We have a PA-3020 running 6.0.3. Basically we have iSCSI replication set up between two sites. When I pull up the traffic in the Monitor tab I see the picture below. Even though iSCSI traffic is defined in the Applications section I tried creating another app to identify it but still see the "unknown-tcp" traffic show up. Is there something I am missing or is it not possible to change what it pulls up in Monitor?
As J.liu said, you need to configure a custom application signature to identify traffic on port 3260. Secondly, need a security policy in place from specific zones to allow that traffic.
Hope this helps.
For iSCSI, I would be using an application override, essentially fast-pathing it which is what you would want to do with low-latency traffic.
The CNSE Study Guide page 34 gives the config steps.
As per my understanding, the default application iSCSI is using TCP 3260. Then, why you want to use a custom app for this..? Better, you should use the previously mentioned DOC to get the exact reason.
Honestly I don't know why it is not identifying the traffic as iSCSI. It might be something proprietary with the vendor that is preventing the Palo from recognizing it even though it is coming across on 3260. I just want to be able to see in the reports that it is iSCSI. I will most likely end up programming both solutions.
Thanks for the answers, guys. I'll give it a try today.
According to the screenshot you have attached here, it looks like the amount of data transferred between the Server and client is very low ( few KB). PAN firewall need at least 2000 Bytes of application data or minimum 4 packets to identify an application signature correctly. So, could you please check how many packets has been exchanged through those sessions.
Insufficient data in the application field
Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.
I think there is something proprietary going on. I created a custom app signature with tcp/3260, created an allow rule and the traffic stopped transmitting altogether but I wasn't getting any deny entries. I'm just guessing but maybe when it isn't let through as is the Palo possibly strips out whatever proprietary info the data has and makes it unreadable to the iSCSI equipment on the other side. I haven't tried the application override rule yet though.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!