App-ID, a patented traffic classification system only
available in Palo Alto Networks firewalls, determines what an application
is irrespective of port, protocol, encryption (SSH or SSL) or any
other evasive tactic used by the application. It applies multiple
classification mechanisms—application signatures, application protocol
decoding, and heuristics—to your network traffic stream to accurately identify
Here's how App-ID identifies applications traversing your network:
Traffic is matched against policy to check whether it
is allowed on the network.
Signatures are then applied to allowed traffic to identify
the application based on unique application properties and related
transaction characteristics. The signature also determines if the
application is being used on its default port or it is using a non-standard
port. If the traffic is allowed by policy, the traffic is then scanned
for threats and further analyzed for identifying the application
If App-ID determines that encryption (SSL or SSH) is in use,
and a Decryption policy
rule is in place, the session is decrypted and application signatures
are applied again on the decrypted flow.
Decoders for known protocols are then used to apply additional context-based
signatures to detect other applications that may be tunneling inside
of the protocol (for example, Yahoo! Instant Messenger used across HTTP).
Decoders validate that the traffic conforms to the protocol specification and
provide support for NAT traversal and opening dynamic pinholes for
applications such as SIP and FTP.
For applications that are particularly evasive and cannot
be identified through advanced signature and protocol analysis,
heuristics or behavioral analysis may be used to determine the identity
of the application.
When the application is identified, the policy check determines
how to treat the application, for example—block, or allow and scan
for threats, inspect for unauthorized file transfer and data patterns,
or shape using QoS.
Before you create an Application Override policy rule, make sure
you understand that the set of IPv4 addresses is treated as a subset
of the set of IPv6 addresses, as described in detail in Policy.