PCNSE Exam Questions

PCNSE Exam - Question 356


While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column.

What best explains these occurrences?

Correct Answer: D

The 'unknown-tcp' value is logged when the firewall saw the three-way TCP handshake complete but could not identify the application from what followed: either not enough data was transferred after the handshake, or the data that was transferred matched no known App-ID signature (for example a custom or in-house application for which no signature exists). Because the handshake did complete, this is distinct from 'incomplete', which is logged when the handshake itself never finished or no data followed it. A practical check is to look at the Bytes and Packets columns for those sessions: repeated sessions to the same server and port that carry real payload point to an internal application, which can be given a custom App-ID so that it is identified and controlled by name instead of as 'unknown-tcp'.
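One way to run that check over a Traffic log export, as an added example that is not part of the exam page or of any Palo Alto Networks tooling: the script below parses a header-based CSV export, groups the unknown-tcp/unknown-udp flows by destination and port, and flags destinations that are hit repeatedly with real payload as custom App-ID candidates. The column names ("Source address", "Destination address", "Destination Port", "Application", "Packets", "Bytes", "Session End Reason"), the packet threshold and the sample rows are all assumptions constructed for illustration; adjust the names to match your own export.

```python
"""Triage 'unknown-tcp' entries in a PAN-OS Traffic log CSV export.

Added example, not code from the exam page or from Palo Alto Networks.
Assumes a header-based CSV export; the header names, the threshold and
the sample rows below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: six flows, three of them unknown-tcp.
SAMPLE_LOG = """\
Source address,Destination address,Destination Port,Application,Packets,Bytes,Session End Reason
10.1.1.5,10.2.0.10,8443,unknown-tcp,42,38120,tcp-fin
10.1.1.6,10.2.0.10,8443,unknown-tcp,40,36900,tcp-fin
10.1.1.7,10.2.0.11,7000,unknown-tcp,6,792,tcp-rst-from-client
10.1.1.5,10.2.0.20,443,ssl,55,61200,tcp-fin
10.1.1.8,10.2.0.30,3389,incomplete,3,180,aged-out
10.1.1.9,10.2.0.11,7000,insufficient-data,5,600,tcp-fin
"""

# Handshake completed, but the payload matched no App-ID signature.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}


def parse_traffic_log(text):
    """Return the rows of a header-based CSV export as dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def count_by_application(rows):
    """Count flows per Application value, for a quick overview."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["Application"]] += 1
    return dict(counts)


def summarize_unknown(rows, min_avg_packets=10):
    """Group unknown-tcp/udp flows by (destination, port).

    Returns {(dst, dport): {"flows", "packets", "bytes", "candidate"}}.
    'candidate' is True when the same server:port is reached by at least
    two flows whose average packet count is at or above the (assumed)
    threshold, i.e. a likely internal application worth a custom App-ID
    rather than a scan or a dead port.
    """
    agg = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for r in rows:
        if r["Application"] not in UNKNOWN_APPS:
            continue
        key = (r["Destination address"], r["Destination Port"])
        agg[key]["flows"] += 1
        agg[key]["packets"] += int(r["Packets"])
        agg[key]["bytes"] += int(r["Bytes"])
    for stats in agg.values():
        avg_packets = stats["packets"] / stats["flows"]
        stats["candidate"] = stats["flows"] >= 2 and avg_packets >= min_avg_packets
    return dict(agg)


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    print(count_by_application(rows))
    for (dst, port), s in sorted(summarize_unknown(rows).items()):
        tag = "custom App-ID candidate" if s["candidate"] else "review or drop"
        print(f"{dst}:{port} flows={s['flows']} packets={s['packets']} "
              f"bytes={s['bytes']} -> {tag}")
```

The threshold is deliberately crude: a single short flow to a closed port is usually a probe or a misconfigured client, while many multi-kilobyte sessions to one server:port are almost always an application the firewall simply has no signature for. Sessions logged as 'incomplete' or 'insufficient-data' are left out of the grouping on purpose, since they carry too little data to be worth a custom signature.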

Discussion

6 comments
mysteryzjoker (Option: A)
Sep 28, 2022

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC#:~:text=unknown%2Dtcp%3A,firewall%20does%20not%20have%20signatures.

Sarbi (Option: D)
Dec 28, 2022

D can also be correct

halifax
Apr 19, 2023

Regardless of how many packets you receive, some applications are always in an unknown TCP state, this is by design.

sujss
Apr 29, 2023

I think D is insufficient data

TAKUM1y (Option: A)
Oct 29, 2022

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC#:~:text=unknown%2Dtcp%3A,firewall%20does%20not%20have%20signatures.

confusion (Option: A)
Oct 30, 2022

A. TAKUM1y and mysteryzjoker provide the correct explanation.

aatechler (Option: A)
Dec 20, 2022

unknown-tcp: Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.

123XYZT (Option: A)
Jun 28, 2024

Answer is A. D is not correct; the key is that there is not enough data, not packets. From Palo documentation: "What is the unknown-tcp or unknown-udp that sometimes shows up in traffic logs? In terms of App-ID, these are connections where not enough data, or data that did not match any known application's behavior, was transferred and App-ID was unable to identify a known application."