Thanks for the clarification. What is the port number for which the traffic is getting marked as Unknown-TCP? (I hope it's not 80 or 443.) As mentioned earlier, we would see traffic marked as "unknown-tcp" if the PANFW doesn't have the signature for that app.

If it's a different port number (non-standard), create a custom app for the traffic on that port number, and use this custom app under an app override policy. When configuring the app override policy, specify the source zone and source IP as the users' IP, specify the destination zone and leave the destination address blank (any address), and configure the underlying protocol (tcp/udp), the port number and the custom app created above.

You can also create or modify the existing security policy with the source IP as the user's IP, the destination IP left as any, the application set to any, and the action set to allowed, to study the IP addresses and the ports that the client uses to establish a successful connection. You can then lock this rule down to the addresses and the ports based on the traffic log analysis.

Hope that helps!

BR,
Karthik
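The traffic log analysis mentioned in the reply above, as an added example that is not part of the original post: a Python script that takes a traffic log exported as CSV and summarizes, for one user IP, which destinations and ports carried allowed unknown-tcp/unknown-udp sessions. The CSV column names, the `min_sessions` threshold and the sample rows are assumptions constructed for illustration; match the column names to your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; the column names are assumed, not taken from the post.
SAMPLE_LOG = """\
Source address,Destination address,Destination Port,IP Protocol,Application,Action
10.1.1.25,203.0.113.10,8443,tcp,unknown-tcp,allow
10.1.1.25,203.0.113.10,8443,tcp,unknown-tcp,allow
10.1.1.25,203.0.113.11,8443,tcp,unknown-tcp,allow
10.1.1.25,198.51.100.7,443,tcp,ssl,allow
10.1.1.25,203.0.113.10,9000,tcp,unknown-tcp,allow
10.1.1.30,203.0.113.10,8443,tcp,unknown-tcp,allow
10.1.1.25,203.0.113.10,8443,tcp,unknown-tcp,allow
10.1.1.25,203.0.113.99,8443,tcp,unknown-tcp,deny
"""

UNKNOWN_APPS = ("unknown-tcp", "unknown-udp")


def summarize_unknown(log_text, user_ip, apps=UNKNOWN_APPS):
    """Count allowed unknown-app sessions from user_ip per (dst, port, proto)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Source address"] != user_ip:
            continue  # only the user under study
        if row["Application"] not in apps or row["Action"] != "allow":
            continue  # identified apps and blocked sessions are not of interest
        key = (row["Destination address"],
               int(row["Destination Port"]),
               row["IP Protocol"])
        counts[key] += 1
    # Busiest flows first; ties ordered by key so the output is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def override_candidates(summary, min_sessions=2):
    """(protocol, port) pairs seen often enough to justify a custom app."""
    per_port = Counter()
    for (_dst, port, proto), n in summary:
        per_port[(proto, port)] += n
    return sorted(k for k, n in per_port.items() if n >= min_sessions)


if __name__ == "__main__":
    summary = summarize_unknown(SAMPLE_LOG, "10.1.1.25")
    for (dst, port, proto), n in summary:
        print(f"{dst:15} {proto}/{port:<5} sessions={n}")
    print("custom app / override candidates:", override_candidates(summary))
```

The per-destination summary gives the addresses for locking down the temporary rule, and the per-port list gives the protocol and port for the custom app and app override policy.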