Network Security
Policy Object: Applications
Exercise granular policy control over applications to minimize the range of
unidentified traffic on your network, thereby reducing the attack surface.
Your network traffic is automatically classified into applications that you can use
to build a versatile Security policy based on your business needs (for example, allow
Slack messages but block file transfers). The Applications object lists various
attributes of each application definition, such as the application’s relative security
risk (1 to 5). The risk value is based on criteria such as whether the application can
share files, is prone to misuse, or tries to evade being detected. Higher values
indicate higher risk.
To configure this and any other Object settings, go to:
- Configuration > NGFW and Prisma Access > Objects on Cloud Managed deployments, and select the object you want to configure.
- Objects on PAN-OS and Panorama Managed deployments, and select the object you want to configure from the panel on the left.
On the application page, you can:
- Learn about applications, including their behavioral characteristics and risk level. This list includes over 3000 well-known and commercially available applications.
- Create custom applications based on application characteristics or behavior. Create custom applications to classify internal applications (a custom payroll app), special interest applications (an annual sports event), or a nested application (classify a function separately from the parent application, like Facebook’s Words with Friends). Custom applications can be global or they can be applied only to specific mobile user, remote network, and service connection locations (the Locations column indicates the deployment types that can use the custom app).
Applications Fields
Here are the various applications fields. Custom applications and Palo
Alto® Networks applications might display some or all of these fields.
Application Details

| Field | Description |
|---|---|
| Name | Name of the application. |
| Description | Description of the application (up to 255 characters). |
| Additional Information | Links to web sources (Wikipedia, Google, and Yahoo!) that contain additional information about the application. |
| Standard Ports | Ports that the application uses to communicate with the network. |
| Depends on | A list of other applications that are required for this application to run. When creating a Security rule to allow the selected application, you must also be sure that you're allowing any other applications that the application depends on. |
| Implicitly Uses | Other applications that the selected application depends on but that you don't need to add to your Security rules to allow the selected application, because those applications are supported implicitly. |
| Previously Identified As | For a new App-ID, or App-IDs that are changed, this indicates what the application was previously identified as. This helps you assess whether policy changes are required based on changes in the application. If an App-ID is disabled, sessions associated with that application will match the Security rule as the previously identified as application. Similarly, disabled App-IDs will appear in logs as the application they were previously identified as. |
| Deny Action | App-IDs are developed with a default deny action that dictates the response when the application is included in a Security rule with a deny action. The default deny action can specify either a silent drop or a TCP reset. You can override this default action in the Security policy. |

Characteristics

| Field | Description |
|---|---|
| Evasive | Uses a port or protocol for something other than its originally intended purpose with the hope that it won't get detected. |
| Excessive Bandwidth | Consumes at least 1 Mbps regularly through normal use. |
| Prone to Misuse | Often used for nefarious purposes or is easily set up to expose more than the user intended. |
| SaaS | Software as a Service (SaaS) is characterized as a service where the software and infrastructure are owned and managed by the application service provider but where you retain full control of the data, including who can create, access, share, and transfer the data. Keep in mind that in the context of how an application is characterized, SaaS applications differ from web services. Web services are hosted applications where either the user does not own the data (for example, Pandora) or where the service is primarily comprised of sharing data fed by many subscribers for social purposes (for example, LinkedIn, Twitter, or Facebook). |
| Capable of File Transfer | Can transfer a file from one system to another over a network. |
| Tunnels Other Applications | Can transport other applications inside its protocol. |
| Used by Malware | Malware has been known to use the application for propagation, attack, or data theft, or the application is distributed with malware. |
| Has Known Vulnerabilities | Has publicly reported vulnerabilities. |
| Pervasive | Likely has more than 1,000,000 users. |
| Continue Scanning for Other Applications | Continue to try to match against other application signatures. If you don't select this option, additional application matches won't be sought after the first matching signature. |

SaaS Characteristics

| Field | Description |
|---|---|
| Data Breaches | Applications that may have released secure information to an untrusted source within the past three years. |
| Poor Terms of Service | Applications with unfavorable terms of service that can compromise enterprise data. |
| No Certifications | Applications lacking current compliance with industry programs or certifications such as SOC 1, SOC 2, SSAE16, PCI, HIPAA, FINRA, or FedRAMP. |
| Poor Financial Viability | Applications with the potential to be out of business within the next 18 to 24 months. |
| No IP Restrictions | Applications without IP-based restrictions for user access. |

Classification

| Field | Description |
|---|---|
| Category | The application category will be one of the following: |
| Subcategory | The subcategory in which the application is classified. Different categories have different subcategories associated with them. For example, subcategories in the collaboration category include email, file sharing, instant-messaging, Internet-conferencing, social-business, social-networking, voip-video, and web-posting, whereas subcategories in the business-systems category include auth-service, database, erp-crm, general-business, management, office-programs, software-update, and storage-backup. |
| Technology | The application technology will be one of the following: |
| Risk | Assigned risk of the application. |
| Tags | Tags assigned to an application. Edit tags to add or remove tags for an application. |

Options

| Field | Description |
|---|---|
| Session Timeout | The period of time, in seconds, required for the application to time out due to inactivity (range is 1-604800 seconds). This timeout is for protocols other than TCP or UDP. For TCP and UDP, refer to the next rows in this table. |
| TCP Timeout (seconds) | Timeout, in seconds, for terminating a TCP application flow (range is 1-604800). A value of 0 indicates that the global session timer will be used, which is 3600 seconds for TCP. |
| UDP Timeout (seconds) | Timeout, in seconds, for terminating a UDP application flow (range is 1-604800 seconds). |
| TCP Half Closed (seconds) | Maximum length of time, in seconds, that a session remains in the session table between receiving the first FIN packet and receiving the second FIN packet or RST packet. If the timer expires, the session is closed (range is 1-604800). Default: if this timer isn't configured at the application level, the global setting is used. If this value is configured at the application level, it overrides the global TCP Half Closed setting. |
| TCP Time Wait (seconds) | Maximum length of time, in seconds, that a session remains in the session table after receiving the second FIN packet or an RST packet. If the timer expires, the session is closed (range is 1-600). Default: if this timer isn't configured at the application level, the global setting is used. If this value is configured at the application level, it overrides the global TCP Time Wait setting. |
| App-ID Enabled | Indicates whether the App-ID is enabled or disabled. If an App-ID is disabled, traffic for that application will be treated as the Previously Identified As App-ID in both Security policy and in logs. For applications added after content release version 490, you can disable them while you review the impact of the new app on Security policy. After reviewing the Security rule, you may choose to enable the App-ID. You can also disable an application that you have previously enabled. On a multi-vsys firewall, you can disable App-IDs separately in each virtual system. |
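The Depends on, Implicitly Uses, Previously Identified As and App-ID Enabled fields interact when you build a Security rule. The following added example (not Palo Alto Networks code; the application names and relationships are constructed, not real App-ID definitions) resolves which App-ID a session matches when an App-ID is disabled and lists the dependencies a rule still has to allow explicitly:

```python
# Added example (not Palo Alto Networks code): resolves which App-ID a session
# matches when an App-ID is disabled, and which dependencies a rule is missing.
# Application names and relationships below are constructed, not real App-IDs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class AppRecord:
    depends_on: Set[str] = field(default_factory=set)       # rule must also allow these
    implicitly_uses: Set[str] = field(default_factory=set)  # allowed without a rule entry
    previously_identified_as: Optional[str] = None
    enabled: bool = True

APP_DB: Dict[str, AppRecord] = {
    "web-browsing": AppRecord(),
    "ssl": AppRecord(),
    "example-chat": AppRecord(depends_on={"ssl", "web-browsing"}, implicitly_uses={"ssl"}),
    # Newer App-ID, disabled while its policy impact is reviewed.
    "example-chat-file-transfer": AppRecord(depends_on={"example-chat"},
                                            previously_identified_as="example-chat",
                                            enabled=False),
}

def effective_app(name: str, db: Dict[str, AppRecord]) -> str:
    """App-ID that sessions for `name` match in policy and show in logs.
    A disabled App-ID is treated as its Previously Identified As application,
    followed transitively in case that one is disabled too."""
    seen = set()
    while name in db and not db[name].enabled and db[name].previously_identified_as:
        if name in seen:
            raise ValueError(f"cycle in Previously Identified As chain at {name}")
        seen.add(name)
        name = db[name].previously_identified_as
    return name

def missing_dependencies(allowed: Set[str], db: Dict[str, AppRecord]) -> Dict[str, List[str]]:
    """Dependencies that a rule allowing `allowed` must also allow explicitly.
    Implicitly used applications are excluded: the firewall permits them
    without an entry in the rule."""
    missing: Dict[str, List[str]] = {}
    for app in sorted(allowed):
        rec = db.get(app)
        if rec is None:
            continue
        need = rec.depends_on - rec.implicitly_uses - allowed
        if need:
            missing[app] = sorted(need)
    return missing
```

Run `missing_dependencies({"example-chat"}, APP_DB)` to see that `web-browsing` must be added to the rule while `ssl` is covered implicitly; `effective_app("example-chat-file-transfer", APP_DB)` shows the disabled App-ID resolving to `example-chat`.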
Application Override Policy
Change how your configuration classifies applications.
Application Override policies bypass layer 7 processing and threat inspection and instead use less secure stateful layer 4 inspection. Because they prevent layer 7 application identification and layer 7 threat inspection and prevention, do not use Application Override unless you must. Instead, create a custom application or a custom service timeout so that you keep visibility into the application, control over it, and inspection of it in regular layer 7 Security rules.
Only use Application Override in the most highly trusted environments where you can
apply the principle of least privilege strictly. Install endpoint protection on
endpoints, install compensating protections on servers, and make the Application
Override rule as restrictive as possible (only the necessary source, destination,
users, applications, and services) since you have limited visibility into the
traffic. If you must use Application Override and the traffic traverses multiple
inspection points such as a data center and then a perimeter, apply Application
Override consistently along the path.
There are two main use cases for Application Override:
- In Prisma Access, you can’t make application-level gateway (ALG) changes in the cloud and you can’t push them through Panorama, so if you need a SIP ALG, you may need to create an Application Override rule.
- In environments where SMB traffic performance is critically low and Disable Server Response Inspection (DSRI) doesn't improve performance enough, you may need to create an Application Override rule (Application Override rules are processed faster at the expense of security because they bypass layer 7 inspection).
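Two of the guidelines above are easy to check mechanically: an Application Override rule should restrict every match field rather than leave it as any, and when traffic crosses several inspection points the override should be present at each of them. The following added example (not Palo Alto Networks code; the rules are plain dicts with constructed, hypothetical field names and values, not the product's configuration schema) implements both checks:

```python
# Added example (not Palo Alto Networks code): a least-privilege lint for
# Application Override rules. Rules are plain dicts with constructed, hypothetical
# field names and values; they are not the product's configuration schema.
from typing import Dict, List

# Fields the page says an override rule should narrow to only what is necessary.
SCOPE_FIELDS = ("source", "destination", "users", "application", "service")

# Constructed rule sets for two inspection points on the same traffic path.
DC_RULES = [
    {"name": "smb-backup-override", "application": "custom-smb-backup",
     "source": "10.10.5.0/24", "destination": "10.20.1.10",
     "users": "backup-svc", "service": "tcp/445"},
]
PERIMETER_RULES = [
    {"name": "sip-alg-override", "application": "sip",
     "source": "any", "destination": "any", "users": "any", "service": "udp/5060"},
]

def rule_findings(rule: Dict) -> List[str]:
    """Flag each match field left as 'any'. Because the override skips layer 7
    inspection, every field it does not restrict widens the uninspected traffic."""
    out = []
    for key in SCOPE_FIELDS:
        if str(rule.get(key, "any")).lower() == "any":
            out.append(f"{rule['name']}: {key} is 'any'; limit it to what the override needs")
    return out

def path_inconsistencies(rulesets: Dict[str, List[Dict]]) -> Dict[str, List[str]]:
    """Applications overridden at some inspection points but not at others,
    as {application: [points where the override is missing]}."""
    per_point = {p: {r["application"] for r in rules} for p, rules in rulesets.items()}
    all_apps = set().union(*per_point.values())
    result: Dict[str, List[str]] = {}
    for app in sorted(all_apps):
        missing = [p for p, apps in per_point.items() if app not in apps]
        if missing:
            result[app] = missing
    return result

def audit(rulesets: Dict[str, List[Dict]]) -> List[str]:
    """All findings for every inspection point, as printable strings."""
    lines = [f for rules in rulesets.values() for r in rules for f in rule_findings(r)]
    for app, points in path_inconsistencies(rulesets).items():
        lines.append(f"{app}: override missing at {', '.join(points)}")
    return lines
```

Calling `audit({"datacenter": DC_RULES, "perimeter": PERIMETER_RULES})` reports the three unrestricted fields in the perimeter SIP rule and that each override exists at only one of the two inspection points.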