03-28-2023 03:40 PM
It's getting a lot of hits. I set up an Application filter for new app IDs and added them to their own Security Policy rule. Does this look correct? I'm confused as to why it's getting so many hits.
03-30-2023 08:31 AM
Any ideas as to why it would have so many hits on this rule? All the traffic hitting this rule is unable to identify the application.
03-30-2023 08:40 AM
Gonna go out on a limb and say that this is the first app-id based rule that you have in your rulebase? If that's the case, that'll match a whole lot of traffic as the firewall needs to allow enough traffic to identify the application. As soon as the application is identified, the firewall will reanalyze the rulebase and pass the traffic to the corresponding entry.
As long as this is the first app-id based rule that is in your rulebase, or is the first for at least a subset of your users, this is expected behavior.
03-30-2023 08:49 AM
All outgoing connections that don't get past the TCP 3-way handshake will match your New Apps rule.
Find an application that you permit out anyway and add a rule above it to collect all incompletes.
Example below with traceroute.
Source - inside
Destination - outside
Application - traceroute
Service - any
Action - allow
This will collect all incomplete sessions and your chosen app and keep the New Apps rule clean.
03-30-2023 08:55 AM
So this rule should be near the bottom of my policies, below my identified apps? I have my applications identified in my policies.
03-30-2023 08:57 AM
The New Apps rule should be before any other outgoing rules if you want to have correct reporting.
If you want to keep the New Apps rule log clean, you need to add an incomplete collector rule above it, according to my example from the previous post.
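
A simplified model of the rule matching described in the replies above, as an added example that is not part of the original thread and is not PAN-OS code. It counts which rule each session is logged against, with and without a collector rule on top. The "Web" rule, the rule name "Incomplete collector", the application names other than traceroute, and all session data are constructed; matching an unidentified session on zones alone is an assumption of the model.

```python
# Simplified model of the behaviour described in this thread; not PAN-OS code.
from collections import Counter

def rule(name, apps):
    # Every rule here is inside -> outside, service any, action allow.
    return {"name": name, "from": "inside", "to": "outside", "apps": apps}

# Hypothetical rules; the app sets are constructed placeholders.
NEW_APPS = rule("New Apps", {"new-app-a", "new-app-b"})  # stands in for the application filter
COLLECTOR = rule("Incomplete collector", {"traceroute"})
WEB = rule("Web", {"web-browsing", "ssl"})

def match(rulebase, session, app):
    """Return the first rule (top-down) that matches the session.

    app=None means the application was never identified, so a rule is
    matched on its zones alone (assumption of this model).
    """
    for r in rulebase:
        if (r["from"], r["to"]) != (session["from"], session["to"]):
            continue
        if app is None or app in r["apps"]:
            return r["name"]
    return "default deny"

def hit_counts(rulebase, sessions):
    """Count the rule each session ends up logged against."""
    hits = Counter()
    for s in sessions:
        # No completed handshake -> no payload -> application stays unknown.
        app = s["app"] if s["handshake_done"] else None
        hits[match(rulebase, s, app)] += 1
    return hits

# Constructed sessions: 5 never complete the handshake, 3 are ssl, 1 is a new app.
SESSIONS = (
    [{"from": "inside", "to": "outside", "app": None, "handshake_done": False}] * 5
    + [{"from": "inside", "to": "outside", "app": "ssl", "handshake_done": True}] * 3
    + [{"from": "inside", "to": "outside", "app": "new-app-a", "handshake_done": True}]
)

before = hit_counts([NEW_APPS, WEB], SESSIONS)            # New Apps rule on top
after = hit_counts([COLLECTOR, NEW_APPS, WEB], SESSIONS)  # collector above it

if __name__ == "__main__":
    print("without collector:", dict(before))
    print("with collector:   ", dict(after))
```

In this model the New Apps rule drops from 6 hits to 1 once the collector sits above it, because only the identified new-app session still reaches it.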
03-30-2023 09:07 AM
Thank you. Do I need a new app ID rule for inside to inside?