Does threat inspection occur when using an app-override to unknown-tcp?

Created On 12/10/20 04:12 AM - Last Modified 01/15/21 01:51 AM


Question


An application-override rule has been created with the application set to "unknown-tcp." Will threat inspection still occur on a session matching this rule?

Environment


  • Hardware-based Palo Alto Firewall
  • PAN-OS 8.1+, 9.0+, 9.1+, 10.0+
  • Application-override configured using the app-id "unknown-tcp"


Answer


No. If a session matches the application-override rule, Layer 7 inspection halts, the session is identified as "unknown-tcp", it is offloaded, and no further content or threat inspection occurs.
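
To find rules that put sessions into the uninspected state described above, this added example (not part of the original article and not Palo Alto Networks code) scans an exported configuration XML for application-override rules whose application is unknown-tcp. The element layout, the `<disabled>` flag, and the sample rules are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element names (application-override/
# rules/entry, <application>, <port>, <disabled>) are an assumed export layout.
SAMPLE_CONFIG = """
<config><devices><entry name="fw1"><vsys><entry name="vsys1"><rulebase>
<application-override><rules>
  <entry name="legacy-db">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <port>1521</port><protocol>tcp</protocol>
    <application>unknown-tcp</application>
  </entry>
  <entry name="erp-custom">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <port>8443</port><protocol>tcp</protocol><application>erp-custom-app</application>
  </entry>
  <entry name="old-test">
    <from><member>any</member></from><to><member>any</member></to>
    <port>9000-9100</port><protocol>tcp</protocol>
    <application>unknown-tcp</application><disabled>yes</disabled>
  </entry>
</rules></application-override>
</rulebase></entry></vsys></entry></devices></config>
"""

def _members(rule, tag):
    """Return the <member> values under a list-style element such as <from>."""
    return [m.text.strip() for m in rule.findall(f"{tag}/member") if m.text]

def find_unknown_tcp_overrides(xml_text):
    """List application-override rules that set the application to unknown-tcp."""
    findings = []
    for section in ET.fromstring(xml_text).iter("application-override"):
        for rule in section.findall("rules/entry"):
            if (rule.findtext("application") or "").strip() != "unknown-tcp":
                continue
            findings.append({
                "rule": rule.get("name"),
                "from": _members(rule, "from"),
                "to": _members(rule, "to"),
                "port": (rule.findtext("port") or "").strip(),
                "enabled": (rule.findtext("disabled") or "no").strip() != "yes",
            })
    # Enabled rules first: those are the ones currently skipping threat inspection.
    return sorted(findings, key=lambda f: not f["enabled"])

if __name__ == "__main__":
    for finding in find_unknown_tcp_overrides(SAMPLE_CONFIG):
        print(finding)
```

Each enabled rule it reports marks a zone pair and port range where matching sessions receive no content or threat inspection, so those rules deserve review first.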
