https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-applications/m-p/2711#M2020 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Here is a snippet from the admin guide for using apps with PBF:</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">"The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to <SPAN class="GINGER_SOFTWARE_mark">subsequentPBF</SPAN> rules (that do not specify an application) or the virtual router’s forwarding table. <SPAN class="GINGER_SOFTWARE_mark">Allsubsequent</SPAN> sessions on that destination IP address and port for the same application <SPAN class="GINGER_SOFTWARE_mark">willmatch</SPAN> an application-specific rule. To ensure forwarding through PBF rules, application specific rules are not recommended."</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN class="GINGER_SOFTWARE_mark">which</SPAN> means the PBF rule will not match 100% of the time. PBF routing is determined by the first packet and most of the apps we <SPAN class="GINGER_SOFTWARE_mark">have are not identified</SPAN> with the first packet which implies this will take the normal routing route. After the app is identified, the subsequent sessions of the same app with same <SPAN class="GINGER_SOFTWARE_mark">src</SPAN> and <SPAN class="GINGER_SOFTWARE_mark">destn</SPAN> will match the PBF rule. Again, it is not recommended to use apps with PBF.</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Thanks</P></BODY></HTML> Thu, 04 Sep 2014 14:46:38 GMT HULK 2014-09-04T14:46:38Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-applications/m-p/2709#M2018 <HTML><HEAD></HEAD><BODY><P>I realize that PBF application based routing is limited to a subset of applications supported.</P><P></P><P>We're specifically looking to use PBF for Outlook-Web-Online and it's not in the list but many other things are, like MS-OCS-* and SMTP, etc...</P><P></P><P>Do we know why some applications are listed and why?</P><P></P><P>Is it possible to make a feature request to support this application?</P><P></P><P>Thoughts?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 04 Sep 2014 13:13:03 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-applications/m-p/2709#M2018 kk555 2014-09-04T13:13:03Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-applications/m-p/2710#M2019 <HTML><HEAD></HEAD><BODY><P>Hello Kk555,</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Not all Apps can be used for PBF, <SPAN style="font-size: 10pt; line-height: 1.5em;">because</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> the routing decision is made at </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"><SPAN class="GINGER_SOFTWARE_mark">sessions start</SPAN></SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">, you can only use Apps that can be discovered at session start.</SPAN></P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><STRONG>For your example:</STRONG></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN class="GINGER_SOFTWARE_mark">google</SPAN>-docs-base has a dependency of web-browsing &amp; SSL. <SPAN style="font-size: 10pt; line-height: 1.5em;">At session start the PAN will discover web-browsing or SSL and make a routing decision</SPAN></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Once this decision is made the PAN will keep it for this Session.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-size: 10pt; line-height: 1.5em;">This is why you can't select all Apps for PBF.</SPAN></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P>Please find below similar discussion thread:</P><P></P><P><A href="https://live.paloaltonetworks.com/message/29056">Re: PBF rule - applications</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1437"> Using Applications in PBF</A></P><P><A href="https://live.paloaltonetworks.com/message/4701">PBF based on Apps</A></P><P><A href="https://live.paloaltonetworks.com/message/7562">Re: APP limitation using PBF</A></P><P><A href="https://live.paloaltonetworks.com/message/29211">Re: Policy Based Forwarding for Application "Ping"</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 04 Sep 2014 14:45:22 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-applications/m-p/2710#M2019 HULK 2014-09-04T14:45:22Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-applications/m-p/2711#M2020 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Here is a snippet from the admin guide for using apps with PBF:</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">"The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to <SPAN class="GINGER_SOFTWARE_mark">subsequentPBF</SPAN> rules (that do not specify an application) or the virtual router’s forwarding table. <SPAN class="GINGER_SOFTWARE_mark">Allsubsequent</SPAN> sessions on that destination IP address and port for the same application <SPAN class="GINGER_SOFTWARE_mark">willmatch</SPAN> an application-specific rule. To ensure forwarding through PBF rules, application specific rules are not recommended."</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN class="GINGER_SOFTWARE_mark">which</SPAN> means the PBF rule will not match 100% of the time. PBF routing is determined by the first packet and most of the apps we <SPAN class="GINGER_SOFTWARE_mark">have are not identified</SPAN> with the first packet which implies this will take the normal routing route. After the app is identified, the subsequent sessions of the same app with same <SPAN class="GINGER_SOFTWARE_mark">src</SPAN> and <SPAN class="GINGER_SOFTWARE_mark">destn</SPAN> will match the PBF rule. Again, it is not recommended to use apps with PBF.</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Thanks</P></BODY></HTML> Thu, 04 Sep 2014 14:46:38 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-applications/m-p/2711#M2020 HULK 2014-09-04T14:46:38Z