I hope you guys can help with classifying unknown traffic.
I have read many forums on this topic, none of which answer my specific question. I understand that you should create a custom app if your application is bespoke and it is unlikely that an App-ID would be created.
However, I am experiencing an issue with an application called "commvault". The firewall already recognises this app, but my rule does not work, as the traffic is being identified as "unknown-tcp". I do not understand: if the firewall already recognises this app, why is this being recognised as unknown? Can you also share with me the correct procedure for getting the traffic classified as the "commvault" application?
I already have PCAPS from the firewall, but do not know where this should be raised.
In this situation, if an app signature has been created but is not recognising the app correctly, then your best bet is to raise a case with TAC. They are very helpful in assisting you so that the right data is gathered and the signature modified accordingly, so that it is recognised.
You could try and create a custom application for this as well.
Hope this helps,
Yes, please share traffic logs and, if possible, show your security policy.
It is possible the version of commvault you are running differs from the traffic pattern included in the App-ID version of commvault.
(This can be due to a new update to commvault or a deployment not seen before by our App-ID team, ...) If that is the case, you'd need to open a support ticket to have the behaviour of your commvault app verified and App-ID updated to include its pattern.
This is what I am failing to understand: why it is hitting that deny rule. That deny rule is number 800 in the rule set.
The commvault rules are at 600 in the rule set. In the screenshot that I provided, "commVault Media Agent to Ping" & "New Backup Networks" are basically any-any rules just set to specific IPs. They let any application over any service go through. I have checked that the correct zones and IPs are in the rule.
When I do a security policy match from the CLI, the rule matches the rule called "NEW BACKUP NETWORKS-app", so I do not understand why unknown-tcp is being hit.
That's what @reaper was trying to help figure out.
As he stated, it's possible there was an update to the App-ID package which changed how "commvault" is being identified in your firewall, and while you've properly configured your security policy to use the application, it's not matching for that reason.
So he was asking: does it match L3 IP-IP (with applicable zones)? Then, when introducing the L7 application control, is it matching or not?
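As an added example (not part of this thread and not Palo Alto Networks or Commvault code), here is a small Python script that triages an exported traffic log the way the replies above suggest: it counts sessions per (app, rule, action) so you can see whether the commvault sessions land on the intended rule, and it lists sessions on the expected commvault ports that App-ID labelled as something else (here unknown-tcp). The log rows, the "Deny-All" rule name and the column subset are constructed for the example, and the commvault listener ports are an assumption to adjust for your deployment.

```python
"""Triage a PAN-OS traffic-log CSV export for App-ID misclassification."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample rows in a reduced traffic-log export layout.
# The IPs, rule names and counts are made up; "NEW BACKUP NETWORKS-app"
# mirrors the rule name discussed in the thread.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,rule,action,bytes,session_end_reason
2024/05/01 10:00:01,10.10.1.5,10.20.1.9,8400,commvault,NEW BACKUP NETWORKS-app,allow,184320,tcp-fin
2024/05/01 10:00:03,10.10.1.5,10.20.1.9,8403,unknown-tcp,Deny-All,deny,120,policy-deny
2024/05/01 10:00:04,10.10.1.6,10.20.1.9,8401,unknown-tcp,Deny-All,deny,64,policy-deny
2024/05/01 10:00:06,10.10.1.7,10.20.1.9,8400,commvault,NEW BACKUP NETWORKS-app,allow,9021,tcp-fin
2024/05/01 10:00:09,10.10.1.8,10.20.2.2,443,ssl,Web-Out,allow,5000,tcp-rst-from-client
"""

# Assumed default Commvault listener ports; change to match your environment.
COMMVAULT_PORTS = {8400, 8401, 8402, 8403}


def parse_log(text):
    """Parse CSV export rows into dicts, converting the numeric columns."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def app_rule_summary(rows):
    """Count sessions per (app, rule, action) so misrouted traffic stands out."""
    return Counter((r["app"], r["rule"], r["action"]) for r in rows)


def suspect_misclassified(rows, expected_app, expected_ports):
    """Sessions on the expected app's ports that App-ID did not label as that app.

    These are the sessions worth attaching to a TAC case or comparing against a
    PCAP: if they are all tiny and short-lived, App-ID may simply not have seen
    enough payload to classify them before the session ended.
    """
    return [
        r for r in rows
        if r["dport"] in expected_ports and r["app"] != expected_app
    ]


def main():
    rows = parse_log(SAMPLE_LOG)
    print("sessions  app          rule                         action")
    for (app, rule, action), n in sorted(app_rule_summary(rows).items()):
        print(f"{n:8d}  {app:12s} {rule:28s} {action}")
    print("\nsuspect sessions on commvault ports not identified as commvault:")
    for r in suspect_misclassified(rows, "commvault", COMMVAULT_PORTS):
        print(f"  {r['src']} -> {r['dst']}:{r['dport']} app={r['app']} "
              f"rule={r['rule']} bytes={r['bytes']} end={r['session_end_reason']}")


if __name__ == "__main__":
    main()
```

Point the parser at a real export (Monitor > Logs > Traffic, exported as CSV) by reading the file instead of the embedded sample; the two functions give you the rule-hit breakdown and the candidate sessions to compare against your PCAPs before opening the support case.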