Problem with incomplete application

L3 Networker

Hi all,

I have the same problem with incomplete application.

!Public zone! <====> PAN Firewall <====> INSIDE Firewall <-----> Server IP.

I have NATed the Server IP to a public IP, and configured a rule like the one below.

Name: (Ping) ; Src zone: (public); Src: (any); Dst zone: (any) ; Dst (any); Application: (icmp, ping) ; Action: (ALLOW);

I monitored traffic on the PAN Firewall and I saw the traffic: Application is INCOMPLETE and action is ALLOW, corresponding to the above "Ping" rule, and on my INSIDE Firewall I also saw the traffic with the same public IP address going to my server.

I really don't know why this traffic passes into my INSIDE Firewall.

Please help me to deny all incomplete traffic.

Thanks so much.

L7 Applicator

Did you permit ping on "any" service/port?  You should never use "any" for service/port on incoming rules.  You should only use "application-default" or a specified port.

L7 Applicator

Hello,

It looks like a routing issue to me. Let me know if I understand it correctly.

NAT Policy:

Source-zone = Public Zone
Destination-zone = Public Zone
Destination IP address: Public IP address
NAT destination translation = Private address of the Server

Security Policy:

Source-zone = Public Zone
Destination-zone = Inside Zone (LAN)

Routing:

a) Default gateway on PAN FW pointing towards Public zone ISP router.
b) Server's Private IP address >>> pointing towards next hop to INSIDE FW

Thanks

L7 Applicator

Hello Jared,

I think any session-based firewall will match the ICMP session based on the ICMP Identifier and the ICMP Sequence to create the sessions. Hence, ideally there will be no default port for the ICMP protocol; ultimately it will be "ANY".

Thanks

L3 Networker

Thanks Hulk, I wonder how I can block all incomplete applications.

Hi Jared,

I don't know where to configure application-default, please share your idea in this case.

Thanks so much.

L7 Applicator

Please post a screenshot of the security policy that permits ping.

L4 Transporter

Hi all,

For me it looks like a routing issue, or something preventing the return of the ping echo.

If you want to deny incomplete flows, you need to let the first ICMP packet pass in your case and wait for a response that crosses the firewall again to be identified as the ping application; however, if the response is not seen, then the flow will be categorized as incomplete.

In fact you cannot block incomplete flows in your case unless you deny the ping application or resolve your routing issue.
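The two checks raised in this thread (an inbound rule with service "any", and a rule whose sessions are logged as "incomplete" because the reply never comes back through the firewall) can be run over exported traffic logs. The following is an added example, not code from the original posts or from Palo Alto Networks; the log layout and rule definitions are constructed and simplified, not the real PAN-OS CSV column order.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample traffic log in a simplified, labelled layout
# (NOT the real PAN-OS CSV column order): rule, zones, app, action.
SAMPLE_LOG = """rule,from_zone,to_zone,app,action
Ping,public,inside,incomplete,allow
Ping,public,inside,incomplete,allow
Ping,public,inside,ping,allow
Ping,public,inside,incomplete,allow
Web,public,inside,web-browsing,allow
Web,public,inside,web-browsing,allow
Web,public,inside,incomplete,allow
"""

# Constructed rule definitions mirroring the thread's "Ping" rule (service any).
SAMPLE_RULES = [
    {"name": "Ping", "from_zone": "public", "service": "any"},
    {"name": "Web", "from_zone": "public", "service": "application-default"},
]

def incomplete_ratio(log_text):
    """Per rule: (incomplete sessions, total sessions, ratio).
    An 'incomplete' session with action allow is not a policy hole by itself:
    the first packet is passed so the app can be identified, and the session
    is logged as incomplete when no reply ever crosses the firewall again."""
    counts = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(StringIO(log_text)):
        counts[row["rule"]][1] += 1
        if row["app"] == "incomplete":
            counts[row["rule"]][0] += 1
    return {r: (inc, tot, inc / tot) for r, (inc, tot) in counts.items()}

def findings(log_text, rules, untrusted_zone="public", threshold=0.5):
    """Flag inbound rules that use service 'any', and rules whose sessions are
    mostly never answered (a return-path / routing problem, as the thread says)."""
    out = []
    for rule in rules:
        if rule["from_zone"] == untrusted_zone and rule["service"] == "any":
            out.append((rule["name"], "inbound rule uses service any; "
                        "use application-default or a specific port"))
    for name, (inc, tot, ratio) in incomplete_ratio(log_text).items():
        if ratio >= threshold:
            out.append((name, f"{inc}/{tot} sessions incomplete: replies "
                        "never seen, check the return route"))
    return out

if __name__ == "__main__":
    for name, msg in findings(SAMPLE_LOG, SAMPLE_RULES):
        print(f"{name}: {msg}")
```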
