Uknown-tcp in application based policy logs !!

cancel
Showing results for 
Search instead for 
Did you mean: 

Uknown-tcp in application based policy logs !!

L3 Networker

Hi,

I'am using PAN-OS 3.0.9, and i have configured some policies in witch i allow some applications defined by application override. I noticed that in the logs associated to this policies, there are lines that are identified as "unknown-tcp" with action :"allow" and type "end", is this normal?

Normaly the firewall should not allow this connexions because they are not part of the application override, and should only allow this applications.

Any explanations please.

Regard's.

5 REPLIES 5

L4 Transporter

If there is traffic that is coming through the paloalto device that was not caught by the application override, that indicates that your application override rule does not include the criteria for for this traffic...i.e port, source/destination ip, etc.

Also if you are seeing sessions in the traffic log for unknowtcp, that same log tells you the specific rule that is allowing this traffic.

Also make sure that you do not have an allow all rule some where in your rule set that covers criteria that your application override rule does not.

thank you,

Stephen Whyte

In my case, the logs mention the same rule that allows the applications defined by application override. Normaly, the rule must allow only the ports/ip mentioned in the application override rule. And there is not other rule that allow the traffic marked as unknown-tcp.

Any other idea please?

Regards

What ports are being allowed in the service column of the security rule? Can you provide a little more detail on the override rule and security rule configuration as well as the details of the unknown traffic (particularly the destination port).

Mike

In the service column i allow "any" service, in the admin guide it is recommended to not use "use application default" for user defined applications. The destination ports marked as Unknown-tcp are various (internal developement applications) and different from those defined in the application default ports definition and those defined in the application override rule.

Regards.

The user guide is wrong. We can get that cleaned up. The application you are overriding to (custom or otherwise) should have a value specified as the default port. This is what "app-default" will use. Alternatively, you should put the specific port you want in the Service column. Otherwise, the system will allow traffic on other ports until it determines if it matches the specified app. For the override to work properly, the port in the override rule should match the port in the default port field of the app or a port explicitly configured in the service column.

Mike

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!