To recognize an application, the Palo Alto Networks firewall needs to capture data and match it against a pattern contained in an application signature.
As a compromise between application identification (App-ID) and security, the firewall inspects a limited amount of data before finally deciding whether the application is known or not.
It waits for a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake).
In most cases, the application will be recognized before receiving that amount of data.
If the application is determined to be unknown, it will appear as "unknown-tcp" or "unknown-udp."
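
A simplified model of this decision, added here as an illustration and not Palo Alto Networks code. The `classify` function, the `Packet` type, the signature table and the sample payloads are hypothetical; it assumes the limits are counted per direction, that only packets carrying payload count, and that inspection stops once one direction reaches either limit.

```python
from dataclasses import dataclass

MAX_PACKETS = 4    # data packets inspected, limit taken from the text above
MAX_BYTES = 2000   # bytes of data inspected, limit taken from the text above

@dataclass
class Packet:
    direction: str  # "c2s" (client to server) or "s2c" (server to client)
    payload: bytes  # empty for TCP handshake segments and bare ACKs

def classify(packets, signatures, transport="tcp"):
    """Return (label, data_packets_inspected) for one session.

    signatures is a hypothetical {app_name: byte_pattern} table standing in
    for real application signatures, which are far richer than substrings.
    """
    seen = {d: {"pkts": 0, "bytes": 0, "data": b""} for d in ("c2s", "s2c")}
    inspected = 0
    for pkt in packets:
        if not pkt.payload:
            continue  # handshake or pure ACK: does not count (assumption)
        side = seen[pkt.direction]
        chunk = pkt.payload[:MAX_BYTES - side["bytes"]]  # stay inside byte budget
        side["pkts"] += 1
        side["bytes"] += len(chunk)
        side["data"] += chunk
        inspected += 1
        for app, pattern in signatures.items():
            if pattern in side["data"]:
                return app, inspected  # recognized before the budget ran out
        if side["pkts"] >= MAX_PACKETS or side["bytes"] >= MAX_BYTES:
            break  # budget exhausted in this direction: stop waiting
    return f"unknown-{transport}", inspected

# Constructed sample data (not real signatures or captured traffic).
SIGNATURES = {"demo-http": b"HTTP/1.1", "demo-banner": b"DEMO-SRV"}
HANDSHAKE = [Packet("c2s", b""), Packet("s2c", b""), Packet("c2s", b"")]
HTTP_SESSION = HANDSHAKE + [Packet("c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
OPAQUE_SESSION = HANDSHAKE + [Packet("c2s", b"\x00" * 100)] * 6
BULK_DATAGRAMS = [Packet("s2c", b"\x00" * 1500)] * 3

if __name__ == "__main__":
    print(classify(HTTP_SESSION, SIGNATURES))
    print(classify(OPAQUE_SESSION, SIGNATURES))
    print(classify(BULK_DATAGRAMS, SIGNATURES, transport="udp"))
```
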