05-17-2013 01:58 PM
I know that these two applications stand for unrecognized traffic. It worries me though that for some of the other applications to work, I have to add unknown-tcp/udp to the firewall rule. Example for this would be Bittorrent traffic. To allow Bittorrent, I also have to allow web-browsing and unknown-tcp and unknown-udp.
Can someone please elaborate on this? If I only want to allow Bittorrent, but also add web-browsing and unknown-tcp, I will open up the firewall for unwanted traffic. I really have a hard time understanding this concept.
05-19-2013 06:26 PM
Wow, nice thread there. I love that kind of candid, to-the-point feedback.
05-20-2013 03:03 AM
I was really upset when I wrote that thread and I might have become too rude throughout the discussion, but I've had it with Juniper back then. Their NSM caused so much trouble it was unbelievable. Unfortunately, the same still holds true today. I just had a major crash on NSM two weeks ago from a failed DMI schema update. I love the SRX for its concept and the beauty of Junos, but NSM is destroying that platform for me and a lot of my customers.
Anyways. This probably doesn't belong here.
05-20-2013 06:12 AM
Hey man, no need to apologize; sometimes my passion bubbles a little too close to the surface too.
05-20-2013 06:39 AM
Back on topic... this is what my PA-500 just threw at me for the 'share-p2p' App-ID on PANOS 4.1.12:
vsys1: Rule 'Allow all with threat' application dependency warning:
Application 'share-p2p' requires 'unknown-tcp' be allowed
Configuration committed successfully
So yes, the original poster (cryptochrome) was correct in saying that for certain App-IDs, 'unknown-tcp' needs to be turned on. And I completely agree with him that "that's messed up" - I have to turn on 'unknown-tcp' for certain App-IDs to work? Say what?
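The commit warning quoted in the post above, turned into an audit check. This is an added example, not part of the original post: it parses commit output in the format shown and reports every rule whose App-ID dependency is `unknown-tcp` or `unknown-udp`. The 'Torrent test' lines in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Catch-all App-IDs: allowing them admits traffic the firewall could not classify.
CATCH_ALL = {"unknown-tcp", "unknown-udp"}
# Line shapes copied from the commit output quoted in the thread (PAN-OS 4.1.12).
RULE_RE = re.compile(r"^(\S+): Rule '([^']+)' application dependency warning:$")
DEP_RE = re.compile(r"^Application '([^']+)' requires '([^']+)' be allowed$")

# First two lines and the last are from the post; the 'Torrent test' rule is constructed.
SAMPLE = """\
vsys1: Rule 'Allow all with threat' application dependency warning:
Application 'share-p2p' requires 'unknown-tcp' be allowed
vsys1: Rule 'Torrent test' application dependency warning:
Application 'bittorrent' requires 'web-browsing' be allowed
Application 'bittorrent' requires 'unknown-udp' be allowed
Configuration committed successfully
"""

def parse_dependency_warnings(commit_output):
    """Return {(vsys, rule): [(app, required_app), ...]}."""
    warnings = defaultdict(list)
    current = None  # rule header the following lines belong to
    for raw in commit_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        header, dep = RULE_RE.match(line), DEP_RE.match(line)
        if header:
            current = header.groups()
        elif dep and current is not None:
            warnings[current].append(dep.groups())
        elif not dep:
            current = None  # any other line ends the warning block
    return dict(warnings)

def catch_all_findings(warnings):
    """Sorted (vsys, rule, app, dep) tuples whose dependency is a catch-all App-ID."""
    return sorted(
        (vsys, rule, app, dep)
        for (vsys, rule), deps in warnings.items()
        for app, dep in deps
        if dep in CATCH_ALL
    )

if __name__ == "__main__":
    for vsys, rule, app, dep in catch_all_findings(parse_dependency_warnings(SAMPLE)):
        print(f"{vsys} rule {rule!r}: {app} requires catch-all {dep}")
```

Running it over saved commit output gives a reviewable list of rules that only work because unclassified traffic is also permitted.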
05-20-2013 07:10 AM
Yep. That's what worries me too. In PanOS 5.0 these dependencies are automatically resolved (so you actually never see what the firewall is really opening up). says that it will never be unknown-tcp that would be resolved, but why did 4.x need unknown-tcp and 5.0 does not? Where is this documented? I find this really scary.