iperf is always matched as unknown-udp/tcp

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

iperf is always matched as unknown-udp/tcp

L2 Linker

Is there any reason why iperf traffic in either TCP or UDP is recognised as unknown-udp/tcp by the PAFW?

 

there is an app-id called 'iperf' but it never matches.

16 REPLIES 16

L4 Transporter

I just tried it using the iperf3 64 bit windows binaries from https://iperf.fr/iperf-download.php and it matches on 8.0.1

Capture.JPG

 

 can you offer more specifics on what you're using?

 

 

--
CCNA Security, PCNSE7

jperf  2.0.2

PAN-OS 7.1.7

 

testing with iperf now, however it shouldnt be any different as jperf is just a Java frontend.

Can you please post the detailed traffic logs.

same result for me using jperf2.0.2 from the Google Code archive. your app/threat content is current? you are using the default port of 5001?

 

Capture.JPG

 

 

 

 

--
CCNA Security, PCNSE7

Untitled.png

Some users did report weird stuff with app-id before so wondering if you can create a separate policy to allow iperf only as an application and test again.

I thought the same as well, and ran that test with rule #1 being an iperf app-id rule

Getting interesting isn't it :0 Reinstall app-id database possible in your environment? I guess this is the only one app at the moment that is not identified correctly?

yea i can reinstall, its also the 2nd firewall in a completely different environment that ive seen this on.

 

yes, only iperf for now

Now your issue is my issue:0

 

iperf.PNG

 

iperf3.PNG

just checking one more thing, however looks like apps and threats version 689-3957 has the fix, perviosly i was using the version released on the 30/3.

 

I did an upgrade in there somewhere too, so just waiting to test downgrade...

 

 

hmm... better behaviour, but still weird.

 

default port 5001 works fine, however, 5201 and non-default ports get mapped to unknown-tcp

did an upgrade to 8.0 for S&G and still no luck.

 

it seems that if i enable log on start i *might* get a match on iperf on port 5001, but then after disabling it works for a little while then stops.

This doesnt work for other ports.

Ok, I have more interesting information that I would like to see if others can replicate.

 

when performing iperf test using iperf 3.1.3 from iperf.fr, every test that is greater than 9 and less than 100 sec is identified correctly. Anything elese is unknown.

 

iperf.exe -c {host} -t 9 --> NOT working

iperf.exe -c {host} -t 10 --> working

iperf.exe -c {host} -t 99 --> working

iperf.exe -c {host} -t 100 --> NOT working

 

its as if the encoder is expecting the -t switch to be 2 digits.

 

jperf still doesnt work on 5201....

  • 8143 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!