Traffic with no data (???) is denied

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Traffic with no data (???) is denied

L3 Networker

Hello,

I have a PA 2050 device that is configured to allow specified traffic (multiple rules) and one rule that deny all other traffic (at the bottom).

When looking at the "Deny all" rule, I can see a lot of packets that should be allowed by specific rules above that are denied with no data (see screenshot bellow). Is it normal ? And what does it mean that some packets have no bytes received and no bytes sent ?

Regards,

Laurent

3 REPLIES 3

L6 Presenter

Yes, that is normal behavior.  Your PA2050 will drop all packets that do not meet your explicitly allowed rules.  Those packets may be the 1st SYN packet of a TCP handshake where the byte count is recorded as zero.

An explanation can be found here:

https://live.paloaltonetworks.com/docs/DOC-1549

Thanks.

Hi,

Thanks for your answer, however if you look at the "application" collumn, you can see that this is not one of the three definition tht you provided me, but "unknown-tcp".

Furthermore, as I said in my first post above, there are explicit specific rules for this traffic.

Regards,

Laurent

Hi Laurent...My previous post was to answer the app=not-applicable where  the bytes=zero.  Unknown-tcp means the TCP traffic does not match any of our AppID signatures so the application is unknown. 

Tthe traffic must have matched the  TCP/UDP ports for your explicit rules but it does not match the  applications that you specifically defined in those rules.  However, the PA device does not have an app signature for the traffic and classified it as unknown-tcp.

Thanks.

  • 3207 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!