Application-default gives you a way to safely enable applications on their most commonly-used ports. It allows you to write simple, application-based policy rules based on your business needs, while preventing attacks that attempt to bypass traditional port-based policies.

Now, because certain applications use a different default port when they are encrypted, application-default differentiates between cleartext and encrypted application traffic when SSL decryption is turned on. For the applications that require it, like web-browsing, application-default enforces the application on both the

standard port

—the port the cleartext application uses—and the

secure port

—the port the encrypted application uses.

In the case of web-browsing, for example, this means that application-default now strictly enforces cleartext web-browsing traffic only on port 80 and SSL-tunneled web-browsing traffic only on port 443. Application-default for encrypted applications works by default and is supported for web-browsing, SMTP, FTP, LDAP, POP3 and IMAP traffic. For these applications, you can visit Applipedia or select

Objects

Applications

to view applications details, which include the secure port it uses when encrypted.

Application-default is a best practice for application-based security policies and SSL decryption: