https://live.paloaltonetworks.com/t5/custom-signatures/application-with-custom-signature-amp-layer-7-processing/m-p/236332#M273 <P>my understanding is that it will continue to scan for other apps in custom app if it does not detect any other app it will&nbsp;</P><P>stop scanning for any other app and session is offloaded</P> Sat, 20 Oct 2018 15:31:06 GMT MP18 2018-10-20T15:31:06Z https://live.paloaltonetworks.com/t5/custom-signatures/application-with-custom-signature-amp-layer-7-processing/m-p/236160#M272 <P>Hello All,</P><P>I have a PaloAlto PA-500 firewall on which I created my custom application based on custom signature. During the custom application creation on the Characterestics section I checked the "Continue scanning for other application" flag (refer to attached file -&gt; CustomApplication-Characteristics.png).</P><P>I've configured a policy that allow the traffic that match my custom application and all the remaining traffic goes to default interzone policy (thus it is blocked).</P><P>As you can see from attached screenshot (refer to ShowSessionIdCommand.png) the firewall correctly identify the traffic and match my custom application (called Brass_FAB-TCP-2505-CMP).</P><P>Anyhow, I noticed that, as soon as the firewall identifies the traffic as Brass_FAB-TCP-2505-CMP, the "layer 7 processing" switch to "completed" (as shown on ShowSessionIdCommand.png) and from this moment on, within this session, any traffic flowing through the firewall will pass without any inspection.</P><P>Can you please clarify if this is the normal behaviour for the equipment or not? If yes, what is the purpose of the "Continue scanning for other application" flag?</P><P>What is the way to have the firewall continuously inspecting/analyzing the traffic that match my custom application?</P><P>&nbsp;</P><P>Thanks all.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CustomApplication-Characteristics" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17234i3EBBF7CCE1908814/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="CustomApplication-Characteristics.png" alt="CustomApplication-Characteristics" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">CustomApplication-Characteristics</span></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShowSessionIdCommand" style="width: 594px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17231i6567D4EA57D26EF9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ShowSessionIdCommand.PNG" alt="ShowSessionIdCommand" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">ShowSessionIdCommand</span></span></P> Fri, 19 Oct 2018 13:03:43 GMT https://live.paloaltonetworks.com/t5/custom-signatures/application-with-custom-signature-amp-layer-7-processing/m-p/236160#M272 Emanuele 2018-10-19T13:03:43Z https://live.paloaltonetworks.com/t5/custom-signatures/application-with-custom-signature-amp-layer-7-processing/m-p/236332#M273 <P>my understanding is that it will continue to scan for other apps in custom app if it does not detect any other app it will&nbsp;</P><P>stop scanning for any other app and session is offloaded</P> Sat, 20 Oct 2018 15:31:06 GMT https://live.paloaltonetworks.com/t5/custom-signatures/application-with-custom-signature-amp-layer-7-processing/m-p/236332#M273 MP18 2018-10-20T15:31:06Z https://live.paloaltonetworks.com/t5/custom-signatures/application-with-custom-signature-amp-layer-7-processing/m-p/236437#M275 <P>Thanks Mike. Can you clarify what do you mean when you say "session is offloaded"?</P><P>In addition,do you know if there is any way to maintain traffic scanning active after custom app has been detected?</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;wrote:<BR /><P>my understanding is that it will continue to scan for other apps in custom app if it does not detect any other app it will&nbsp;</P><P>stop scanning for any other app and session is offloaded</P><HR /></BLOCKQUOTE><P>&nbsp;</P> Mon, 22 Oct 2018 07:38:24 GMT https://live.paloaltonetworks.com/t5/custom-signatures/application-with-custom-signature-amp-layer-7-processing/m-p/236437#M275 Emanuele 2018-10-22T07:38:24Z