insufficient-data/incomplete application in logs but still permitted

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

insufficient-data/incomplete application in logs but still permitted

Not applicable

I am currently only allowing ssl and web-browsing applications to a specific server. If I do a "telnet x.x.x.x 3389" it connects even though the rule should not allow this. I would think that the application filter is unable to block this due to the application coming up as insufficient-data or incomplete.

How do I block this??

1 accepted solution

Accepted Solutions

Hi Hallk,

are you using "any" in the Service field for web-browsing and ssl applications?

If so, it can be beneficial to specify specific or default ports for the applications being allowed. If the service is defined as “any” , all sessions must be allowed to start so the system can see if the correct application is running on them. If the service is anything but “any” , then many unwanted connections can be dropped immediately.If the traffic and resulting application does not match any rule, the session will be dropped.

View solution in original post

12 REPLIES 12

L4 Transporter

Hi There,

Probably once the telnet is sucessful no further commands can be initiated as the application telnet will be picked up - it is not always immediate, since you need a little info to identify the application.  It would be worth checking this doc out:

https://live.paloaltonetworks.com/docs/DOC-1628

Thanks

James

Hi James

Thanks for the reply, however we were able to run a couple of commands and get some info. The logs showed the app as either incomplete or insufficient-data during the running of these commands.

Hi Hallk,

are you using "any" in the Service field for web-browsing and ssl applications?

If so, it can be beneficial to specify specific or default ports for the applications being allowed. If the service is defined as “any” , all sessions must be allowed to start so the system can see if the correct application is running on them. If the service is anything but “any” , then many unwanted connections can be dropped immediately.If the traffic and resulting application does not match any rule, the session will be dropped.

Then I would probably need to see your complete rulebase to find the answer - can you see which rule the traffic is hitting?  Is it the one you expected?

Thanks

James

Also a concern is that you are able to run port scan and the report will tell you what ports the box is listening on.

This depends on your configuration.  Maybe you need to be in contact with your local SE to spend some time with you on these tests?

Thanks

James

It is hitting a rule allowing web-browsing and ssl aplications.

TCP 3389 is definitely not allowed on any rules.

Hi

So you are saying that I can specify applications as well as port numbers in a single rule?? I had an issue, admittedly on a differnet os version, that it would not see the service ports or the applications when using them in the same rule - Cant remember which one. I ended up creating 2 differnet rules.

Hi There,

I am not sure where you saw the problem - but you can indeed use the application and service column for "extra" security in the same rule.  This will mean the application must ONLY run over the ports you have defined in the service column, which maybe custom or the application-default setting.

Thanks

James

Thanks guys. Will do this and get the audit team to test again.

Thanks for the help. Tested and works perfectly.

Good news Smiley Happy

You may want to look into zone protection, if your trying to protect against reconaissance too.

Thanks

James

  • 1 accepted solution
  • 8685 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!