>
    Strata Copilot
    Configure Custom Applications
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Administrator’s Guide
    4. Prisma SD-WAN Stacked Policies
    5. Custom Applications and System Application Overrides
    6. Configure Custom Applications
    Download PDF
    Prisma SD-WAN

    Configure Custom Applications

    Table of Contents

    Configure Custom Applications

    Configure custom applications on Prisma SD-WAN which you wish to include in your system for your enterprise. You may define custom applications based on either L3/L4 or L7 characteristics.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    Prisma SD-WAN Custom Applications are applications you wish to include in your system for your enterprise. You may define custom applications based on either L3/L4 or L7 characteristics.
    Palo Alto Network recommends to define port scanners as scanning application. This recommendation is based on two key operational considerations:
    • Session Prioritization and Aging: Scanning applications often generate thousands of sessions, which can consume significant session table resources. By explicitly identifying scanner traffic, the system ensures that legitimate application traffic is always prioritized. When a site approaches its session capacity, sessions associated with scanning applications are aged out first, preserving resources for business-critical traffic.
    • Optimized Use of Application Health Probes: Prisma SD-WAN uses application-level probes to monitor and validate the health of network paths when application connectivity issues are detected. These probes help determine when a previously degraded path has recovered and can be safely used again. However, scanning applications do not require this level of validation. When scanner traffic is properly classified, the system suppresses probe generation for these sessions, reducing unnecessary resource consumption and improving overall device efficiency.
    By following this best practice, you can improve overall system efficiency and maintain optimal performance for legitimate application traffic.
    Avoid implementing or modifying prefix filters with excessively high entry counts. Large prefix lists are not recommended while configuring custom applications, as they can exhaust the ION device’s memory and lead to Out Of Memory (OOM) failures.

    Layer 3/Layer 4 Applications

    1. Select ConfigurationPrisma SD-WANResourcesApplications.
    2. Click Add Application.
    3. Enter a Display Name.
      A suggested application abbreviation displays in the Abbreviation field.
    4. Select Network (L3/L4) for Identification.
    5. For UDP Filter Rules, include a mandatory port number, an (optional) DSCP value between 0 to 63, and an (optional) prefix filter.
      Layer 3 or Layer 4 applications require a port number and a prefix filter.
    6. For TCP Filter Rules, include the server port number, (optional) DSCP value between 0 to 63, and (optional) server prefix filter. The list of decimal values for common DSCP names are:
      Decimal ValueHex ValueMeaning
      00x00Best effort (CS0 - Default)
      80x08CS1
      100x0AAF11
      120x0CAF12
      140x0EAF13
      160x010CS2
      180x012AF21
      200x014AF22
      220x016AF23
      240x018CS3
      260x01AAF31
      280x01CAF32
      300x01EAF33
      320x020CS4
      340x022AF41
      360x024AF42
      380x026AF43
      400x028 CS5
      460x02E Expedited forwarding (EF)
      480x030CS6
      560x038CS7
      Prefix filters with respective ports are required for a custom application. Although it is possible to reuse prefix filters, the ports need to be unique for each custom application.
      For prefix filters, define one or more IP addresses or subnets. IP addresses within a prefix are defined by the subnet. For example, 10.1.1.0/24 defines the entire limit of 255 IP addresses in that subnet.
      For global prefix filters, enter an IP and subnet address and for local prefix filters, select a site in addition to entering an IP and subnet address.
    7. For IP Rules, choose a protocol, and enter a DSCP marking and a destination prefix filter.
      1. Select a protocol from the Protocol drop-down. For example, GRE, or ICMP.
      2. (Optional) Enter a value in the range of 0 – 63 for DSP.
      3. Select a prefix filter from the Destination Prefix Filters drop-down.
        Up to eight destination prefixes may be added. You may add a new prefix filter by clicking Create New Filter, if prefix filters is not already defined.
      4. Select a prefix filter from the Source Prefix Filters drop-down.
        Up to eight destination prefixes may be added. You may add a new prefix filter by clicking Create New Filter, if prefix filters is not already defined.
    8. Select Apply.
      The new custom application displays under Custom Applications.

    Layer 7 Applications

    1. Select ConfigurationPrisma SD-WANResourcesApplications.
    2. Click Add Application.
      A suggested application abbreviation displays in the Abbreviation field.
    3. Select Application L7 for Identification.
    4. For Domain, enter a domain name.
      Domain names are case sensitive. Ensure that the domain name matches the name displayed as per the Server Name Indication (SNI), so that Prisma SD-WAN detects the application as an L7 custom application.
      Layer 7 applications require a domain name or URL address. You may add up to 16 domain names. You can accomplish a wildcard match by specifying the parent domain. For example, if you have an application that leverages different sub-domains, a search for the parent domain produces a result with all sub-domains.
    5. From the App Category drop-down, select a category.
    6. From the Transfer Type drop-down, select transfer type to be Transactional, Bulk, Real-Time Audio, or Real-Time Video.
      The order in which the queues are serviced within a priority level is Real-time audio, Real-time video, Transactional, and Bulk. This selection directly impacts the queue in which the traffic is placed within a priority tier (Platinum, Gold, Silver, or Bronze), as defined in a policy rule.
    7. Enter an Ingress Traffic Percentage.
      Ingress traffic percentage is the amount of traffic in bytes for a given application received by the ION device in the WAN-to-LAN direction compared to the overall traffic for that application. This percentage determines the weight given to bandwidth capacity and utilization when the system makes path-selection decisions. For example, 50% would provide equal weight to both ingress and egress traffic.
    8. Enter Connection Idle Timeout in seconds.
      Timeout, in terms of resources allocated, is when an application flow is maintained in the system when there is no traffic flow for the application. After the specified timeout, the flow is deleted from the system
    9. Set Path Affinity to Strict or None.
      • Strict—If a path selected for a client session is available within a policy, subsequent application sessions from the same client for this application adheres to the originally-selected path.
      • None—It is the opposite of strict. Each subsequent client session is free to take any path allowed by policy as long as that path is available within the service level agreement (SLA).
    10. Use the Using Unreachability Detection option to monitor applications for reachability.
      When the branch ION device is reaching the limits of its concurrent connection capacity, it would drop flows identified as network scan apps in order to prioritize real application flows. Existing and new flows matching scan apps will be evicted or not admitted when the ION device is at the flow limit making room for real user traffic flows.
      Use application reachability to determine if an application is reachable on a given path. This information is useful when making path selection decisions. If an application is considered unreachable on a given path, then that path is not used. If all paths are marked unavailable, then one of the active paths is selected as defined in the application path policy.
      The ION device continuously monitors the communication between clients (on the LAN side) and servers (on the WAN side). If the ION device determines that a server is not responding to a client's messages on a given path, it triggers the application reachability feature. The ION device actively probes the server on that path to ensure that the server is reachable and responding.
      The ION device monitors communication only for the TCP flows initiated from the LAN side of the ION device. All TCP applications have unreachability detection enabled by default. When configuring a custom application, this feature can be disabled optionally.
    11. Enable Network Scan App to designate custom applications as network scan applications.
      This functionality is disabled by default. Enabling the attribute on an existing custom application applies only for new flows coming in and hitting the application after the configuration is made. Existing flows hitting the custom application do not inherit the configuration.
      When you enable Network Scan App, ensure that you deselect Use Unreachability Detection and set Path Affinity to None.
    12. Select Apply.
      The new custom application displays under Custom Applications.

    © 2026 Palo Alto Networks, Inc. All rights reserved.