App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms—application signatures, application protocol decoding, and heuristics—to your network traffic stream to accurately identify
Here's how App-ID identifies applications traversing your network:
Traffic is matched against policy to check whether it is allowed on the network.
Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines whether the application is being used on its default port or on a non-standard port. If the traffic is allowed by policy, it is then scanned for threats and further analyzed for identifying the application more
If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application, for example—block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
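The staged identification described above, as an added toy model in Python that is not Palo Alto Networks' code: the signatures, the HTTP decoder, the entropy heuristic and the policy table are constructed sample data, and blocking an application seen off its default port is an assumption of this model, not a statement about PAN-OS defaults.

```python
from dataclasses import dataclass, field

# Constructed sample "signatures" (not real App-ID content):
# payload prefix -> (application name, set of default ports)
SIGNATURES = {b"GET ": ("web-browsing", {80, 443}),
              b"\x16\x03": ("ssl", {443}),
              b"SSH-": ("ssh", {22})}

def http_decoder(payload):
    """Toy HTTP decoder: spots an IM client tunnelled inside HTTP."""
    return "yahoo-im" if b"Host: messenger.yahoo.com" in payload else None

DECODERS = {"web-browsing": http_decoder}
# Constructed policy table: action per identified application.
POLICY = {"web-browsing": "allow+scan", "ssl": "allow", "ssh": "allow",
          "yahoo-im": "block"}

@dataclass
class Session:
    dport: int
    payload: bytes
    decrypt_rule: bool = False   # a Decryption policy rule matches this flow
    plaintext: bytes = b""       # what decryption would reveal (constructed)
    trail: list = field(default_factory=list)  # app names seen, in order

def match_signature(sess):
    """Stage 1: signature match plus default-port check."""
    for prefix, (app, ports) in SIGNATURES.items():
        if sess.payload.startswith(prefix):
            return app, sess.dport in ports
    return None, None

def classify(sess):
    """Run the staged identification; returns (app, on_default_port, action)."""
    app, on_default = match_signature(sess)
    if app in ("ssl", "ssh") and sess.decrypt_rule:   # stage 2: decrypt, re-match
        sess.trail.append(app)
        sess.payload = sess.plaintext
        app, on_default = match_signature(sess)
    if app in DECODERS:                               # stage 3: tunnelled apps
        inner = DECODERS[app](sess.payload)
        if inner:
            sess.trail.append(app)
            app = inner
    if app is None:                                   # stage 4: toy heuristic
        random_looking = len(set(sess.payload)) > 0.6 * len(sess.payload)
        app, on_default = ("unknown-p2p" if random_looking else "unknown-tcp"), False
    sess.trail.append(app)
    action = POLICY.get(app, "block")                 # final policy check
    if not on_default and action != "block":
        action = "block (non-standard port)"
    return app, on_default, action
```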