Insufficient Data


L0 Member

I am running into an issue where an internal application is not being identified and appears in the logs as "insufficient data". What can I do on the firewall to allow the application to be identified?

3 REPLIES

Community Team Member

Hi @flipjg33,

There are plenty of discussions on the topic.

Is it a known application?

You could try grabbing a PCAP and creating a custom application.

https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-insufficient-data/m-p/63535#M3...

 

KB articles on insufficient data:

Not-Applicable, Incomplete, Insufficient Data in the Application Field

Packet Capture Behavior for Unknown-TCP or Insufficient Data in Traffic Logs

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L0 Member

Check firewall rules, enable logging, and define custom app signatures.

Cyber Elite

Hello,

In my experience, it's something causing the TCP 3-way handshake to fail. The firewall needs a few packets to determine the application, so a failure of the TCP handshake is usually the cause. Check routing and ensure you have security policies to allow the traffic. The logs should tell you if/where the traffic is allowed/blocked.

 

Regards,
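The replies above suggest grabbing a PCAP and point to a failing TCP 3-way handshake as the usual cause. As an added example (not part of the thread and not Palo Alto Networks code), the script below reads `tcpdump -nn` text output of such a capture and reports, per client flow, how far the handshake got. The sample lines, addresses and verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn -r <file>` text form (not data from the thread).
SAMPLE = """\
10:15:01.000100 IP 10.1.1.20.51514 > 10.2.2.30.8443: Flags [S], seq 100, win 64240, length 0
10:15:05.000100 IP 10.1.1.21.40000 > 10.2.2.30.8443: Flags [S], seq 200, win 64240, length 0
10:15:05.000900 IP 10.2.2.30.8443 > 10.1.1.21.40000: Flags [S.], seq 900, ack 201, win 65160, length 0
10:15:05.001200 IP 10.1.1.21.40000 > 10.2.2.30.8443: Flags [.], ack 1, win 502, length 0
10:15:05.001900 IP 10.1.1.21.40000 > 10.2.2.30.8443: Flags [R.], seq 1, ack 1, win 502, length 0
10:15:07.000100 IP 10.1.1.22.40100 > 10.2.2.30.8443: Flags [S], seq 300, win 64240, length 0
10:15:07.000800 IP 10.2.2.30.8443 > 10.1.1.22.40100: Flags [S.], seq 700, ack 301, win 65160, length 0
10:15:09.000100 IP 10.1.1.23.40200 > 10.2.2.30.8443: Flags [S], seq 400, win 64240, length 0
10:15:09.000700 IP 10.2.2.30.8443 > 10.1.1.23.40200: Flags [S.], seq 500, ack 401, win 65160, length 0
10:15:09.001000 IP 10.1.1.23.40200 > 10.2.2.30.8443: Flags [.], ack 1, win 502, length 0
10:15:09.002000 IP 10.1.1.23.40200 > 10.2.2.30.8443: Flags [P.], seq 1:181, ack 1, win 502, length 180
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\].*length (\d+)")

def classify(text):
    """Map each flow's client (ip, port) to how far the TCP handshake got."""
    flows = defaultdict(lambda: {"client": None, "synack": False, "ack": False, "payload": 0})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a TCP line in the expected format
        src, dst = (m[1], int(m[2])), (m[3], int(m[4]))
        flags, st = m[5], flows[tuple(sorted([src, dst]))]
        if flags == "S":                       # bare SYN marks the initiator
            st["client"] = src
        elif flags == "S.":
            st["synack"] = True
        elif st["synack"] and src == st["client"] and "." in flags and "R" not in flags:
            st["ack"] = True                   # client ACK completes the handshake
        st["payload"] += int(m[6])
    verdicts = {}
    for st in flows.values():
        if st["client"] is None:
            continue  # capture started mid-stream; handshake not observable
        verdicts[st["client"]] = (
            "syn-unanswered" if not st["synack"] else        # check routing and policy
            "handshake-incomplete" if not st["ack"] else     # SYN-ACK seen, no client ACK
            "handshake-only-no-data" if st["payload"] == 0 else
            "data-exchanged")
    return verdicts

print(classify(SAMPLE))
```

Where the capture is taken matters: a flow that looks complete at the server but shows `handshake-incomplete` at the firewall suggests return traffic is taking a different path.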
