Note: The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
Create an application override policy to designate applications to be processed using fast-path Layer 4 inspection instead of App-ID Layer 7 inspection. This forces the security enforcement node to handle the session as regular stateful inspection and saves application processing time. Create an application override policy rule when you do not want traffic inspection for custom applications between known IP addresses. For example, if you have a custom application on a non-standard port, you know that the users accessing the application are sanctioned, and both are in the Trust zone, you can override the application inspection requirements for those trusted users accessing the custom application.
To change how Prisma Access classifies applications, go to Manage > Configuration > NGFW and Prisma Access > Network Policies > Application Override and create your application override policy rule.
Application Override Tips
Consider that when you create an application override policy rule, you are preventing App-ID from classifying that portion of your deployment's traffic and from performing threat inspection based on the application identification. To support internal proprietary applications, consider creating a custom application (instead of an application override rule) that includes the application signature, so that Strata Cloud Manager still performs Layer 7 inspection and scans the application traffic for threats. To create a custom application, go to Manage > Configuration > NGFW and Prisma Access > Objects > Applications.
Application Override Policies
Use the following sections to configure an application override rule:
Source
Zones—Add source zones.
Addresses—Add source addresses, address groups, or regions and specify the settings.
Destination
Zones—Add destination zones.
Addresses—Add destination addresses, address groups, or regions and specify the settings.
Application
Application—Select the override application for traffic flows that match the above rule criteria. When you override to a custom application, no threat inspection is performed. The exception is when you override to a pre-defined application that supports threat inspection.
To define new applications, go to Manage > Configuration > NGFW and Prisma Access > Objects > Applications.
Protocol
Protocol—Select the protocol (TCP or UDP) for which to allow an application override.
Port—Enter the port number (0 to 65535) or range of port numbers (port1-port2) for the specified destination addresses. Multiple ports or ranges must be separated by commas.
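The following is an added example, not Palo Alto Networks code: it models the fields of an application override rule as the page lists them and checks a rule against the page's own guidance before it is committed. It parses the port field syntax described above (single ports 0 to 65535, ranges written port1-port2, comma-separated entries), requires the protocol to be TCP or UDP, flags an override to a custom application as a loss of Layer 7 threat inspection, and flags "any" addresses because the page scopes overrides to traffic between known IP addresses. The rule name, zone names, addresses and application name are constructed sample values.

```python
"""Pre-commit sanity checks for an application override rule (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

MAX_PORT = 65535


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse a port field such as '8443,9000-9010' into inclusive (low, high) pairs.

    Syntax per the page: a port number 0-65535, a range port1-port2, and
    multiple entries separated by commas. Anything else raises ValueError.
    """
    ranges: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in port specification {spec!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)  # int() rejects non-numeric text
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"port entry {item!r} is outside 0-{MAX_PORT} or reversed")
        ranges.append((lo, hi))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    """True when a destination port falls inside the rule's port field."""
    return any(lo <= port <= hi for lo, hi in parse_port_spec(spec))


@dataclass
class AppOverrideRule:
    """The rule fields the page describes (names are constructed, not the product's API)."""
    name: str
    source_zones: List[str]
    source_addresses: List[str]
    destination_zones: List[str]
    destination_addresses: List[str]
    application: str
    protocol: str
    ports: str
    # True when the override target is a custom application, for which no threat
    # inspection is performed; a pre-defined application that supports threat
    # inspection is the page's stated exception, so set this False in that case.
    custom_application: bool = True


def review_rule(rule: AppOverrideRule) -> List[str]:
    """Return findings for the rule; an empty list means every check passed."""
    findings: List[str] = []
    if rule.protocol.lower() not in ("tcp", "udp"):
        findings.append(f"{rule.name}: protocol must be TCP or UDP, got {rule.protocol!r}")
    try:
        parse_port_spec(rule.ports)
    except ValueError as exc:
        findings.append(f"{rule.name}: invalid port specification: {exc}")
    if rule.custom_application:
        findings.append(
            f"{rule.name}: override to custom application {rule.application!r} skips "
            "Layer 7 threat inspection; a custom App-ID signature keeps inspection"
        )
    addresses = [a.lower() for a in rule.source_addresses + rule.destination_addresses]
    if "any" in addresses:
        findings.append(f"{rule.name}: 'any' address widens the override beyond known IP addresses")
    return findings


# Constructed sample rule: a proprietary app on non-standard ports between two Trust-zone hosts.
EXAMPLE_RULE = AppOverrideRule(
    name="legacy-erp-override",
    source_zones=["Trust"],
    source_addresses=["10.10.0.0/24"],
    destination_zones=["Trust"],
    destination_addresses=["10.20.0.5"],
    application="legacy-erp",
    protocol="tcp",
    ports="8443,9000-9010",
    custom_application=True,
)

if __name__ == "__main__":
    for finding in review_rule(EXAMPLE_RULE):
        print(finding)
```

The sample rule is syntactically valid, so the only finding it produces is the reminder that overriding to a custom application gives up threat inspection, which is exactly the trade-off the tips section asks you to weigh.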