Unnown-TCP application "commvault"
cancel
Showing results for 
Search instead for 
Did you mean: 

Unnown-TCP application "commvault"

L2 Linker

Hi Guys, 

 

I hope you guys can help with classifying unknown traffic. 

 

I have read many forums for this topic none of which answer my specific question. I understand that should create a custom app if your application bespoke and it is unlikely that an APP-ID would be created. 

 

However, I am expereincing an issue with an application called "commvault" the firewall already recognises this app, but my rule does not work as the traffic is being identified as "unknown-tcp" I do not understand if the firewall already reconises this app why is this being recognised as unknown. Can you also share with me the correct procedure of getting the traffic classified as "commvault" application? 

 

I already have PCAPS from the firewall, but do not know where this should be raised. 

 

Many Thanks, 

7 REPLIES 7

Cyber Elite
Cyber Elite

Can you share the traffic log of the "commvault" traffic and the "unkown-tcp" traffic?

L4 Transporter

Hi,

 

In this situation, if an app signature has been created but is not recognising the app correctly then your best bet is to raise a case with TAC, they are very helpful in assisting you so that the right data is gathered and getting the signature modified accordingly so that it is recognised. 

 

You could try and create a custom application for this as well:

https://live.paloaltonetworks.com/t5/Tech-Notes/Custom-Application-Signatures/ta-p/58625

 

hope this helps,

Ben

yes, please share traffic logs and if possible, please show your security policy

 

it is possible the version of commvault you are running differs from the traffic pattern included in the AppID version of commvault.

(this can be due to a new updte to commvault or a deployment not seen before by our AppId team,...) if that is the case you'd need to open a support ticket to have the behavior of your commvault app verified and appid updated to include it's patern

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

unknown-tcp_commvault.PNGrules.PNG

 

Please see traffic log and the rules that have been created for this.

Please let me know if you guys believe this is correct and if the support route still needs to be followed.

you're hitting a deny rule

 

if you create a security policy that matches the source and destination IP, but leaves the application as any (temorarily), do you still see unknown-tcp ?

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

This is what I am failing to understand on why it is hitting that deny rule. That deny rule is number 800 in the rule set.

 

The commvault rules are 600 in the rule set. In the screenshot, that I provided "commVault Media Agent to Ping" & "New Backup Networks" are basically any any rules just set to specfic IP's. They let any application over any service go through. I have checked the correct zones and IP's are in the rule.

 

When I do a a security policy match from the CLI, the rule matches rule called "NEW BACKUP NETWORKS-app" so I do not understand why unknown-tcp is being hit.

 

 

That's what @reaper was trying to help figure out.

 

As he stated it's possible there was an update to the APP-ID packge which changed how "commvault" is being idenfitied in your firewall, and while you've properly configured your security policy to use the application it's not matching for that reason.

 

So he was asking does it match L3 IP-IP (with applicable zones).  Then when introducing the L7 application control is it matching or not.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!