I have a PA 2050 device that is configured to allow specified traffic (multiple rules) and one rule that denies all other traffic (at the bottom).
When looking at the "Deny all" rule, I can see a lot of packets that should be allowed by specific rules above that are denied with no data (see screenshot below). Is it normal? And what does it mean that some packets have no bytes received and no bytes sent?
Yes, that is normal behavior. Your PA2050 will drop all packets that do not meet your explicitly allowed rules. Those packets may be the 1st SYN packet of a TCP handshake where the byte count is recorded as zero.
An explanation can be found here:
Hi Laurent... My previous post was to answer the app=not-applicable where the bytes=zero. Unknown-tcp means the TCP traffic does not match any of our AppID signatures so the application is unknown.
The traffic must have matched the TCP/UDP ports for your explicit rules but it does not match the applications that you specifically defined in those rules. However, the PA device does not have an app signature for the traffic and classified it as unknown-tcp.
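To make the two answers above practical for triaging a traffic log, here is an added example (not Palo Alto's own code or tooling, and not part of this thread) that sorts hits on the bottom deny rule into the categories the replies describe: app=not-applicable with zero bytes (a first SYN dropped before any payload was counted), app=unknown-tcp (ports matched an allow rule above, but AppID could not identify the application), and anything else, which is worth a look at rule ordering. The log layout used here (rule, app, action, bytes sent, bytes received, comma-separated) is a constructed simplification, not the real PAN-OS CSV field order, and the rule name "Deny all" is assumed from the question.

```python
"""Triage hits on a bottom 'deny all' rule from constructed traffic log records.

Added example; the record layout is a constructed simplification and the
rule name is assumed from the thread, not taken from a real PAN-OS export.
"""
from collections import Counter
from typing import Counter as CounterType, Dict, Union

# Constructed sample log lines (not real device output):
# rule, application, action, bytes_sent, bytes_received
SAMPLE_LOG = """\
Deny all,not-applicable,deny,0,0
Deny all,not-applicable,deny,0,0
Deny all,unknown-tcp,deny,312,0
Allow web,web-browsing,allow,1842,20911
Deny all,ssh,deny,0,0
"""

# Assumed name of the catch-all rule at the bottom of the rulebase.
DENY_RULE = "Deny all"


def parse_line(line: str) -> Dict[str, Union[str, int]]:
    """Split one constructed log line into a record with typed byte counts."""
    rule, app, action, sent, recv = line.strip().split(",")
    return {
        "rule": rule,
        "app": app,
        "action": action,
        "bytes_sent": int(sent),
        "bytes_received": int(recv),
    }


def classify(rec: Dict[str, Union[str, int]]) -> str:
    """Label a record according to why it landed on the deny-all rule."""
    if rec["rule"] != DENY_RULE:
        return "other-rule"
    if (rec["app"] == "not-applicable"
            and rec["bytes_sent"] == 0 and rec["bytes_received"] == 0):
        # First SYN of a handshake dropped by the catch-all: nothing was
        # ever exchanged, so both byte counters stay at zero. Expected.
        return "syn-dropped"
    if rec["app"] == "unknown-tcp":
        # Ports matched an allow rule above, but no AppID signature matched,
        # so the explicit rule's application list did not apply.
        return "unknown-app"
    # A recognised application still reaching deny-all: check rule ordering
    # and whether the allow rule's ports/apps really cover this traffic.
    return "review"


def triage(log_text: str) -> CounterType[str]:
    """Count deny-all hits per category over a block of constructed log lines."""
    return Counter(
        classify(parse_line(line))
        for line in log_text.splitlines()
        if line.strip()
    )


if __name__ == "__main__":
    for label, count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{label:12s} {count}")
```

Run against a real export, only the `parse_line` function would need to be adapted to the device's actual field order; the classification logic is the part that mirrors the explanation in the thread.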