Undetected APP dependency?

L2 Linker

Hi. So we ran into an issue and we're not sure if there's a missing app dependency in the Palo Alto db or if we're missing something.


What happened was, we migrated one policy from port-based to app-based. On the Apps Seen tab it only had one detected app (let's call it app1), with no new apps seen for a long time. This rule is being hit regularly by traffic, but when we migrated to app-based using the Match Usage option, we found denied traffic from another app (let's call it app2) that was never seen and that seems to be needed. When we added it to the rule, the program worked. But even after that, we still can't see app2 present in the traffic.

So we enabled logging at session start, and what we can see is that the session starts with both apps detected at the beginning of the session and then ends (quite some time later) only with app1.

So what we want to know is if there's any chance that Palo Alto is tagging the traffic with both apps at the beginning of the session, and then mid-session the traffic tag/identification is changed to app1, and it ends up being catalogued as that. It's like the app2 traffic is so short it is never seen in the session and app1 overrides it somehow. Shouldn't this be reported as an undetected app dependency?


We would appreciate some insight, although I realise I have made a mess trying to explain it. Sorry and thanks!

Accepted Solutions

Cyber Elite

@B.Porcelli,

Not sure why you're not stating the actual app-ids causing you issues, but yes, this is something that can happen. Sometimes it's simply that the firewall does not follow the "implicitly uses" aspect of the signature, and other times it just improperly identifies the application early on in the session and then transitions to the proper signature as it processes more traffic. As an example, you'll see this with ms-rdp and cotp/t.120 pretty often.


I've never really gotten a satisfactory answer as to why this happens honestly. It's a simple enough thing to address from a policy aspect and once something is functional it's often difficult to get TAC to answer the why behind something and you're stuck looking for the answer yourself. 

Since you aren't actually naming the app-ids that you're seeing and running into an issue with, I'm not sure if you're noticing an "implicitly uses" issue as noted above or something else. Since it's unlikely that you're talking about custom signatures (and even then it's just an application name) it could be helpful if you included the signatures that you're running into an issue with. 
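As an added illustration that is not part of this thread, the following Python helper groups traffic-log records by session ID and flags sessions whose end-of-session application omits an app that was logged at session start, which is the pattern described above. The record layout and all values are constructed for the example and are a simplification of a real PAN-OS traffic-log export.

```python
"""Flag App-ID shifts between a session's start and end log entries."""
from collections import defaultdict

# Constructed sample records (not real PAN-OS output). Each tuple is
# (session_id, subtype, application, action). With "log at session start"
# enabled, a session emits a start record each time App-ID changes, then
# a single end record carrying the final application.
SAMPLE_LOG = [
    ("1001", "start", "app2", "allow"),   # early identification
    ("1001", "start", "app1", "allow"),   # App-ID shifts to app1
    ("1001", "end",   "app1", "allow"),   # only app1 survives at end
    ("1002", "start", "app1", "allow"),
    ("1002", "end",   "app1", "allow"),
    ("1003", "start", "app2", "deny"),    # denied: never reaches an end record
]


def app_shifts(records):
    """Return {session_id: (apps_seen_at_start, app_at_end)} for sessions
    where an app seen at start is absent from the end-of-session record.

    These are the sessions the Apps Seen tab will never attribute to the
    early app, because only the end record feeds that view."""
    start_apps = defaultdict(list)
    end_app = {}
    for sid, subtype, app, _action in records:
        if subtype == "start":
            if app not in start_apps[sid]:
                start_apps[sid].append(app)
        elif subtype == "end":
            end_app[sid] = app
    shifts = {}
    for sid, apps in start_apps.items():
        final = end_app.get(sid)
        if final is None:
            continue  # still open, or denied before an end record existed
        if any(a != final for a in apps):
            shifts[sid] = (apps, final)
    return shifts


def denied_at_start(records):
    """Return {session_id: app} for sessions denied in a start record with no
    end record: the app that was needed but is invisible in end-only logs."""
    ended = {sid for sid, subtype, _a, _act in records if subtype == "end"}
    return {sid: app for sid, subtype, app, action in records
            if subtype == "start" and action == "deny" and sid not in ended}


if __name__ == "__main__":
    print(app_shifts(SAMPLE_LOG))
    print(denied_at_start(SAMPLE_LOG))
```

Run against a real export, the two results together show which early-identified apps the rule must allow even though the Apps Seen tab never lists them.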


2 Replies


Thanks for your quick response, BPry! I’m not stating the apps for security reasons (I know, probably overkill). But now that you mention it, I’ve already seen the ms-rdp cotp/t.120 issue and assumed this was something like that.


I don’t think this case is related to an issue with the “implicitly uses” function, as the apps are not listed here and are very specific (not custom, though). 

I will reconsider opening a TAC case, as you mentioned I might not get any response at all.  
Thanks again for the help!
