10-03-2016 10:27 PM - edited 02-21-2020 05:55 AM
Has anyone run into issues with FTD where, in what appear to be random cases, the application detection engine doesn't classify a flow with AVC application protocol / client information?
I have seen it on SYSLOG, NTP, NetBIOS-ssn (SMB [TCP 445]), and other applications. It is not consistent, meaning NTP will be classified correctly for quite a while and then randomly a session will not be. When it is not, there is no Application protocol / client / web application listed in the log entry for that connection.
This is a major issue as I am attempting to use AVC rules, and when the application detection doesn't work correctly the traffic hits the default action policy which is set to deny / block.
TAC suggested changing all the allow rules to log at the end of the connection. They suggested that would provide more accurate logging when the initial packets of an application are not classified at that point. That didn't have an impact, and I am currently running with a policy that includes temporary port / services rules.
Ralph
07-25-2019 03:08 AM
Hello,
I am facing the same exact issue with application detector and I am running version 6.2.3.13.
Have you solved the problem or found a solution?
Regards,
George
07-25-2019 03:09 AM
Hello,
I am facing the same exact issue with application detector and I am running version 6.2.3.13.
Have you solved the problem or found a solution?
Can anyone please assist?
Regards,
George