PlatformTeam
New Member
October 21, 2024
Question

FortiClient - Blocked (Unknown.Application): Unknown.Application


Hi
I am seeing this error on a number of our macOS clients, but I have no idea how to debug where this comes from.

Is there a way to see more information on this?

The clients all connect to an EMS solution - but this just shows a count, a threat ID of 0 and the same message.

Thanks in advance

1 reply

AEK
SuperUser
October 21, 2024

Hello

When you export FCT logs, you can check the file appfw.log, it may contain further info about the issue.

AEK
PlatformTeam
New Member
October 22, 2024

hmm, not really

20241022 10:21:44.597 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=0 dstaddr=10.10.1.95:65190
20241022 10:39:23.365 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=8 dstaddr=209.85.203.138:443
20241022 10:40:10.392 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=0 dstaddr=10.10.1.25:49030
20241022 12:26:05.687 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=8 dstaddr=ff02::b:37809
20241022 12:44:51.390 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=8 dstaddr=10.10.1.25:55193
20241022 13:05:15.357 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=8 dstaddr=74.125.193.95:443
20241022 13:17:09.149 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=0 dstaddr=10.10.1.114:50565

The two public IP addresses listed resolve to be google!
The private addresses are things on the local network - such as an AppleTV device so I can only assume that they are broadcasting or something.

With severity=0 and no obvious issues from the client side, I wonder what the purpose of these errors is.
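As an added triage example (not code from the thread or from Fortinet), the following Python parses IPS_INFO lines in the appfw.log format quoted above, splits dstaddr into host and port (IPv6 included), classifies each destination as private, link-local, multicast or public, and reads the action field to tell whether anything was actually blocked. The line layout and field names are assumed solely from the lines quoted in this thread; the sample records below are copied from them.

```python
import ipaddress
import re

# Sample records copied from the appfw.log lines quoted in the thread.
SAMPLE_LOG = """\
20241022 10:21:44.597 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=0 dstaddr=10.10.1.95:65190
20241022 10:39:23.365 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=8 dstaddr=209.85.203.138:443
20241022 12:26:05.687 TZ=+0100 [appfw:WARN] ips_utils:531 IPS_INFO: name="Unknown.Application" severity=0 vid=0 app_cat=0 group=application action=Pass(0) flags=8 dstaddr=ff02::b:37809
"""

# Assumed layout: date, time, TZ, [component:level], source:line, "IPS_INFO:", then key=value pairs.
LINE_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>[\d:.]+) TZ=(?P<tz>[+-]\d{4}) '
    r'\[(?P<src>[^\]]+)\] \S+ IPS_INFO: (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values are either quoted or a bare token


def parse_line(line):
    """Return a dict for one IPS_INFO record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"date": m["date"], "time": m["time"], "tz": m["tz"], "source": m["src"]}
    for key, val in KV_RE.findall(m["kv"]):
        rec[key] = val.strip('"')
    # dstaddr is "host:port"; IPv6 hosts contain ':' themselves, so split on the last one.
    host, _, port = rec["dstaddr"].rpartition(":")
    rec["dst_ip"] = ipaddress.ip_address(host)
    rec["dst_port"] = int(port)
    # action=Pass(0) means the event was only logged; anything else is treated as enforced.
    rec["blocked"] = not rec["action"].startswith("Pass")
    return rec


def classify(ip):
    """Bucket a destination so local chatter (mDNS, AppleTV, etc.) separates from Internet hosts."""
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def summarize(text, signature="Unknown.Application"):
    """Count records for one signature by destination class and by whether they were blocked."""
    summary = {"blocked": 0, "passed": 0, "by_class": {}}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("name") != signature:
            continue
        summary["blocked" if rec["blocked"] else "passed"] += 1
        cls = classify(rec["dst_ip"])
        summary["by_class"][cls] = summary["by_class"].get(cls, 0) + 1
    return summary
```

Run summarize() over a full exported appfw.log: if every record is counted under "passed", the events are informational rather than enforcement, and the by_class split shows how much is local-network traffic versus Internet destinations.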