Call a Specialist Today! 844-294-0778

Identifying any application on any port

Traffic classification is at the heart of any firewall, because your classifications form the basis of your security policies. Traditional firewalls classify traffic by port and protocol. At one point, this was a satisfactory mechanism for securing the perimeter. Not anymore.

If you still use a port-based firewall it is easy for applications to bypass it by:

Simply put, the traffic classification limitations of port-based firewalls make them unable to protect today's network. That's why we developed App-ID™, a patent-pending traffic classification system only available in Palo Alto Networks firewalls. App-ID™ instantly applies multiple classification mechanisms to your network traffic stream, as soon as the device sees it, to accurately identify applications.

App-ID Diagram

How App-ID classifies traffic

App-ID uses as many as four identification techniques to determine the exact identity of applications traversing your network—irrespective of port, protocol, evasive tactic, or SSL encryption. Identifying the application is the very first task performed by App-ID, providing you with the greatest amount of application knowledge and the most flexibility in terms of enabling applications in a secure manner.

As the foundational element of our enterprise security platform, App-ID provides visibility and control over applications that can evade detection by masquerading as legitimate traffic, hopping ports or sneaking through the firewall using encryption (SSL and SSH).

In the past, unapproved or non-work-related applications on your network left you with two choices—either block everything in the interest of data security, or enable everything in the interest of business. These choices left little room for compromise.

App-ID enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. When used in conjunction with User-ID™, you can see exactly who is using the application based on their identity, not just an IP address. Armed with this information, your security team can use positive security model rules to allow the applications that enable the business, inspecting or shaping them as needed and leveraging the implicit deny-all-else premise that a firewall is based upon to improve your security posture.

Firewall Traffic Classification: Applications, not Ports

Stateful inspection, the basis for most of today's firewalls, was created at a time when applications could be controlled using ports and source/destination IPs. The strict adherence to portbased classification and control methodology is the primary policy element, it is hard-coded into the foundation and cannot be turned off. This means that many of today's applications cannot be identified, much less controlled by the firewall and no amount of "after the fact" traffic classification by firewall helpers can correct the firewall port-based classification.

Palo Alto Networks recognized that applications had evolved to where they can easily slip through the firewall and chose to develop App-ID, an innovative firewall traffic classification technique that does not rely on any one single element like port or protocol to determine the result. Instead, App-ID uses multiple mechanisms to determine what the application is, first and foremost, and the application identity then becomes the basis for your firewall policy. App-ID has been created to be highly extensible and as applications continue to evolve, application detection mechanisms can be added to App-ID or updated as a means of keeping pace with the ever-changing application landscape.

Here's how App-ID identifies applications crossing your network:

As the applications are identified by App-ID's successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.

Always on Traffic Classification - Always The First Action Taken Across All Ports

Classifying traffic with App-ID is the first action our firewalls take on traffic, so by default all App-IDs are always enabled. This means you don't need to enable a series of signatures to look for an application you think might be on your network, because App-ID never stops classifying all your traffic across every port - not just a subset of the traffic (e.g., HTTP).

All App-IDs constantly looks at all traffic such as:

App-ID continually monitors the state of an application to see if it changes midstream, provides updated information to your administrator in ACC, and applies the appropriate policy and logs the information. Like all firewalls, Palo Alto Networks next-generation firewalls use positive control, default-deny all traffic, and then allow through only those applications that are within your policy. Everything else is blocked.

App-ID Traffic Classification Technology

Using as many as four different techniques, App-ID determines what the application is as soon as the traffic hits the firewall appliance, irrespective of port, protocol, encryption (SSL and SSH) or other evasive tactic employed. The number and order of identification mechanisms used to identify the application will vary depending on the application. The general flow for App-ID is as follows:

With App-ID as the foundational element our enterprise security platform, your security team can regain visibility into, and control over, the applications traversing the network.

App-ID: Dealing with Custom or Unknown Applications

On a weekly basis, an average of five new applications is added to App-ID, yet nearly every network will have cases where unknown application traffic is detected. There are typically three scenarios where unknown traffic will appear: a commercially available application that does not have an App-ID, an internal, custom application is in use or a threat.

Application Function Control
Application Function Control

Maximize productivity by safely enabling the application itself (Microsoft SharePoint) or individual functions.

An important point to highlight is that our firewall uses a positive enforcement model, which means that all traffic can be denied except those applications that are expressly allowed via policy. This means that unknown traffic can be easily blocked or tightly controlled merely by expressly allowing what is needed to run the business. Alternative offerings that are based on IPS (negative control) will allow unknown traffic to pass through without providing any semblance of visibility or control.

How App-ID Works: Identifying WebEx

When a user initiates a WebEx session, the initial connection is an SSL-based communication. With App-ID, the device sees the traffic and the signatures determine that it is using SSL. The decryption engine and protocol decoders are then initiated to decrypt the SSL and detect that it is HTTP traffic. Once the decoder has the HTTP stream, App-ID can apply contextual signatures and detect that the application in use is WebEx. WebEx is then displayed within ACC and can be controlled via a security policy.

If the your end-user were to initiate the WebEx Desktop Sharing feature, WebEx undergoes a "mode-shift" to where the session has been altered from a conferencing application to a remote access application. In this scenario, the characteristics of WebEx have changed and App-ID will detect the WebEx Desktop Sharing feature which is then displayed in ACC. At this stage, you will have learned more about the application usage, allowing you to exert policy control over the use of the WebEx Desktop Sharing feature separately from general WebEx use.

Application Identity: The Heart of Policy Control

Identifying the application is the first step in learning more about the traffic traversing your network. Learning what the application does, the ports it uses, its underlying technology, and its behavioral characteristics is the next step towards making a more informed decision about how to treat the application. Once a complete picture of usage is gained, you can apply policies with a range of responses that are more fine-grained than allow or deny. Examples include:

With App-ID as the foundational element of our firewalls, you can restore visibility and control over the applications traversing your network to the firewall, the most strategic security component in your network security infrastructure.

Application Function-Level Controls

To many customers, safe application enablement means striking an appropriate security policy balance by enabling individual application functionality while blocking other functions within the same application. Examples may include:

Using an application hierarchy that follows a container and supporting function model, App-ID makes it easy for you to choose which applications to allow, while blocking or controlling functions within the application. The graphic shows SharePoint as the container application, and the individual functions within.

Controlling Multiple Applications: Dynamic Filters and Groups

There are many cases where you may want to control larger groups of applications in bulk, as opposed to controlling them individually. The two mechanisms that address this policy requirement are dynamic filters and application groups.

Category and Subcategory

  • Business: Authentication services, database, ERP, general management, office programs, software updates, storage/ backup
  • General Internet: File sharing, Internet utilities (web-browsing, toolbars, etc)
  • Collaboration: Email, instant messaging, Internet conferencing, social networking, social business, VoIP/video, web posting
  • Media: Audio streaming, gaming, photo/video
  • Networking: Encrypted tunnel, infrastructure, IP protocol, proxy, remote access, routing

Application Behavioral Characteristics

  • Able to transfer files from one network to another
  • Used to propagate malware
  • Consumes 1 Mbps or more regularly through normal use.
  • Evades detection using a port or protocol for something other than its intended purpose with intent
  • Has been widely deployed
  • Application has had known vulnerabilities
  • Prone to misuse or is easily configured to expose more than intended
  • Tunnels other applications


Browse up-to-date application research and analysis at the Palo Alto Networks Application and Threat Research Center.

Underlying Application Technology

  • Client-server based
  • Browser-based
  • Peer-to-peer based
  • Network protocol

Expanding the List of Applications

The list of App-IDs is expanded weekly with 3-5 new applications added based on input from customers, partners, and market trends. When you find unidentified applications on your network, you can capture the traffic and then submit the information for App-ID development. Once a new App-ID is developed and tested, it is added to the list as part of the weekly content updates.

Download the Palo Alto Networks App-ID Datasheet (PDF).