Has anyone run into issues with FTD where, in what appear to be random cases, the application detection engine doesn't classify a flow with AVC application protocol / client information?
I have seen it on SYSLOG, NTP, NetBIOS-ssn (SMB [TCP 445]), and other applications. It is not consistent, meaning NTP will be classified correctly for quite a while and then randomly a session will not be. When it is not, there is no Application protocol / client / web application listed in the log entry for that connection.
This is a major issue as I am attempting to use AVC rules, and when the application detection doesn't work correctly the traffic hits the default action policy which is set to deny / block.
TAC suggested changing all the allow rules to log at the end of the connection. They suggested that would provide more accurate logging when the initial packets of an application are not classified at that point. That didn't have an impact, and I am currently running with a policy that includes temporary port / services rules.
Ralph
Hello,
I am facing the same exact issue with application detector and I am running version 6.2.3.13.
Have you solved the problem or found a solution?
Regards,
George
Hello,
I am facing the same exact issue with application detector and I am running version 6.2.3.13.
Have you solved the problem or found a solution?
Can anyone please assist?
Regards,
George