Palo Alto Incomplete, Not-applicable, unknown, Insufficient data in the Application Field
Incomplete in the application field
Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic being seen is not really an application.
If a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete.
Insufficient data in the application field
Insufficient data means not enough data to identify the application. So for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then user will see insufficient data in the application field of the traffic log.
Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.
Unknown-udp consists of unknown udp traffic.
Unknown-p2p matches generic P2P heuristics.
Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service.
If there was only one rule on the Palo Alto device and that rule allowed the application of web-browsing only on port/service 80, and traffic (web-browsing or any other application) is sent to the Palo Alto device on any other port/service besides 80, then the traffic is discarded or dropped and you’ll see sessions with “not-applicable” in the application field.