https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-1-14-h2-how-does-palo-identify-if-traffic-belongs-to-an/m-p/592323#M3425 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41506">@jebwilson</a> ,</P> <P>&nbsp;</P> <P>The primary method PANW uses to identify applications is application signatures.&nbsp; PANW does not reveal the specific details for each signature to my knowledge.&nbsp; In some cases, protocol decoders and heuristics are used.&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/app-id-overview" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/app-id-overview</A></P> <P>&nbsp;</P> <P>Here is an example where App-ID has identified the traffic as ssl, but also uses the certificate to change it to a different app.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0</A></P> <P>&nbsp;</P> <P>Enabling decryption will allow you to identify a lot more apps.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 17 Jul 2024 16:09:13 GMT TomYoung 2024-07-17T16:09:13Z https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-1-14-h2-how-does-palo-identify-if-traffic-belongs-to-an/m-p/592313#M3424 <P>I need to understand exactly makes a TCP flow identified as the 'ms-update' application. <BR /><BR />I found the Objects -&gt; Applications -&gt; ms-update app description. It shows the ports used, and other dependencies.&nbsp;&nbsp;But this does not explain exactly what makes one flow identified as the 'ms-update' application. And a second flow identified as some other application. <BR /><BR />Details on this topic would be appreciated.&nbsp; Especially any info about specifically what parameters go into the decision to classify a flow as the 'ms-update' application.&nbsp; Thank you.</P> Wed, 17 Jul 2024 14:18:23 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-1-14-h2-how-does-palo-identify-if-traffic-belongs-to-an/m-p/592313#M3424 jebwilson 2024-07-17T14:18:23Z https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-1-14-h2-how-does-palo-identify-if-traffic-belongs-to-an/m-p/592323#M3425 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41506">@jebwilson</a> ,</P> <P>&nbsp;</P> <P>The primary method PANW uses to identify applications is application signatures.&nbsp; PANW does not reveal the specific details for each signature to my knowledge.&nbsp; In some cases, protocol decoders and heuristics are used.&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/app-id-overview" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/app-id-overview</A></P> <P>&nbsp;</P> <P>Here is an example where App-ID has identified the traffic as ssl, but also uses the certificate to change it to a different app.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0</A></P> <P>&nbsp;</P> <P>Enabling decryption will allow you to identify a lot more apps.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 17 Jul 2024 16:09:13 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-1-14-h2-how-does-palo-identify-if-traffic-belongs-to-an/m-p/592323#M3425 TomYoung 2024-07-17T16:09:13Z https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-1-14-h2-how-does-palo-identify-if-traffic-belongs-to-an/m-p/592329#M3426 <P>Thank you Tom.&nbsp; Really appreciate the clear information and the quick reply!</P> Wed, 17 Jul 2024 18:54:44 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-1-14-h2-how-does-palo-identify-if-traffic-belongs-to-an/m-p/592329#M3426 jebwilson 2024-07-17T18:54:44Z