To change how the firewall classifies network traffic into applications, you can specify application override policies. For example, if you want to control one of your custom applications, an application override policy can be used to identify traffic for that application according to zone, source and destination address, port, and protocol. If you have network applications that are classified as “unknown,” you can create new application definitions for them.
Like security policies, application override policies can be as general or specific as needed. The policy rules are compared against the traffic in sequence, so the more specific rules must precede the more general ones.
Because the App-ID engine in PAN-OS classifies traffic by identifying application-specific content in network traffic, a custom application definition cannot rely on a port number alone to identify the application. The override must also be tied to a restricted set of traffic, narrowed by source zone, source IP address, destination zone, and destination IP address.
To create a custom application with application override:
Create a custom application (see Defining Applications). It is not required to specify signatures for the application if the application is used only for application override rules.
Define an application override policy that specifies when the custom application should be invoked. A policy typically includes the IP address of the server running the custom application and a restricted set of source IP addresses or a source zone.
Use the following tables to configure an application override rule.
Application Override General Tab
Select the General tab to configure a name and description for the application override policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.
Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description: Enter a description for the rule (up to 255 characters).
Tag: If you need to tag the policy, click Add to specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Application Override Source Tab
Select the Source tab to specify the source zone or source address of the incoming traffic to which the application override policy applies.
Source Zone: Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Source Address: Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.
Application Override Destination Tab
Select the Destination tab to specify the destination zone or destination address of the traffic to which the policy applies.
Destination Zone: Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.
Application Override Protocol/Application Tab
Select the Protocol/Application tab to define the protocol (TCP or UDP), port, and application that further defines the attributes of the application for the policy match.
Protocol: Select the protocol (TCP or UDP) for which the application can be overridden.
Port: Enter the port number (0 to 65535) or range of port numbers (port1-port2) for the specified destination addresses. Multiple ports or ranges must be separated by commas.
Application: Select the override application for traffic flows that match the rule criteria above. When you override to a custom application, no threat inspection is performed on that traffic; the only exception is overriding to a pre-defined application that supports threat inspection. To define new applications, refer to Objects > Applications.
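The first-match evaluation and field semantics described above (rules compared in sequence, zones, addresses with Negate, protocol, and the comma-separated port/range syntax of the Port field) as an added Python model. This is example code, not PAN-OS code or any Palo Alto Networks implementation; the rule and flow values are constructed, and the set of pre-defined applications that keep threat inspection is an assumption for illustration. The shadowing check makes the "more specific rules must precede more general ones" point concrete by reporting rules an earlier rule fully covers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse the Port field syntax 'port1-port2,port3' into inclusive ranges."""
    ranges: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty port entry in {spec!r}")
        low, _, high = item.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not 0 <= lo <= hi <= 65535:  # reject out-of-range and inverted ranges
            raise ValueError(f"bad port entry {item!r}")
        ranges.append((lo, hi))
    return ranges

def port_matches(spec: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))

def zone_matches(zones: Sequence[str], zone: str) -> bool:
    return "any" in zones or zone in zones

def address_matches(addresses: Sequence[str], negate: bool, ip: str) -> bool:
    # 'any' matches everything; Negate inverts the match on explicit objects
    if "any" in addresses:
        return True
    hit = any(ip_address(ip) in ip_network(a, strict=False) for a in addresses)
    return not hit if negate else hit

@dataclass
class OverrideRule:
    name: str
    from_zones: Sequence[str]   # Source Zone: 'any' or zone names
    to_zones: Sequence[str]     # Destination Zone
    source: Sequence[str]       # Source Address: 'any', hosts or CIDRs
    destination: Sequence[str]  # Destination Address
    protocol: str               # 'tcp' or 'udp'
    port: str                   # Port field, e.g. '8443' or '8000-8100,9000'
    application: str            # override application
    negate_source: bool = False
    negate_destination: bool = False

@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    protocol: str
    dport: int

# Assumed (not from the page) pre-defined applications that keep threat
# inspection as an override target; a custom application gets none.
INSPECTED_PREDEFINED = {"web-browsing", "ssl"}

def rule_matches(rule: OverrideRule, flow: Flow) -> bool:
    return (zone_matches(rule.from_zones, flow.from_zone)
            and zone_matches(rule.to_zones, flow.to_zone)
            and address_matches(rule.source, rule.negate_source, flow.src)
            and address_matches(rule.destination, rule.negate_destination, flow.dst)
            and rule.protocol == flow.protocol
            and port_matches(rule.port, flow.dport))

def evaluate(rules: Sequence[OverrideRule], flow: Flow) -> Optional[Tuple[str, str, bool]]:
    """First match wins: (rule name, application, threat inspection applies); None = normal App-ID."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.application, rule.application in INSPECTED_PREDEFINED
    return None

def _covers(broad: Sequence[str], narrow: Sequence[str]) -> bool:
    return "any" in broad or set(narrow) <= set(broad)

def _ports_cover(broad: str, narrow: str) -> bool:
    return all(any(b[0] <= n[0] and n[1] <= b[1] for b in parse_ports(broad))
               for n in parse_ports(narrow))

def shadowed_rules(rules: Sequence[OverrideRule]) -> List[str]:
    """Rules an earlier rule fully covers (conservative: 'any'/exact objects, no Negate)."""
    plain = [r for r in rules if not (r.negate_source or r.negate_destination)]
    def covers(a: OverrideRule, b: OverrideRule) -> bool:
        return (_covers(a.from_zones, b.from_zones) and _covers(a.to_zones, b.to_zones)
                and _covers(a.source, b.source) and _covers(a.destination, b.destination)
                and a.protocol == b.protocol and _ports_cover(a.port, b.port))
    return [later.name for i, later in enumerate(plain)
            if any(covers(earlier, later) for earlier in plain[:i])]

# Constructed rules: a specific override for a custom ERP app and a general one.
SPECIFIC = OverrideRule("custom-erp-8443", ["trust"], ["dmz"], ["10.1.0.0/16"],
                        ["10.2.0.10"], "tcp", "8443", "custom-erp")
GENERAL = OverrideRule("dmz-tcp-8000-9000", ["trust"], ["dmz"], ["any"], ["any"],
                       "tcp", "8000-9000", "web-browsing")
ERP_FLOW = Flow("trust", "dmz", "10.1.5.7", "10.2.0.10", "tcp", 8443)

if __name__ == "__main__":
    print(evaluate([SPECIFIC, GENERAL], ERP_FLOW), evaluate([GENERAL, SPECIFIC], ERP_FLOW))
    print(shadowed_rules([GENERAL, SPECIFIC]))
```

With the specific rule first, the ERP flow is overridden to custom-erp and the result records that no threat inspection applies; with the general rule first, the same flow is swallowed by the port-range rule and the specific rule is reported as shadowed, which is the ordering mistake the text warns about.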