Network Security
Policy Object: Applications
Table of Contents
Policy Object: Applications
Exercise granular policy control over applications to minimize the range of
unidentified traffic on your network, thereby reducing the attack surface.
Your network traffic is automatically classified into applications that you can use
to build a versatile Security policy based on your business needs (for example, allow
Slack messages but block file transfers). The Applications object lists various
attributes of each application definition, such as the application’s relative security
risk (1 to 5). The risk value is based on criteria such as whether the application can
share files, is prone to misuse, or tries to evade being detected. Higher values
indicate higher risk.
To configure this and any other Object
settings, go to:
- on Cloud Managed deployments, and select the object you want to configure.
- on PAN-OS and Panorama Managed deployments, and select the object you want to configure from the panel on the left.
On the application page, you can:
- Learn about applications, including their behavioral characteristics and risk level. This list includes over 3000 well-known and commercially available applications.
- Create custom applications based on application characteristics or behavior. Create custom applications to classify internal applications (a custom payroll app), special interest applications (an annual sports event), or a nested application (classify a function separately from the parent application, like Facebook’s Words with Friends). Custom applications can be global or they can be applied only to specific mobile user, remote network, and service connection locations (theLocationscolumn indicates the deployment types that can use the custom app).
Applications Fields
Here are the various applications fields. Custom applications and Palo
Alto® Networks applications might display some or all of these fields.
Application Details | Description |
|---|---|
Name | Name of the application. |
Description | Description of the application (up to 255 characters). |
Additional Information | Links to web sources (Wikipedia, Google, and Yahoo!) that contain
additional information about the application. |
Standard Ports | Ports that the application uses to communicate with the
network. |
Depends on | A list of other applications that are required for this
application to run. When creating a security rule to allow the
selected application, you must also be sure that you're allowing
any other applications that the application depends on. |
Implicitly Uses | Other applications that the selected application depends on but
that you don't need to add to your Security rules to
allow the selected application because those applications are
supported implicitly. |
Previously Identified As | For a new App-ID, or App-IDs that are changed, this indicates
what the application was previously identified as. This helps
you assess whether policy changes are required based on changes
in the application. If an App-ID is disabled, sessions
associated with that application will match the security rule as
the previously identified as application. Similarly, disabled
App-IDs will appear in logs as the application they were
previous identified as. |
Deny Action | App-IDs are developed with a default deny action that dictates
the response when the application is included in a Security
security rule with a deny action. The default deny action can
specify either a silent drop or a TCP reset. You can override
this default action in the Security policy. |
Characteristics | |
Evasive | Uses a port or protocol for something other than its originally
intended purpose with the hope that it won't get detected. |
Excessive Bandwidth | Consumes at least 1 Mbps regularly through normal use. |
Prone to Misuse | Often used for nefarious purposes or is easily set up to expose
more than the user intended. |
SaaS | Software as a Service (SaaS) is characterized as a service where
the software and infrastructure are owned and managed by the
application service provider but where you retain full control
of the data, including who can create, access, share, and
transfer the data. Keep in mind that in the context of how an application is
characterized, SaaS applications differ from web services. Web
services are hosted applications where either the user does not
own the data (for example, Pandora) or where the service is
primarily comprised of sharing data fed by many subscribers for
social purposes (for example, LinkedIn, Twitter, or
Facebook). |
Capable of File Transfer | It has the capability to transfer a file from one system to
another over a network. |
Tunnels Other Applications | It's able to transport other applications inside its
protocol. |
Used by Malware | Malware has been known to use the application for propagation,
attack, or data theft, or is distributed with malware. |
Has Known Vulnerabilities | Has publicly reported vulnerabilities. |
Pervasive | Likely has more than 1,000,000 users. |
Continue Scanning for Other Applications | Continue to try to match against other application signatures. If
you don't select this option, additional application matches
won't be sought out after the first matching signature. |
SaaS Characteristics | |
Data Breaches | Applications that may have released secure information to an
untrusted source within the past three years. |
Poor Terms of Service | Applications with unfavorable terms of service that can
compromise enterprise data. |
No Certifications | Applications lacking current compliance with industry programs or
certifications such as SOC1, SOC 2, SSAE16, PCI, HIPAA, FINRAA,
or FedRAMP. |
Poor Financial Viability | Applications with the potential to be out of business within the
next 18 to 24 months. |
No IP Restrictions | Applications without IP-based restrictions for user access. |
Classification | |
Category | The application category will be one of the following:
|
Subcategory | The subcategory in which the application is classified. Different
categories have different subcategories associated with them.
For example, subcategories in the collaboration category include
email, file sharing, instant-messaging, Internet-conferencing,
social-business, social-networking, voip-video, and web-posting.
Whereas subcategories in the business-systems category include
auth-service, database, erp-crm, general-business, management,
office-programs, software-update, and storage-backup. |
Technology | The application technology will be one of the following:
|
Risk | Assigned risk of the application. |
Tags | Tags assigned to an application. Edit tags to add or remove tags for an application. |
Options | |
Session Timeout | The period of time, in seconds, required for the application to
time out due to inactivity (range is 1-604800 seconds). This
timeout is for protocols other than TCP or UDP. For TCP and UDP,
refer to the next rows in this table. |
TCP Timeout (seconds) | Timeout, in seconds, for terminating a TCP application flow
(range is 1-604800). A value of 0 indicates that the global session timer will be
used, which is 3600 seconds for TCP. |
UDP Timeout (seconds): | Timeout, in seconds, for terminating a UDP application flow
(range is 1-604800 seconds). |
TCP Half Closed (seconds) | Maximum length of time, in seconds, that a session remains in the
session table between receiving the first FIN packet and
receiving the second FIN packet or RST packet. If the timer
expires, the session is closed (range is 1-604800). Default: If this timer isn't configured at the application level,
the global setting is used. If this value is configured at the application level, it
overrides the global TCP Half Closed setting. |
TCP Time Wait (seconds) | Maximum length of time, in seconds, that a session remains in the
session table after receiving the second FIN packet or an RST
packet. If the timer expires, the session is closed (range is
1-600). Default: If this timer isn't configured at the application level,
the global setting is used. If this value is configured at the application level, it
overrides the global TCP Time Wait setting. |
App-ID Enabled | Indicates whether the App-ID is enabled or disabled. If an App-ID
is disabled, traffic for that application will be treated as the
Previously Identified As App-ID in both Security policy and in
logs. For applications added after content release version 490,
you have the ability to disable them while you review the impact on Security policy of the new app. After reviewing the security rule, you may
choose to enable the App-ID. You also have the ability to
disable an application that you have previously enabled. On a
multi-vsys, you can disable App-IDs separately in each virtual
system. |
Create a Custom Application
Cloud Managed
Exercise granular policy control over applications to minimize the range of
unidentified traffic on your network, thereby reducing the attack surface.
To safely enable applications you must classify all traffic, across all ports, all
the time. With App-ID, the only applications that are typically classified as
unknown traffic—tcp, udp or non-syn-tcp—in the ACC and the Traffic logs are
commercially available applications that have not yet been added to App-ID, internal
or custom applications on your network, or potential threats.
If you're seeing unknown traffic for a commercial application that does not yet
have an App-ID, you can submit a request for a new App-ID here: http://researchcenter.paloaltonetworks.com/submit-an-application/.
To ensure that your internal custom applications don't show up as unknown traffic,
create a custom application. You can then exercise granular policy control over
these applications in order to minimize the range of unidentified traffic on your
network, thereby reducing the attack surface. Creating a custom application also
allows you to correctly identify the application in the ACC and Traffic logs, which
enables you to audit/report on the applications on your network.
To create a custom application, you must define the application attributes: its
characteristics, category, and sub-category, risk, port, timeout. In addition, you
must define patterns or values that the your configuration can use to match to the
traffic flows themselves (the signature). Finally, you can attach the
custom application to a Security rule that allows or denies the application
(or add it to an application group or match it to an application filter). You can
also create custom applications to identify ephemeral applications with topical
interest, such as ESPN3-Video for world cup soccer or March Madness.
In order to collect the right data to create a custom application signature,
you'll need a good understanding of packet captures and how datagrams are
formed. If the signature is created too broadly, you might inadvertently include
other similar traffic; if it's defined too narrowly, the traffic will evade
detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this
database isn't impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect
applications that may be tunneling inside of the protocol include the following
as of content release version 609: FTP, HTTP, IMAP, POP3, SMB, and SMTP.
The following is a basic example of how to create a custom application.
- Gather information about the application that you will be able to use to write custom signatures.To do this, you must have an understanding of the application and how you want to control access to it. For example, you may want to limit what operations users can perform within the application (such as uploading, downloading, or live streaming). Or you may want to allow the application, but enforce QoS policing.
- Capture application packets so that you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so that you will be able to locate each type of session in the resulting packet captures (PCAPs).
- Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
- Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths, or hostnames. For information on the different string contexts you can use to create application signatures and where you can find the corresponding values in the packet, refer to Creating Custom Threat Signatures.
- Add the custom application.
- Select and selectAdd Application.
- On theConfigurationtab, enter aNameand aDescriptionfor the custom application that will help other administrators understand why you created the application.
- Define the application Properties and Characteristics.
- Define details about the application, such as the underlying protocol, the port number the application runs on, the timeout values, and any types of scanning you want to be able to perform on the traffic.On theAdvancedtab, define settings that will allow the firewall to identify the application protocol:
- Specify the default ports or protocol that the application uses.
- Specify the session timeout values. If you don’t specify timeout values, the default timeout values will be used.
- Indicate any type of additional scanning you plan to perform on the application traffic.
For example, to create a custom TCP-based application that runs over SSL, but uses port 4443 (instead of the default port for SSL, 443), you would specify the port number. By adding the port number for a custom application, you can create security rules that use the default port for the application rather than opening up additional ports on the firewall. This improves your security posture.
- Define the criteria that the firewall will use to match the traffic to the new application.You will use the information you gathered from the packet captures to specify unique string context values that the firewall can use to match patterns in the application traffic.
- On theSignaturestab, clickAddand define aSignature Nameand optionally aCommentto provide information about how you intend to use this signature.
- Specify theScopeof the signature: whether it matches to a fullSessionor a singleTransaction.
- Specify conditions to define signatures by clickingAdd And ConditionorAdd Or Condition.
- Select anOperatorto define the type of match conditions you will use:Pattern MatchorEqual To.
- If you selectedPattern Match, select theContextand then use a regular expression to define thePatternto match the selected context. Optionally, clickAddto define a qualifier/value pair. TheQualifierlist is specific to theContextyou chose.
- If you selectedEqual To, select theContextand then use a regular expression to define thePositionof the bytes in the packet header to use match the selected context. Choose fromfirst-4bytesorsecond-4bytes. Define the 4-byte hex value for theMask(for example, 0xffffff00) andValue(for example, 0xaabbccdd).
For example, if you're creating a custom application for one of your internal applications, you could use thessl-rsp-certificate Contextto define a pattern match for the certificate response message of an SSL negotiation from the server and create aPatternto match the Common Name of the server in the message as shown here:
- If the order in which your configuration attempts to match the signature definitions is important, make sure theOrdered Condition Matchcheck box is selected and then order the conditions so that they are evaluated in the appropriate order. Select a condition or a group and select the Up Arrow or Down Arrow. You can't move conditions from one group to another.
- SelectAddto save the signature definition.
- Savethe application.
- Validate that traffic matches the custom application as expected.
- Select and selectAdd Ruleadd a Security security rule to allow the new application.
- Run the application from a client system and then check the Traffic logs () to make sure that you see traffic matching the new application (and that it's being handled per your policy rule).
PAN-OS & Panorama
Exercise granular policy control over applications to minimize the range of
unidentified traffic on your network, thereby reducing the attack surface.
To safely enable applications you must classify all traffic, across all ports, all
the time. With App-ID, the only applications that are typically classified as
unknown traffic—tcp, udp or non-syn-tcp—in the ACC and the Traffic logs are
commercially available applications that have not yet been added to App-ID, internal
or custom applications on your network, or potential threats.
If you're seeing unknown traffic for a commercial application that does not yet
have an App-ID, you can submit a request for a new App-ID here: http://researchcenter.paloaltonetworks.com/submit-an-application/.
To ensure that your internal custom applications don't show up as unknown traffic,
create a custom application. You can then exercise granular policy control over
these applications to minimize the range of unidentified traffic on your network,
thereby reducing the attack surface. Creating a custom application also allows you
to correctly identify the application in the ACC and Traffic logs, which enables you
to audit/report on the applications on your network.
To create a custom application, you must define the application attributes: its
characteristics, category, and sub-category, risk, port, timeout. In addition, you
must define patterns or values that the firewall can use to match to the traffic
flows themselves (the signature). Finally, you can attach the custom
application to a Security rule that allows or denies the application (or add
it to an application group or match it to an application filter). You can also
create custom applications to identify ephemeral applications with topical interest,
such as ESPN3-Video for world cup soccer or March Madness.
In order to collect the right data to create a custom application signature,
you'll need a good understanding of packet captures and how datagrams are
formed. If the signature is created too broadly, you might inadvertently include
other similar traffic; if it's defined too narrowly, the traffic will evade
detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this
database isn't impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect
applications that may be tunneling inside of the protocol include the following
as of content release version 609: FTP, HTTP, IMAP, POP3, SMB, and SMTP.
The following is a basic example of how to create a custom application.
- Gather information about the application that you will be able to use to write custom signatures.To do this, you must have an understanding of the application and how you want to control access to it. For example, you may want to limit what operations users can perform within the application (such as uploading, downloading, or live streaming). Or you may want to allow the application, but enforce QoS policing.
- Capture application packets so that you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so that you will be able to locate each type of session in the resulting packet captures (PCAPs).
- Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
- Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths, or hostnames. For information on the different string contexts you can use to create application signatures and where you can find the corresponding values in the packet, refer to Creating Custom Threat Signatures.
- Add the custom application.
- Select and clickAdd.
- On theConfigurationtab, enter aNameand aDescriptionfor the custom application that will help other administrators understand why you created the application.
- (Optional) SelectSharedto create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
- Define the application Properties and Characteristics.
- Define details about the application, such as the underlying protocol, the port number the application runs on, the timeout values, and any types of scanning you want to be able to perform on the traffic.On theAdvancedtab, define settings that will allow the firewall to identify the application protocol:
- Specify the default ports or protocol that the application uses.
- Specify the session timeout values. If you don’t specify timeout values, the default timeout values will be used.
- Indicate any type of additional scanning you plan to perform on the application traffic.
For example, to create a custom TCP-based application that runs over SSL, but uses port 4443 (instead of the default port for SSL, 443), you would specify the port number. By adding the port number for a custom application, you can create security rules that use the default port for the application rather than opening up additional ports on the firewall. This improves your security posture.
- Define the criteria that the firewall will use to match the traffic to the new application.You will use the information you gathered from the packet captures to specify unique string context values that the firewall can use to match patterns in the application traffic.
- On theSignaturestab, clickAddand define aSignature Nameand optionally aCommentto provide information about how you intend to use this signature.
- Specify theScopeof the signature: whether it matches to a fullSessionor a singleTransaction.
- Specify conditions to define signatures by clickingAdd And ConditionorAdd Or Condition.
- Select anOperatorto define the type of match conditions you will use:Pattern MatchorEqual To.
- If you selectedPattern Match, select theContextand then use a regular expression to define thePatternto match the selected context. Optionally, clickAddto define a qualifier/value pair. TheQualifierlist is specific to theContextyou chose.
- If you selectedEqual To, select theContextand then use a regular expression to define thePositionof the bytes in the packet header to use match the selected context. Choose fromfirst-4bytesorsecond-4bytes. Define the 4-byte hex value for theMask(for example, 0xffffff00) andValue(for example, 0xaabbccdd).
For example, if you're creating a custom application for one of your internal applications, you could use thessl-rsp-certificate Contextto define a pattern match for the certificate response message of an SSL negotiation from the server and create aPatternto match the Common Name of the server in the message as shown here:
- If the order in which the firewall attempts to match the signature definitions is important, make sure theOrdered Condition Matchcheck box is selected and then order the conditions so that they are evaluated in the appropriate order. Select a condition or a group and clickMove UporMove Down. You can't move conditions from one group to another.
- ClickOKto save the signature definition.
- Save the application.
- ClickOKto save the custom application definition.
- ClickCommit.
- Validate that traffic matches the custom application as expected.
- Select andAdda Security rule to allow the new application.
- Run the application from a client system that is between the firewall and the application and then check the Traffic logs () to make sure that you see traffic matching the new application (and that it's being handled per your policy rule).
Application Override Policy
Change how your configuration classifies applications.
Application Override policies bypass layer 7 processing and threat inspection and
instead use less secure stateful layer 4 inspection. Application Override policies
prevent layer 7 application identification and layer 7 threat inspection and
prevention; do not use Application Override unless you must. Instead, create a
custom application or create a custom
service timeout so that you
maintain visibility into, control, and inspect the application in regular layer 7
Security rules.
Only use Application Override in the most highly trusted environments where you can
apply the principle of least privilege strictly. Install endpoint protection on
endpoints, install compensating protections on servers, and make the Application
Override rule as restrictive as possible (only the necessary source, destination,
users, applications, and services) since you have limited visibility into the
traffic. If you must use Application Override and the traffic traverses multiple
inspection points such as a data center and then a perimeter, apply Application
Override consistently along the path.
There are two main use cases for Application Override:
- InPrisma Access, you can’t make application-level gateway (ALG) changes in the cloud and you can’t push them through Panorama, so if you need a SIP ALG, you may need to create an Application Override rule.
- In environments where SMB traffic performance is critically low and Disable Server Response Inspection (DRSI) doesn’t improve performance enough, you may need to create an Application Override rule (Application Override rules are processed faster at the expense of security because they bypass layer 7 inspection).
Cloud Managed
Stateful layer 4 inspection for SIP-ALG and SMB traffic that overrides
application-based policy.
Palo Alto Networks determines what an application is irrespective of port, protocol,
encryption, (SSH or SSL) or any other evasive tactic used by the application.
Configure your won Application Override Policy to chance how traffic get classified
to support internal or proprietary application.
To change how your configuration classifies network traffic into applications, you
can specify application override policies. For example, if you want to control one
of your custom applications, an application override policy can be used to identify
traffic for that application according to zone, source and destination address, and
protocol. If you have network applications that are classified as “unknown,” you can
create new application definitions for them
Review your existing policy rulebase. If you have any Application Override rules for
traffic other than SMB or SIP, convert the rule to an App-ID based rule so that you
can decrypt and inspect the traffic at layer 7 and prevent threats.
To create an application override:
- First go to and create a custom application. This is the application that you want traffic to match instead of the App-IDPrisma Accessuses.
- Return to to then create your application override security rule.This rule specifies whenPrisma Accessshould invoke the custom application.Consider that when you create an application override security rule, you’re limitingPrisma AccessApp-ID from classifying traffic and performing threat inspection based on that application identification.To support internal proprietary applications, it’s worth thinking about creating a custom application (instead of an application override rule) that include the application signature so thatPrisma Accessperforms layer 7 inspection and scans the application traffic for threats.
PAN-OS & Panorama
Stateful layer 4 inspection for SIP-ALG and SMB traffic that overrides
application-based policy.
Palo Alto Networks determines what an application is irrespective of port, protocol,
encryption, (SSH or SSL) or any other evasive tactic used by the application.
Configure your own Application Override Policy to chance how traffic get classified
to support internal or proprietary application.
To change how your configuration classifies network traffic into applications, you
can specify application override policies. For example, if you want to control one
of your custom applications, an application override policy can be used to identify
traffic for that application according to zone, source and destination address,
port, and protocol. If you have network applications that are classified as
“unknown,” you can create new application definitions for them
Review your existing policy rulebase. If you have any Application Override rules for
traffic other than SMB or SIP, convert the rule to an App-ID based rule so that you
can decrypt and inspect the traffic at layer 7 and prevent threats.
To create an application override:
- Go to and create a custom application. This is the application that you want traffic to match instead of the App-ID your configuration uses.
- Go to to then create your application override security rule.This rule specifies whenPrisma Accessshould invoke the custom application.Consider that when you create an application override security rule, you’re limitingPrisma AccessApp-ID from classifying traffic and performing threat inspection based on that application identification.To support internal proprietary applications, it’s worth thinking about creating a custom application (instead of an application override rule) that include the application signature so thatPrisma Accessperforms layer 7 inspection and scans the application traffic for threats.