Understanding "Application Incomplete" in PAN-OS Logs
When reviewing Palo Alto Networks firewall Traffic logs, you might encounter sessions where the application field shows `incomplete`. This indicates that the firewall's App-ID engine was unable to identify the application associated with the session because it did not see enough data.
Three Common Reasons for "Application Incomplete"
The Knowledge Base article highlights the three most common scenarios leading to this state:
- **The three-way TCP handshake did not complete.** If the initial SYN, SYN/ACK, and ACK sequence isn't fully established from the firewall's perspective (due to drops, asymmetric routing, etc.), there's no stable connection for App-ID to analyze, resulting in `incomplete`.
- **The three-way TCP handshake completed, but no data was sent after the connection was established.** The connection was successfully set up (SYN, SYN/ACK, ACK seen), but the client or server never sent any actual application payload data over that connection before it terminated or timed out. App-ID needs payload data to identify the application.
- **The three-way TCP handshake completed, but the client or server sent a TCP reset (RST) before any data was exchanged.** The connection was established, but one side immediately terminated it with a RST packet *before* any application data could be sent and inspected by App-ID.
Why Other Possibilities Are Less Likely (or Different Tags)
Incorrect: "The client sent a TCP segment with the PUSH flag set."
The TCP PSH flag is a normal part of TCP communication used to indicate that buffered data should be sent immediately to the receiving application. It does not prevent application identification and is not a cause for the `incomplete` tag.

Incorrect: "There is not enough application data after the TCP connection was established."
This description more closely matches the `insufficient-data` application tag, not `incomplete`. `insufficient-data` means the handshake completed and *some* data was exchanged, but not enough for App-ID to make a definitive identification before the session ended. `incomplete` implies either the handshake failed or *no* application data was seen after the handshake.
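The three causes above, and the `incomplete` vs `insufficient-data` distinction, can be triaged directly from Traffic log fields. The following Python snippet is an added example, not part of the original page or any Palo Alto Networks tool. It parses a constructed CSV excerpt (made-up values, a subset of real PAN-OS Traffic log field names) and maps each `incomplete` session to one of the three causes using a heuristic that is an assumption of this example: zero packets received means the handshake was never answered (no hello); a session ending in `tcp-rst-from-client` or `tcp-rst-from-server` means talk cut short; anything else (for example `tcp-fin` or `aged-out`) means the handshake completed but no payload followed.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample log (not real firewall output). Field names follow the
# PAN-OS Traffic log CSV layout; the values are invented for this example.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,session_end_reason,packets_sent,packets_received,bytes_sent,bytes_received
2024/01/01 10:00:01,10.1.1.5,203.0.113.10,443,incomplete,aged-out,3,0,180,0
2024/01/01 10:00:02,10.1.1.6,203.0.113.11,443,incomplete,tcp-fin,4,3,280,220
2024/01/01 10:00:03,10.1.1.7,203.0.113.12,22,incomplete,tcp-rst-from-server,3,2,200,140
2024/01/01 10:00:04,10.1.1.8,203.0.113.13,443,insufficient-data,tcp-rst-from-client,6,5,900,700
2024/01/01 10:00:05,10.1.1.9,203.0.113.14,443,ssl,tcp-fin,40,38,5200,48000
"""

RST_REASONS = {"tcp-rst-from-client", "tcp-rst-from-server"}


def classify_incomplete(row):
    """Return which of the three KB causes best fits an app=incomplete row.

    Heuristic (an assumption of this example, not a PAN-OS rule):
      no-hello        - nothing came back, so SYN/ACK was never seen
      talk-cut-short  - handshake answered, then the session ended with a RST
      no-talk         - handshake answered, ended by FIN/age-out, no payload
    Rows whose app is not 'incomplete' yield None.
    """
    if row["app"] != "incomplete":
        return None
    if int(row["packets_received"]) == 0:
        return "no-hello"
    if row["session_end_reason"] in RST_REASONS:
        return "talk-cut-short"
    return "no-talk"


def describe_app(row):
    """Separate the two unidentified-application tags from real App-IDs."""
    if row["app"] == "incomplete":
        return "incomplete: handshake failed or no payload after handshake"
    if row["app"] == "insufficient-data":
        return "insufficient-data: some payload seen, not enough to identify"
    return "identified: " + row["app"]


def triage(log_text):
    """Parse CSV text and return (src, dst, dport, cause) for incomplete sessions."""
    results = []
    for row in csv.DictReader(StringIO(log_text)):
        cause = classify_incomplete(row)
        if cause is not None:
            results.append((row["src"], row["dst"], row["dport"], cause))
    return results


def summarize(log_text):
    """Count incomplete sessions per cause; useful for spotting a spike in one bucket."""
    return Counter(cause for _, _, _, cause in triage(log_text))


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
    print(dict(summarize(SAMPLE_LOG)))
```

A sudden rise in the `no-hello` bucket for one destination usually points at routing or filtering problems (SYN/ACK never returns through the firewall), while a rise in `talk-cut-short` against a single port is more often a scanner or a misbehaving client; checking `session_end_reason` alongside the packet counters is what separates the two.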
🧠 Memory Aids (Mnemonics)
To remember the causes of `application incomplete`:
- Simple Phrase: "Incomplete means: No Hello, No Talk, or Talk Cut Short."
  - No Hello: TCP handshake never finished.
  - No Talk: Handshake done, but no data sent.
  - Talk Cut Short: Handshake done, but RST/FIN before App-ID could inspect data.
- Acronym: HDT
  - H – Handshake not completed
  - D – Data not sent after handshake
  - T – Terminated early (RST before data exchange)
- Failed Date Analogy: "No Handshake, No Data, Got Dumped"
📘 References