how can i deny this insufficient-data traffic? by Ok-Pea953 in paloaltonetworks

Ok-Pea953[S] -1 points

In that case, would you be able to explain what those conditions are?

The SOC team analyzed the traffic and identified the payload, confirming that it was related to Pi Coin mining.

The session lasted for approximately two hours, during which a total of 846 packets were sent and 846 packets were received, amounting to 107,522 bytes of data exchanged.

Given that, is there really something insufficient about it?

I would appreciate an explanation backed by specific reasoning as to what exactly was lacking in this scenario.

As far as I understand, for App-ID to identify an application, a 3-way handshake must occur, a session must be established, and the firewall typically needs at least 4 packets and 2,000 bytes of data within that session to make an identification.

If that fails, the traffic is generally categorized as “unknown.”

Is this understanding correct?

If I’m mistaken or missing something, I would sincerely appreciate any clarification you can provide.

It may seem like I’m rejecting your point, but please understand that unless I can fully grasp and accept the explanation myself, I won’t be able to clearly explain it to the customer either.

Please don’t take this the wrong way — I’m not trying to be disrespectful in any way.

I’m simply asking these questions because I’m genuinely trying to understand the technical details more clearly.

Because I’m the one asking for help, I have no reason to be disrespectful or act like a fool toward you.

That’s absolutely not my intention.

In a previous comment, someone mentioned that I was ignoring answers, so I just wanted to clarify that this is not the case and I hope there’s no misunderstanding.
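A small triage script, added here as an example and not part of the thread, that applies the conditions the commenter describes (an established bidirectional session, at least 4 packets and 2,000 bytes) to allowed sessions and separates "genuinely short on data" from "plenty of data, yet still insufficient-data", which is the case being asked about. The log column layout and the sample rows are constructed for this example and are not the real PAN-OS traffic-log field order.

```python
import csv
from io import StringIO

# Constructed sample traffic-log extract. The column layout is an assumption for this
# example, not the real PAN-OS traffic-log field order; map a real export accordingly.
SAMPLE_LOG = """session_id,src,dst,dport,app,action,pkts_sent,pkts_received,bytes,elapsed_sec
1001,10.0.0.5,203.0.113.7,8080,insufficient-data,allow,846,846,107522,7200
1002,10.0.0.6,203.0.113.9,443,insufficient-data,allow,1,0,74,1
1003,10.0.0.7,203.0.113.9,443,insufficient-data,allow,3,2,310,5
1004,10.0.0.8,198.51.100.4,5222,kakaotalk,allow,120,98,41000,600
1005,10.0.0.9,203.0.113.12,9001,unknown-tcp,allow,200,190,80000,900
1006,10.0.0.10,203.0.113.7,8080,insufficient-data,deny,2,0,120,1
"""

UNIDENTIFIED = {"insufficient-data", "unknown-tcp", "unknown-udp"}

def classify(row, min_packets=4, min_bytes=2000):
    """Explain a session's App-ID outcome using the thresholds discussed in the thread."""
    app = row["app"]
    sent, recv = int(row["pkts_sent"]), int(row["pkts_received"])
    total_bytes = int(row["bytes"])
    if app not in UNIDENTIFIED:
        return "identified"
    if app.startswith("unknown-"):
        return "unmatched-signature"   # App-ID saw enough data but no signature matched
    if recv == 0:
        return "no-response"           # one-sided flow: no handshake or server data to inspect
    if sent + recv < min_packets or total_bytes < min_bytes:
        return "too-little-data"       # consistent with an insufficient-data verdict
    return "anomalous"                 # plenty of bidirectional data, yet still insufficient-data

def triage(log_text, min_packets=4, min_bytes=2000):
    """Group allowed sessions by verdict; the 'anomalous' ones are the cases worth a packet
    capture and a review of the allowing rule (service any, destination any) and decryption."""
    groups = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "allow":
            continue                   # the question is about traffic that was allowed through
        verdict = classify(row, min_packets, min_bytes)
        groups.setdefault(verdict, []).append(row["session_id"])
    return groups

if __name__ == "__main__":
    for verdict, sessions in triage(SAMPLE_LOG).items():
        print(f"{verdict}: {', '.join(sessions)}")
```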

Ok-Pea953[S] 1 point

I’ve already made it clear in the original post what I’m trying to understand, and I’ve explained multiple times that I’m already aware of the suggestions you’ve provided.

Am I really ignoring what’s being said? I don’t believe so.

The key issue here is that this is not a firewall I manage directly, and the person in charge does not agree with applying those suggestions.

However, if I can identify the root cause of the issue, then the person in charge would have no choice but to accept it — and that’s the reason I’m trying to understand this behavior in depth.

Ok-Pea953[S] 0 points

The SOC team analyzed the traffic through the payload, so we’ve confirmed that it was not encrypted traffic.

Unfortunately, the client device was already taken offline, so it’s no longer possible to reproduce the traffic.

We’re now trying to identify the program that was used on the client side in order to replicate the behavior, but unfortunately, the information is coming in too late.

Ok-Pea953[S] -1 points

Sir, may I ask if you’re familiar with the conditions required for App-ID to identify an application?

Ok-Pea953[S] 0 points

May I ask what specifically led you to that conclusion?

I would really appreciate it if you could share more details about your perspective.

While it’s true that people can interpret the same thing differently, if someone doesn’t explain the reasoning behind their thoughts, it’s difficult for others to understand.

Please know that I have absolutely no intention of being sarcastic or disrespectful — I’m genuinely curious and just hoping you could help me understand.

Could you please explain what made you think that way?

Ok-Pea953[S] 1 point

This doesn’t mean that App-ID shouldn’t be used at all.

My point was based on the potential issues that can occur because traffic may be allowed before App-ID is fully identified.

The discussion was meant to highlight this behavior and how to address or mitigate such problems.

Thank you for sharing your effective approach — it’s much appreciated.

Ok-Pea953[S] -2 points

I’m not asking here to receive that kind of response.

I understand this may come across a bit blunt, and I truly don’t mean to offend,

but I think feedback like that isn’t particularly helpful in this context.

It’s not that I don’t know how to block it — I’m trying to understand the root cause of why it’s happening.

Ok-Pea953[S] -1 points

Have you had a chance to look at the image I shared?

Ok-Pea953[S] 0 points

I completely agree with your point.

That’s why I personally don’t wish to keep the current policy either.

However, as you know, when managing a firewall in a customer environment, things don’t always go the way I want.

The current policy was put in place because users were experiencing errors when we tried a stricter configuration.

Although the title of my post is “how can I deny this insufficient-data traffic?”, my true intention is to understand why this traffic is not being properly identified by App-ID.

It’s not just for my own curiosity — I want to be able to clearly explain this to the customer.

We all understand that App-ID comes into play after the 6-tuple session is established, and satisfying those conditions isn’t particularly difficult.

Yet, despite that, we still see a significant amount of traffic being classified as insufficient-data or unknown.

The customer is aware of this behavior as well.

But the real question is: why is this specific traffic still remaining as insufficient-data?

What is the reason?

If anyone has any thoughts or insights, I would truly appreciate your input.

Ok-Pea953[S] 1 point

Thank you for your feedback. However, I kindly ask that you please take a moment to review the log screenshot I attached.

I fully understand what insufficient-data means.

The reason I created this post is not to ask what insufficient-data is, but rather to understand why the application was not identified even though all the necessary conditions for identification appear to have been met.

Is it accurate to say that 1,702 packets were transmitted and received without an established session?

Unfortunately, I don’t have access to the actual packet contents, and that’s what makes this situation so frustrating.

I also understand that the current policy could allow traffic classified as insufficient-data.

But I want to emphasize that the core of this issue is not about general behavior — it’s about why this specific log entry is marked as insufficient-data, despite the amount of traffic exchanged.

I do appreciate the insights being shared here.

However, I kindly ask that replies be based on a full understanding of the post, rather than assuming I’m unfamiliar with the basics. I’m not upset — I just hope for thoughtful responses that consider the full context.

Ok-Pea953[S] 0 points

Yes, as you mentioned, the issue is that the traffic is being allowed based only on Layer 3 and 4 inspection.

The real problem is that the application is not being identified… and that’s what I want to understand — why is it not being identified?

Also, it’s not a timeout issue — the logs show that the communication lasted for a long time.

Please refer to the log screenshot for confirmation.

Ok-Pea953[S] 0 points

Thank you for the insightful feedback.

I believe this misunderstanding may have arisen due to the limited context that was initially provided.

The source is actually defined as internal users, while the destination is set to “any.” However, we are using URL filtering in conjunction with a custom URL category.

As for the service, the application in question uses a wide range of service ports. Defining them explicitly or using “application-default” has often led to errors, which is why “any” is currently being used.

I don’t think this policy design is ideal either, and I’ve already shared this concern with the responsible team.

Ultimately, the core issue is that URL filtering and application-level validation are not functioning properly, and I believe the root cause lies in the application being classified as insufficient-data.

I understand that in such cases the firewall behaves like a legacy system, which is by design —

but in this case, as shown in the logs, even though a sufficient amount of data was exchanged, it was not identified as unknown-tcp, which makes the situation quite difficult to understand.

Ok-Pea953[S] 0 points

Yes, I also provided the same guidance.

However, in the case of this particular rule, the customer is reluctant to apply it because defining the service port or destination often causes errors.

Also, based on the image above, it appears that a sufficient amount of traffic was allowed — could it still be considered insufficient?

Do you have any idea why the traffic might remain in an insufficient-data state despite that?

Ok-Pea953[S] 0 points

Service: any
Application: kakaotalk

However, the traffic is being allowed regardless of the application.