Does the application configured in the Application Override still go through Layer7 processing?
Created On 03/05/22 03:54 AM - Last Modified 06/07/23 18:38 PM
Question
Does the application configured in the Application Override still go through Layer7 processing?
Environment
- Palo Alto Firewalls
- PANOS 9.1, 10.1, 10.2
- Application ID
Answer
- Palo Alto Firewalls have a built-in application decoder for the majority of known applications.
- If the application has a built-in decoder, it still goes through Layer 7 processing even when an Application Override is configured.
- If the application does not have a built-in decoder (such as a custom application or a new application), it does not go through Layer 7 processing, with or without App Override.
- When one creates an application override, the default application identification is overridden with the configured name.
- When a security policy is configured and an application override is enabled for the application, the firewall bypasses Layer 7 inspection and uses only Layer 3/Layer 4 information to identify the application.
- However, if the application has an existing decoder, the application will still go through Layer 7 inspection.
Example: If App Override is configured for the Oracle application, the Oracle application packets will still be subjected to Layer 7 processing because Oracle has a built-in application decoder.
Second Example
- If one is using a third-party scanner application without an application override, the packets enter the App-ID queue; if after 4 packets the firewall fails to identify the application, the traffic is identified as an unknown application and labelled unknown-UDP or unknown-TCP. There is no further content inspection for unknown-UDP or unknown-TCP.
- With an application override rule in place, once the traffic matches the override rule, the firewall labels the traffic with the configured application name (assuming a custom App is configured).
- With an application override rule (for example, the application is named as the custom application "scanner"), all traffic matched by this rule will not enter the App-ID queue and will be labelled as "scanner" in the traffic logs.
- Since there is no decoder associated with "scanner", Layer 7 processing is skipped for this traffic.
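The following Python model is an added illustration, not Palo Alto Networks code or a PAN-OS API: it encodes the decision rules from both examples above (override match labels traffic by Layer 3/Layer 4 tuple and skips the App-ID queue; Layer 7 inspection depends only on whether the resulting application has a built-in decoder; unidentified flows become unknown-tcp/udp after 4 packets). The decoder set, rules and flows are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: predefined applications that ship with a built-in decoder.
# Custom applications such as "scanner" are absent here, so they have no decoder.
BUILTIN_DECODERS = {"oracle", "ssl", "web-browsing", "dns"}

# Packets App-ID examines before labelling an unidentified flow unknown-tcp/udp.
APPID_PACKET_LIMIT = 4


@dataclass(frozen=True)
class Flow:
    proto: str                    # "tcp" or "udp"
    dport: int                    # destination port
    decoder_app: Optional[str]    # app a decoder would recognise, or None
    identified_at: Optional[int]  # packet number at which that recognition happens


@dataclass(frozen=True)
class OverrideRule:
    proto: str
    dport: int
    application: str  # name the matching traffic is labelled with


@dataclass(frozen=True)
class Verdict:
    label: str               # application name shown in the traffic log
    layer7_inspected: bool   # True only if the labelled app has a built-in decoder
    entered_appid_queue: bool


def classify(flow: Flow, rules: List[OverrideRule]) -> Verdict:
    """Override match -> Layer 3/4 label, no App-ID queue; otherwise run App-ID.
    In both paths Layer 7 inspection happens only if the final app has a decoder."""
    for rule in rules:
        if rule.proto == flow.proto and rule.dport == flow.dport:
            return Verdict(rule.application, rule.application in BUILTIN_DECODERS, False)
    # No override: the flow enters the App-ID queue.
    if flow.decoder_app is None or flow.identified_at is None \
            or flow.identified_at > APPID_PACKET_LIMIT:
        # Not identified within the window: unknown-tcp/udp, no further content inspection.
        return Verdict(f"unknown-{flow.proto}", False, True)
    return Verdict(flow.decoder_app, flow.decoder_app in BUILTIN_DECODERS, True)


if __name__ == "__main__":
    rules = [OverrideRule("tcp", 1521, "oracle"), OverrideRule("udp", 5000, "scanner")]
    for f in (Flow("tcp", 1521, "oracle", 3), Flow("udp", 5000, None, None)):
        print(f.proto, f.dport, classify(f, rules))
```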