Application incomplete or insufficient-data when using NNTPS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Application incomplete or insufficient-data when using NNTPS

L1 Bithead

Hello,

 

I have been working with Cisco firewalls for the last 20 years, but I'm very new with Palo Alto and PANOS.

At the moment I have a PA-460 in my lab for learning purpose.

It's a basic setup with just a simple NAT/PAT rule for outgoing traffic to Internet and some basic access rules.

Most things are working great, but I'm having some issues with a newsreader application (SABnzbd) that I'm running on a Synology NAS.

The newsreader application cannot download any files and in the traffic monitor, I see either incomplete or insufficient-data.

This application has been working without any issues when using a Cisco Firepower FTD firewall, so I am trying to figure out what can be wrong.

The newsreader is using TCP port 563 (which is the default port for NNTP protocol over TLS/SSL). If I change the port to 443, everything is working and I can now download files.

Does anyone know why I'm not able to use port 563 and how I can fix this?

 

Thanks

/Jorgen 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @jorgenfrejso ,

 

You probably have your service in your security policy rules set to application-default.  With any protocol that runs over TLS (LDAPS, NNTP, etc.), the protocol is encapsulated within TLS.  Without decryption, the NGFW only sees TLS.  The default port for the App-ID "ssl" is 443, and that is the only port that TLS will be allowed to pass through the NGFW if the service is set to application-default.

 

You can do a quick test.  Change the service to any and see if it works.

 

If you enable logging on the interzone-default rule, you should see the traffic hit that rule under Monitor > Logs > Traffic.  Just like the other firewalls you have experience, if it hits the default drop then it didn't match any rules.

 

Note:  Monitor > Logs > Traffic only shows sessions that have ended if you have Log at Session End configured for your rules, which is the best practice.  Active sessions are found under Monitor > Session Browser.  If you do not have any logging configured for rules, they will not show up under the Monitor tab.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

6 REPLIES 6

L0 Member

Hi @jorgenfrejso , hope all is well! For next steps I would recommend setting up packet filters for the traffic in question and then collecting a packet capture and the global counters from the cli. You can use the following commands on the cli:

debug dataplane packet-diag set filter match source <synology ip> destination-port 563
debug dataplane packet-diag set filter match destination <synology ip> source-port 563
debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture stage receive file rxtx.pcap
debug dataplane packet-diag set capture stage transmit file rxtx.pcap
debug dataplane packet-diag set capture stage drop file dp.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture on

show counter global filter packet-filter yes

****Start Test Traffic***

debug dataplane packet-diag show filter-marked-session

show session id <id from above output>

show counter global filter packet-filter yes delta yes <------ Run this command once every 5-10 seconds for 3 intervals (or until the test is complete)

debug dataplane packet-diag set capture off

**copy the output from the global counters command to a notepad file**
download the packet captures from the gui by navigating to Monitor > Packet Capture
screenshots of your security policy rulebase would be helpful as well

L1 Bithead

Hi @MIST3R_VIRTS3C Thank you for the suggestions.

I will try the packet filters as soon as I get access to my lab and I'll let you know the results.

 

/Jorgen

Cyber Elite
Cyber Elite

Hi @jorgenfrejso ,

 

You probably have your service in your security policy rules set to application-default.  With any protocol that runs over TLS (LDAPS, NNTP, etc.), the protocol is encapsulated within TLS.  Without decryption, the NGFW only sees TLS.  The default port for the App-ID "ssl" is 443, and that is the only port that TLS will be allowed to pass through the NGFW if the service is set to application-default.

 

You can do a quick test.  Change the service to any and see if it works.

 

If you enable logging on the interzone-default rule, you should see the traffic hit that rule under Monitor > Logs > Traffic.  Just like the other firewalls you have experience, if it hits the default drop then it didn't match any rules.

 

Note:  Monitor > Logs > Traffic only shows sessions that have ended if you have Log at Session End configured for your rules, which is the best practice.  Active sessions are found under Monitor > Session Browser.  If you do not have any logging configured for rules, they will not show up under the Monitor tab.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks Tom,

 

You are probalby right about the security policy rules is set to application-default. I noticed a similair issue with IMAP over SSL. I will test to change it to any and let you know the result.

 

/Jorgen

 

I can confirm that NNTPS and IMAP over SSL are working when change the service from application-default to any. 

I also noticed the option to specify custom applications and ports but is there a way to add ports to the application-default? Or can I make a clone of it and add the ports I need?

 

Thanks

/Jorgen

Cyber Elite
Cyber Elite

Hi @jorgenfrejso ,

 

You are correct.  You cannot have a rule with application-default and specific ports.  You are also correct that it is a good idea to clone the rule and have 2 rules - 1 with application default and 1 with specific ports.  In this case since "ssl" only has the default port of tcp/443, I would change application-default to those 3 ports - tcp/443, tcp/563, and tcp/993.

 

If you left the rule with "ssl" and any for the services, the security rule would allow a few packets on all ports until the application is identified.  This method is the least secure.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 3705 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!