Palo Alto Networks Knowledgebase: How much data is necessary to recognize an application

How much data is necessary to recognize an application

Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM
Resolution

To recognize an application, the Palo Alto Networks firewall needs to capture enough data to match a pattern contained in an application signature.

As a compromise between application identification (App-ID) and security, the firewall inspects a limited amount of data before finally deciding whether the application is known or not.

The firewall waits for a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake).

In most cases, the application will be recognized before receiving that amount of data.

 

If the application is determined to be unknown, it will appear as "unknown-tcp" or "unknown-udp."
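The budget described above can be modelled as a small classifier, which helps when reasoning about why a flow was logged as "unknown-tcp" or "unknown-udp". This is an added example, not Palo Alto Networks code. It assumes that the limits apply to each direction separately, that handshake segments are the packets with an empty payload, and that a signature is a plain byte pattern; `Packet`, `classify`, `demo` and the `example-http` signature are hypothetical names.

```python
from dataclasses import dataclass

MAX_PACKETS = 4    # per-direction packet budget stated in the article
MAX_BYTES = 2000   # per-direction byte budget stated in the article

@dataclass
class Packet:
    direction: str   # "c2s" (client to server) or "s2c"
    payload: bytes   # b"" for SYN / SYN-ACK / ACK handshake segments

def classify(packets, signatures, proto="tcp"):
    """Model of the inspection budget; returns (verdict, data_packets_seen).

    signatures maps a hypothetical app name to a byte pattern. Real App-ID
    signatures are richer; substring matching is an assumption of this sketch.
    Returns (None, n) if the flow ends before a verdict is reached.
    """
    state = {d: {"pkts": 0, "bytes": 0, "data": b""} for d in ("c2s", "s2c")}
    seen = 0
    for pkt in packets:
        if not pkt.payload:
            continue  # handshake carries no data and is not counted
        side = state[pkt.direction]
        side["pkts"] += 1
        side["bytes"] += len(pkt.payload)
        side["data"] += pkt.payload
        seen += 1
        for app, pattern in signatures.items():
            if pattern in side["data"]:
                return app, seen            # recognized before the budget ran out
        if side["pkts"] >= MAX_PACKETS or side["bytes"] >= MAX_BYTES:
            return f"unknown-{proto}", seen  # budget exhausted, no match
    return None, seen

# Constructed sample flows (not captured traffic).
HANDSHAKE = [Packet("c2s", b""), Packet("s2c", b""), Packet("c2s", b"")]
SIGS = {"example-http": b"HTTP/1.1"}   # hypothetical signature

def demo():
    http = HANDSHAKE + [Packet("c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
    opaque = HANDSHAKE + [Packet("c2s", bytes([i]) * 10) for i in range(4)]
    bulk_udp = [Packet("c2s", b"\x00" * 2000)]
    return (classify(http, SIGS), classify(opaque, SIGS),
            classify(bulk_udp, SIGS, proto="udp"))

if __name__ == "__main__":
    print(demo())
```
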


