Palo Alto Incomplete, Not-applicable, unknown, Insufficient data in the Application Field

Below are the entries you might see on the Palo and wonder what they mean:

  • Incomplete
  • Insufficient data
  • Not-applicable
  • unknown-tcp

 

 #INCOMPLETE

 “Incomplete” implies either “the three-way TCP handshake did not complete” or “the three-way TCP handshake **did** finish, but there was no data to identify the application after the handshake.”

It signifies that the traffic you’re seeing isn’t an app.

Example:

If a client sends an SYN to a server, and the Palo Alto Networks device creates a session for that SYN, but the server never responds with an SYN-ACK, the session is considered incomplete.

#INSUFFICIENT DATA

“Insufficient data” denotes a lack of information to identify the application.

Example:

If the three-way TCP handshake was finished with one data packet, but that one packet was insufficient to match any of the Palo Alto signatures, the user will see “insufficient data” in the traffic log’s application field.

#NOT-APPLICABLE:

The Palo Alto Firewall has received data that will be rejected because the port or service over which the traffic is coming in is not authorized.

Alternatively, there may be no policy that allows that port or service.

Example:

If the Palo Alto Firewall has only one rule that allows web-browsing but only on port 80, and traffic (web-browsing or any other application) is transmitted to the Palo Alto Firewall on any other port than port 80, the traffic is disregarded or deleted. As a result, “not-applicable” will appear in the application field.

#UNKNOWN-TCP

“Unknown-tcp” indicates that the firewall has captured the three-way TCP handshake but cannot identify any applications.

This might be due to the usage of a custom application with no signatures in the firewall.