Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

log messages

Log Filter Examples

addr.src in 10.252.11.123 and !( action eq allow )
( addr.dst in 52.96.111.2 ) and !( action eq allow )
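The two filters above select sessions that were not allowed for a given source or destination. As an added example (not from the original notes), here is a small evaluator for that filter syntax, supporting only `and`, `!`, parentheses and the `eq`/`neq`/`in` operators, run over constructed log records whose field names are assumed to mirror the filter terms:

```python
import ipaddress
import re

_TOKEN = re.compile(r"\(|\)|!|[^\s()!]+")   # parentheses, '!', and bare words
# Constructed sample traffic-log records (not real logs); field names mirror the filter terms above.
LOGS = [
    {"addr.src": "10.252.11.123", "addr.dst": "52.96.111.2", "action": "allow", "app": "web-browsing"},
    {"addr.src": "10.252.11.123", "addr.dst": "52.96.111.2", "action": "deny",  "app": "incomplete"},
    {"addr.src": "10.252.11.9",   "addr.dst": "52.96.111.2", "action": "drop",  "app": "not-applicable"},
    {"addr.src": "10.252.11.123", "addr.dst": "8.8.8.8",     "action": "deny",  "app": "unknown-tcp"},
]

def _match(field, op, value, rec):
    have = rec.get(field, "")
    if op in ("eq", "neq"):
        return (have == value) == (op == "eq")
    if op != "in":
        raise ValueError(f"unsupported operator {op!r}")
    try:                                      # 'in' accepts a single address or a CIDR prefix
        return ipaddress.ip_address(have) in ipaddress.ip_network(value, strict=False)
    except ValueError:                        # not an address (e.g. app in ...): plain equality
        return have == value

class _Parser:
    """Recursive descent: and_expr -> unary ('!' unary | '(' and_expr ')' | field op value)."""
    def __init__(self, expr, rec):
        self.toks, self.pos, self.rec = _TOKEN.findall(expr), 0, rec
    def _next(self, consume=True):            # consume=False peeks without advancing
        tok = self.toks[self.pos] if self.pos < len(self.toks) else None
        self.pos += 1 if consume else 0
        return tok
    def and_expr(self):
        val = self.unary()
        while self._next(consume=False) == "and":
            self._next()
            val = self.unary() and val        # evaluate the right operand even when val is False
        return val
    def unary(self):
        tok = self._next()
        if tok == "!":
            return not self.unary()
        if tok == "(":
            val = self.and_expr()
            if self._next() != ")":
                raise ValueError("unbalanced parentheses in filter")
            return val
        return _match(tok, self._next(), self._next(), self.rec)

def filter_logs(expr, logs=LOGS):
    return [rec for rec in logs if _Parser(expr, rec).and_expr()]
```

Running the first filter above against the sample records returns the two non-allowed sessions from 10.252.11.123 (the `incomplete` and `unknown-tcp` ones), which is the triage view the filter is meant to give.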

Incomplete in Application Field

The three-way TCP handshake did not complete, or it completed but no data followed it. This is caused by traffic that isn't an application, or by a SYN that was sent without a SYN-ACK being received (the far-end application might not be responding correctly).

Insufficient Data in Application Field

There isn't enough information to correctly identify the application. Palo Alto firewalls check their signatures and, if nothing matches, this is the result.

Not-applicable

Data will be discarded because the service and/or port is not allowed or there is no rule allowing this service.

unknown-tcp

There is a three-way TCP handshake, but the firewall cannot determine which application it is. A custom application is often the culprit.

CLI tests

test security-policy-match destination 1.1.1.1 application web-browsing protocol 6 source 8.8.8.8 destination-port 80
show session all filter source 10.221.33.33 destination 10..x.x destination-port 445
show counter global filter delta yes packet-filter yes | match 
show interface tunnel.7