11-24-2015 03:32 PM
This article gives the full definitions for incomplete status. Basically, there is either not a full tcp handshake or not enough data to identify the flow.
11-25-2015 12:56 AM
disabled rules are not active in the system, this can be seen through the following command:
> show running security-policy
If the disabled rule is at the bottom of the policy it could be that the incomplete session "hits" these for logging purposes
What happens is that the system accepts a syn packet and starts building up a session once the syn packet is allowed to pass throught
If then the session is disrupted, the process of properly building the session and matching an appropriate App-ID and security policy fails and the session is discarded. The system then will still create a log entry and will need to have a 'rule' but since the session was disrupted before a security policy was properly matched, it will not have a proper security policy to add to the log. it can either use a security policy that was matched for the initial handshake, or if it matched an implied rule, one of the last rules in the policy.
tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
