the paloalto device creates a session for that syn, but the server never sends a syn ack in response back to the client, then that session would be seen as incomplete.

Regarding your second question, you do still have the option to block the port/service completely on the pan device.

thank you,

Stephen

You state that I do still have the option to block the port/service completely on the pan  device, question is how? I can't block it based in application so do I have to add a new service with the port 3389 and then use that to specify the block?

In order to block all packets (even before App-ID is done), you would put the desired ports into a service and add that to a deny rule. However, if you are trying to allow RDP on 3389, then this will not work. The incomplete sessions are showing you that an initial connection came up but stopped during or immediately after the TCP handshake. You can't block the TCP handshake and also allow an app on the same port.

Mike

So how do you fix the handshake issue with TCP droping on RDP session?

L1 Bithead

I'm having a similar issue. Some of our camera monitoring system traffic is showing as incomplete, the rest is showing as a threat from abnormal extra data and is being blocked. As soon as we block the port we lose our cameras, but if we leave them up we constantly get incompletes in the monitor and 43,000+ daily hits as a threat.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!