Network Security
Application Override Policy (PAN-OS & Panorama)
Stateful layer 4 inspection for SIP-ALG and SMB traffic that overrides
application-based policy.
Palo Alto Networks determines what an application is irrespective of port, protocol,
encryption (SSH or SSL), or any other evasive tactic used by the application.
Configure your own Application Override Policy to change how traffic gets classified
to support internal or proprietary applications.
To change how your configuration classifies network traffic into applications, you
can specify application override policies. For example, if you want to control one
of your custom applications, an application override policy can be used to identify
traffic for that application according to zone, source and destination address,
port, and protocol. If you have network applications that are classified as
“unknown,” you can create new application definitions for them.
Review your existing policy rulebase. If you have any Application Override rules for
traffic other than SMB or SIP, convert the rule to an App-ID based rule so that you
can decrypt and inspect the traffic at layer 7 and prevent threats.
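One way to run the rulebase review described above against an exported configuration, as an added example (not Palo Alto Networks code). The XML layout, the sample rules, and the use of well-known SMB (139, 445) and SIP (5060, 5061) ports as the test are assumptions; a flagged rule is a candidate for conversion to an App-ID based rule.

```python
import xml.etree.ElementTree as ET

# Assumption: SMB and SIP are recognised by their well-known ports.
ALLOWED = {"tcp": {139, 445, 5060, 5061}, "udp": {5060, 5061}}

# Constructed sample; the element layout is an assumed exported-config shape.
SAMPLE_CONFIG = """
<config><devices><entry name="fw1"><vsys><entry name="vsys1"><rulebase>
<application-override><rules>
  <entry name="sip-trunk">
    <protocol>udp</protocol><port>5060-5061</port>
    <application>sip</application></entry>
  <entry name="smb-files">
    <protocol>tcp</protocol><port>445</port>
    <application>ms-ds-smb</application></entry>
  <entry name="erp-custom">
    <protocol>tcp</protocol><port>8443</port>
    <application>erp-internal</application></entry>
  <entry name="mixed-ports">
    <protocol>tcp</protocol><port>445,9000-9001</port>
    <application>legacy-sync</application></entry>
</rules></application-override>
</rulebase></entry></vsys></entry></devices></config>
"""

def expand_ports(spec):
    """Turn a port field such as '445,9000-9001' into a set of ints."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_overrides(xml_text):
    """Return override rules that match ports outside the SMB/SIP set."""
    findings = []
    for rule in ET.fromstring(xml_text).iterfind(".//application-override/rules/entry"):
        proto = rule.findtext("protocol", "").lower()
        extra = sorted(expand_ports(rule.findtext("port", "")) - ALLOWED.get(proto, set()))
        if extra:
            findings.append({"rule": rule.get("name"), "protocol": proto,
                             "application": rule.findtext("application"), "ports": extra})
    return findings

if __name__ == "__main__":
    for f in audit_overrides(SAMPLE_CONFIG):
        print(f"{f['rule']}: {f['protocol']}/{f['ports']} -> {f['application']} (review for App-ID conversion)")
```

A port match is only a first pass: a rule on port 445 or 5060 can still carry other traffic, so confirm each remaining override against what the rule is actually used for.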
To create an application override:
- Go to Objects > Applications > Add and create a custom application. This is the application that you want traffic to match instead of the App-ID your configuration uses.
- Go to Policies > Application Override and create your application override security rule. This rule specifies when Prisma Access should invoke the custom application.
- Consider that when you create an application override security rule, you’re limiting Prisma Access App-ID from classifying traffic and performing threat inspection based on that application identification.
- To support internal proprietary applications, it’s worth thinking about creating a custom application (instead of an application override rule) that includes the application signature so that Prisma Access performs layer 7 inspection and scans the application traffic for threats.