How to identify app data vs differen in traffic recieved on app data


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L4 Transporter

How to identify app data vs differen in traffic recieved on app data

Hi Guys,


Lets say I have application SAP that allows port 8443 but looks like APP-ID is not getting matched and we are getting insufficent data followed by deny rule , question is how can we look for difference between expected application data and difference we are seeing.


Just to approve application owners this is pattern we are looking for but we are getting following difference.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted
L7 Applicator

if the application is a well known application but is not matching app-id, there are usuually 2 possibilities:


- the developer took some 'liberties' with the implementation and now the app is not behaving like it would normally do, causing app-ID to treat this as anomalous (and a threat as it may be an evasion technique) and drop the session

- the app was updated and app-id signature has not been updated to match new bahavior, this would need to go through TAC to have the app updated


in both cases you'll want to packetcapture and see what the traffic looks like

on the firewall you can capture 'drop' stage so you;ll also be able to see at which point the firewall decides the session is no longer ok to keep processing

Tom Piens -
Like my answer? check out my book!
Cyber Elite

Thanks Reaper for answering the question.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!