An analyst is investigating why an App-ID for a custom application is showing as "unknown-tcp" in the Traffic logs. The application is running on port 8080. What is the most likely cause of this identification failure?
A. The firewall does not have a signature for the proprietary application.
B. The Security policy is set to "application-default."
C. The traffic is being decrypted by an SSL Forward Proxy.
Explanation (from Palo Alto Networks Network Security Analyst knowledge):
When traffic is logged as unknown-tcp or unknown-udp, it indicates that the App-ID engine has inspected the traffic but could not find a matching signature in its database. For proprietary or internal applications, this is the expected behavior unless the analyst has created a Custom Application Signature.
To resolve this, the analyst must capture the packet flow and identify a unique data pattern (signature) within the payload that identifies the application. Once the custom App-ID is created and committed, the firewall will correctly categorize the traffic, allowing the analyst to apply granular security profiles and reporting. Identifying and remediating "unknown" traffic is a key monitoring objective, as it helps eliminate visibility gaps and prevents malicious traffic from "hiding" behind unidentified protocols.
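As an added illustration (not part of the original explanation), the following Python script ranks unknown-tcp/unknown-udp sessions from a Traffic-log export by destination port, so the analyst knows which port to capture first when building a custom App-ID. The log lines and the column layout are constructed for this example and are not a real PAN-OS export format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: a simplified Traffic-log export with only the
# columns this example needs. A real PAN-OS CSV export has many more
# fields; adjust FIELDS to match the export you are working with.
FIELDS = ["receive_time", "src", "dst", "dport", "app", "bytes"]
SAMPLE_LOG = """\
2024/01/10 09:00:01,10.1.1.5,10.2.2.20,8080,unknown-tcp,5120
2024/01/10 09:00:07,10.1.1.6,10.2.2.20,8080,unknown-tcp,4880
2024/01/10 09:00:09,10.1.1.9,10.2.2.20,8080,unknown-tcp,5300
2024/01/10 09:01:02,10.1.1.5,10.2.2.30,443,ssl,20480
2024/01/10 09:01:10,10.1.1.7,10.2.2.41,9090,unknown-tcp,300
2024/01/10 09:02:15,10.1.1.8,10.2.2.20,80,web-browsing,8192
"""


def unknown_app_summary(log_text, min_sessions=2):
    """Group unknown-tcp/unknown-udp sessions by destination port.

    Returns {port: {"sessions": n, "servers": set, "clients": set}} for
    ports seen at least `min_sessions` times. Several clients talking to
    the same server on one port is the strongest sign of a real internal
    application that needs a custom App-ID; a single one-off hit is more
    likely a scan or noise and is filtered out by the threshold.
    """
    per_port = defaultdict(lambda: {"sessions": 0, "servers": set(), "clients": set()})
    for row in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        if row["app"] not in ("unknown-tcp", "unknown-udp"):
            continue
        entry = per_port[int(row["dport"])]
        entry["sessions"] += 1
        entry["servers"].add(row["dst"])
        entry["clients"].add(row["src"])
    return {port: e for port, e in per_port.items() if e["sessions"] >= min_sessions}


def custom_appid_candidates(log_text, min_sessions=2):
    """Destination ports worth a packet capture, most sessions first."""
    summary = unknown_app_summary(log_text, min_sessions)
    return sorted(summary, key=lambda p: summary[p]["sessions"], reverse=True)


if __name__ == "__main__":
    summary = unknown_app_summary(SAMPLE_LOG)
    for port in custom_appid_candidates(SAMPLE_LOG):
        e = summary[port]
        print(f"port {port}: {e['sessions']} unknown sessions, "
              f"{len(e['clients'])} clients -> {len(e['servers'])} servers")
```

Once the capture on the top-ranked port yields a unique payload pattern, that pattern becomes the custom application signature, and the same script run on later logs shows whether the unknown-tcp count for that port has dropped to zero after the commit.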