Problem with incomplete application


L3 Networker

Hi all,

I have the same problem with incomplete application.

!Public zone! <====> PAN Firewall <====> INSIDE Firewall <-----> Server IP.

I have NATed the server IP to a public IP, and configured a rule like the one below.

Name: (Ping); Src zone: (public); Src: (any); Dst zone: (any); Dst: (any); Application: (icmp, ping); Action: (ALLOW);

When I monitor traffic on the PAN firewall, I see traffic where the application is INCOMPLETE and the action is ALLOW, matching the "Ping" rule above. On my INSIDE firewall, I also see traffic from the same public IP address to my server.

I really don't know why this traffic passes through to my INSIDE firewall.

Please help me deny all incomplete traffic.

Thanks so much.

6 REPLIES

L7 Applicator

Did you permit ping on "any" service/port? You should never use "any" for service/port on incoming rules. You should only use "application-default" or a specified port.

L7 Applicator

Hello,

It looks like a routing issue to me. Let me know if I understand it correctly.

NAT Policy:

- Source zone = Public zone
- Destination zone = Public zone
- Destination IP address = Public IP address
- NAT destination translation = Private address of the server

Security Policy:

- Source zone = Public zone
- Destination zone = Inside zone (LAN)

Routing:

a) Default gateway on the PAN FW pointing towards the public zone ISP router.

b) Server's private IP address >>> pointing towards the next hop, the INSIDE FW.


Thanks

Hello Jared,

I think any session based firewall will match the ICMP session based on ICMP Identifier, and the ICMP Sequence, to create the sessions. Hence, ideally there will be no default port for ICMP protocol, ultimately it will be "ANY".

Thanks

Thanks Hulk. I wonder how I can block all of the incomplete application traffic.

Hi Jared,

I don't know where to configure application-default; please share your ideas for this case.

Thanks so much.

Please post a screenshot of the security policy that permits ping.

Hi all

For me it looks like a routing issue, or something preventing the return of the ping echo.

If you want to deny incomplete flows, you need to let the first packet (ICMP in your case) pass and wait for a response that crosses the firewall again, so the flow can be identified as the ping application. However, if the response is never seen, then the flow will be categorized as incomplete.

In fact, you cannot block incomplete flows in your case unless you deny the ping application, or you resolve your routing issue.
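To make the behaviour described in this thread concrete, here is an added example (not code from the original posts or from Palo Alto Networks) that models a simplified stateful session table: ICMP sessions are keyed on the endpoints plus the ICMP identifier, the first allowed packet leaves the session as "incomplete", and only a matching echo reply crossing back through the firewall upgrades it to "ping". The IP addresses, identifiers and packet list are constructed sample data.

```python
# Constructed sample traffic. Each packet is (src, dst, icmp_type, icmp_id, seq);
# icmp_type 8 = echo request, 0 = echo reply. None of these are real captures.
REQ, REPLY = 8, 0
TRAFFIC = [
    ("198.51.100.9", "203.0.113.5", REQ, 0x1A2B, 1),    # ping from the public zone to the NATed public IP
    ("203.0.113.5", "198.51.100.9", REPLY, 0x1A2B, 1),  # server's reply crosses the firewall on the way back
    ("198.51.100.9", "203.0.113.5", REQ, 0x1A2B, 2),
    ("198.51.100.9", "203.0.113.5", REQ, 0x7777, 1),    # second pinger; its reply never returns (routing issue)
    ("203.0.113.5", "198.51.100.9", REPLY, 0x9999, 1),  # reply for an identifier no request was seen for
]


def session_key(src, dst, icmp_type, icmp_id, seq):
    """ICMP has no ports, so the session is keyed on endpoints plus the ICMP identifier.
    A reply is attributed to the session of its request by swapping the endpoints."""
    if icmp_type == REPLY:
        return (dst, src, icmp_id)
    return (src, dst, icmp_id)


def classify_sessions(packets):
    """Return {session_key: state}. A session starts as 'incomplete' when its first
    packet is allowed; it is only identified as 'ping' once an echo reply that answers
    an earlier echo request is seen in the opposite direction."""
    sessions = {}
    for pkt in packets:
        key = session_key(*pkt)
        state = sessions.setdefault(key, {"requests": 0, "replies": 0, "app": "incomplete"})
        if pkt[2] == REQ:
            state["requests"] += 1
        elif pkt[2] == REPLY:
            state["replies"] += 1
            if state["requests"]:  # the reply answers a request this session already allowed
                state["app"] = "ping"
    return sessions


def incomplete_sessions(packets):
    """Sessions that never saw both directions: what the traffic log shows as INCOMPLETE."""
    return sorted(k for k, s in classify_sessions(packets).items() if s["app"] == "incomplete")


if __name__ == "__main__":
    for key, state in classify_sessions(TRAFFIC).items():
        print(key, state["app"])
```

Running it shows the first session identified as ping while the one whose reply never came back stays incomplete, which is why the initial packet is still allowed by the ping rule and reaches the inside firewall.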
