Let's say I have an application, SAP, that is allowed on port 8443, but it looks like the APP-ID is not getting matched and we are getting insufficient-data followed by the deny rule. The question is: how can we look for the difference between the expected application data and the difference we are seeing?
Just to approve application owners, this is the pattern we are looking for, but we are getting the following difference.
If the application is a well-known application but is not matching App-ID, there are usually 2 possibilities:
- the developer took some 'liberties' with the implementation and now the app is not behaving like it would normally do, causing App-ID to treat this as anomalous (and a threat, as it may be an evasion technique) and drop the session
- the app was updated and the App-ID signature has not been updated to match the new behavior; this would need to go through TAC to have the app updated
In both cases you'll want to packet capture and see what the traffic looks like.
On the firewall you can capture the 'drop' stage, so you'll also be able to see at which point the firewall decides the session is no longer OK to keep processing.
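As an added illustration (not part of the original reply), this is the PAN-OS CLI sequence for the capture described above, filtered on the SAP port from the question. The file names, the port and the `#` annotation lines are assumptions for this example; the annotations are not typed into the firewall.

```console
# Start from a clean packet-diag state
debug dataplane packet-diag clear all

# Only capture traffic to the SAP port; add a source/destination address match if the firewall is busy
debug dataplane packet-diag set filter match destination-port 8443
debug dataplane packet-diag set filter on

# 'receive' shows what the client actually sent; 'drop' shows the packet on which the firewall gave up
debug dataplane packet-diag set capture stage receive file sap-rx.pcap
debug dataplane packet-diag set capture stage drop file sap-drop.pcap
debug dataplane packet-diag set capture on

# The filter marks sessions at setup, so open a fresh SAP connection now, reproduce the failure, then stop
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off

# Global drop counters for the filtered traffic name the reason the session was discarded
show counter global filter packet-filter yes delta yes severity drop

# Confirm the sessions really ended as insufficient-data rather than a different app
show session all filter application insufficient-data destination-port 8443

# Inspect the captures on the box, or export them with scp/tftp and open them in Wireshark
view-pcap filter-pcap sap-drop.pcap
view-pcap filter-pcap sap-rx.pcap
```

Compare the first few data packets in sap-rx.pcap against what the SAP protocol normally sends; if the client never sends enough payload (or sends it in an unexpected shape) before the drop point, that is the evidence to bring to the application owners or to TAC.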