Sometimes when reviewing logs you’ll find the information in the application field that doesn’t intuitively make sense. Here are more detailed descriptions of the various types of failures.
- Incomplete in Application Field
- The three-way TCP handshake did not complete or it completed but there is no data after the handshake. This is caused by traffic that isn’t an application, or if the SYN was sent, but the SYN ACK was not received. (Far end application might not respond correctly)
- Insufficent Data in Application Field
- There isn’t enough information to correctly indentify the application. Palo firewalls will check their signatures and if nothing matches, this error will be the result.
- Data will be discarded because the service and/or port is not allowed or there is no rule allowing this service.
- There is a three-way TCP handshake, but the the firewall cannot determine what application it is. A custom application is often the culprit.