Application is Incomplete


Not applicable

In the monitor log, what does it mean when it shows Incomplete under the Application?

I am blocking incoming RDP and everything works fine (Action = Deny) as long as it sees it as MS-RDP or T.120 but I am seeing some traffic shown as Action = Allow on port 3389 when Application = Incomplete.

How would I block that traffic?

5 REPLIES

L4 Transporter

Hello,

Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a SYN and the Palo Alto device creates a session for that SYN, but the server never sends a SYN-ACK in response back to the client, then that session would be seen as incomplete.

Regarding your second question, you do still have the option to block the port/service completely on the PAN device.

Thank you,

Stephen
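
The reply above gives two ways a session ends up as incomplete. As an added example (not part of the original thread and not Palo Alto tooling), the Python below separates the two cases in an exported traffic log by whether any packets came back from the server. The column names and sample rows are constructed assumptions; map them to the headers of your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. The column names are assumptions for this example;
# map them to the headers of your own traffic log export.
SAMPLE_CSV = """src,dst,dport,app,action,pkts_sent,pkts_received
203.0.113.10,10.0.0.5,3389,incomplete,allow,1,0
203.0.113.10,10.0.0.5,3389,incomplete,allow,2,0
198.51.100.7,10.0.0.5,3389,incomplete,allow,3,2
198.51.100.7,10.0.0.5,3389,ms-rdp,deny,6,4
192.0.2.44,10.0.0.9,443,incomplete,allow,1,0
"""

def classify(row):
    """Label one incomplete session by whether the server side sent anything."""
    if int(row["pkts_received"]) == 0:
        return "no_reply"            # SYN went out, nothing came back
    return "replied_no_app_data"     # something came back, too little data for App-ID

def summarize_incomplete(csv_text, port):
    """Count allowed 'incomplete' sessions on `port` per (source, label)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["app"] != "incomplete" or row["action"] != "allow":
            continue
        if int(row["dport"]) != port:
            continue
        counts[(row["src"], classify(row))] += 1
    return counts

def answering_destinations(csv_text, port):
    """Destinations that sent at least one packet back on `port`."""
    return sorted({
        row["dst"]
        for row in csv.DictReader(io.StringIO(csv_text))
        if row["app"] == "incomplete" and int(row["dport"]) == port
        and int(row["pkts_received"]) > 0
    })

if __name__ == "__main__":
    for (src, label), n in sorted(summarize_incomplete(SAMPLE_CSV, 3389).items()):
        print(f"{src:15} {label:20} {n}")
    print("answered on 3389:", answering_destinations(SAMPLE_CSV, 3389))
```

Sources that only ever produce `no_reply` rows never got an answer from the server, while `replied_no_app_data` rows show which internal hosts are responding on the port.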

You state that I do still have the option to block the port/service completely on the PAN device; question is, how? I can't block it based on application, so do I have to add a new service with the port 3389 and then use that to specify the block?

In order to block all packets (even before App-ID is done), you would put the desired ports into a service and add that to a deny rule. However, if you are trying to allow RDP on 3389, then this will not work. The incomplete sessions are showing you that an initial connection came up but stopped during or immediately after the TCP handshake. You can't block the TCP handshake and also allow an app on the same port.

Mike

So how do you fix the handshake issue with TCP dropping on RDP session?

L1 Bithead

I'm having a similar issue. Some of our camera monitoring system traffic is showing as incomplete, the rest is showing as a threat from abnormal extra data and is being blocked. As soon as we block the port we lose our cameras, but if we leave them up we constantly get incompletes in the monitor and 43,000+ daily hits as a threat.
