Service Versus Applications in PBF
PBF rules are applied either on the first packet (SYN)
or the first response to the first packet (SYN/ACK). This means
that a PBF rule may be applied before the firewall has enough information
to determine the application. Therefore, application-specific rules
are not recommended for use with PBF. Whenever possible, use a service
object, which is the Layer 4 port (TCP or UDP) used by the protocol
or application.
However, if you specify an application in a PBF rule, the firewall
performs App-ID caching. When an application passes
through the firewall for the first time, the firewall does not have
enough information to identify the application and therefore cannot
enforce the PBF rule. As more packets arrive, the firewall determines
the application, creates an entry in the App-ID cache, and retains
this App-ID for the session. When a new session is created with the
same destination IP address, destination port, and protocol ID,
the firewall could identify the application as the same as in the
initial session (based on the App-ID cache) and apply the PBF rule.
Therefore, a session that is not an exact match, and is not actually the same
application, can be forwarded based on the PBF rule.
Further, applications have dependencies and the identity of the
application can change as the firewall receives more packets. Because
PBF makes a routing decision at the start of a session, the firewall
cannot enforce a change in application identity. YouTube, for example,
starts as web-browsing but changes to Flash, RTSP, or YouTube based
on the different links and videos included on the page. However,
with PBF, because the firewall identifies the application as web-browsing
at the start of the session, the change in application is not recognized
thereafter.
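The following is an added illustration, not PAN-OS code or configuration: a small model of the App-ID cache behaviour described in the two paragraphs above, keyed on (destination IP, destination port, protocol ID). It shows that an application-based PBF rule is applied from the cache on the first packet, so a later session to the same tuple that is really a different application is forwarded by the rule and the mismatch is only learned after routing is fixed, whereas a service-object rule matches on what the SYN already carries. Addresses and the "youtube" session label are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    true_app: str   # what App-ID identifies once enough packets arrive


@dataclass
class PbfModel:
    # App-ID cache keyed on (destination IP, destination port, protocol ID):
    # all the firewall knows when it sees the SYN.
    app_cache: dict = field(default_factory=dict)

    def app_rule(self, s: Session, rule_app: str) -> str:
        """Application-based PBF rule: decided on the first packet from the
        cache only; the session's real app updates the cache afterwards."""
        key = (s.dst_ip, s.dst_port, s.proto)
        decision = "pbf" if self.app_cache.get(key) == rule_app else "default-route"
        self.app_cache[key] = s.true_app  # learned later, too late for this session
        return decision

    def service_rule(self, s: Session, port: int, proto: str) -> str:
        """Service-object PBF rule: the Layer 4 port/protocol is known from the SYN."""
        return "pbf" if (s.dst_port, s.proto) == (port, proto) else "default-route"


def run_scenario() -> dict:
    """Four sessions to one constructed destination, port and protocol."""
    m = PbfModel()
    web = Session("203.0.113.10", 80, "tcp", "web-browsing")
    yt = Session("203.0.113.10", 80, "tcp", "youtube")  # same tuple, different app
    return {
        "app_first": m.app_rule(web, "web-browsing"),   # empty cache: rule not applied
        "app_second": m.app_rule(web, "web-browsing"),  # cache hit: rule applied
        "app_third": m.app_rule(yt, "web-browsing"),    # cache says web-browsing:
                                                        # youtube session gets the rule
        "app_fourth": m.app_rule(web, "web-browsing"),  # cache now says youtube:
                                                        # web-browsing session misses it
        "svc_web": m.service_rule(web, 80, "tcp"),      # L4 match is deterministic
        "svc_yt": m.service_rule(yt, 80, "tcp"),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```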
You cannot use custom applications, application filters,
or application groups in PBF rules.