How to identify app data vs differen in traffic recieved on app data

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to identify app data vs differen in traffic recieved on app data

L4 Transporter

Hi Guys,

 

Lets say I have application SAP that allows port 8443 but looks like APP-ID is not getting matched and we are getting insufficent data followed by deny rule , question is how can we look for difference between expected application data and difference we are seeing.

 

Just to approve application owners this is pattern we are looking for but we are getting following difference.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |
2 REPLIES 2

Cyber Elite
Cyber Elite

if the application is a well known application but is not matching app-id, there are usuually 2 possibilities:

 

- the developer took some 'liberties' with the implementation and now the app is not behaving like it would normally do, causing app-ID to treat this as anomalous (and a threat as it may be an evasion technique) and drop the session

- the app was updated and app-id signature has not been updated to match new bahavior, this would need to go through TAC to have the app updated

 

in both cases you'll want to packetcapture and see what the traffic looks like

on the firewall you can capture 'drop' stage so you;ll also be able to see at which point the firewall decides the session is no longer ok to keep processing

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks Reaper for answering the question.

MP

Help the community: Like helpful comments and mark solutions.
  • 3135 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!