https://live.paloaltonetworks.com/t5/general-topics/app-id-issues-with-dropbox-traffic/m-p/246014#M70086 <P>Hello,</P><P>&nbsp;</P><P><SPAN>We've got QoS setup on a PA-220 that classes any traffic marked with the dropbox App-ID. This class is then restricted to 2mbps. However we find that not all traffic generated by the Dropbox Sync client is marked as dropbox. Sometimes it's just ssl, sometimes its unknown-udp. Essentially we just want to restrict any Dropbox traffic to 2mbps through the Internet.&nbsp;</SPAN></P><P><SPAN>How do we achieve this?</SPAN></P><P>&nbsp;</P><P><SPAN>We are using Dropbox as an installed application (not from web browser).</SPAN></P><P><SPAN>SSL Decryption is not enabled.</SPAN></P><P><SPAN>The concerned policy has 'dropbox' application enabled with application-default.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 15 Jan 2019 01:54:15 GMT FarzanaMustafa 2019-01-15T01:54:15Z https://live.paloaltonetworks.com/t5/general-topics/app-id-issues-with-dropbox-traffic/m-p/246014#M70086 <P>Hello,</P><P>&nbsp;</P><P><SPAN>We've got QoS setup on a PA-220 that classes any traffic marked with the dropbox App-ID. This class is then restricted to 2mbps. However we find that not all traffic generated by the Dropbox Sync client is marked as dropbox. Sometimes it's just ssl, sometimes its unknown-udp. Essentially we just want to restrict any Dropbox traffic to 2mbps through the Internet.&nbsp;</SPAN></P><P><SPAN>How do we achieve this?</SPAN></P><P>&nbsp;</P><P><SPAN>We are using Dropbox as an installed application (not from web browser).</SPAN></P><P><SPAN>SSL Decryption is not enabled.</SPAN></P><P><SPAN>The concerned policy has 'dropbox' application enabled with application-default.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 15 Jan 2019 01:54:15 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-issues-with-dropbox-traffic/m-p/246014#M70086 FarzanaMustafa 2019-01-15T01:54:15Z https://live.paloaltonetworks.com/t5/general-topics/app-id-issues-with-dropbox-traffic/m-p/246102#M70104 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98673">@FarzanaMustafa</a>&nbsp;wrote:<BR /><P>&nbsp;</P><P><SPAN>SSL Decryption is not enabled.</SPAN>&nbsp;</P><HR /></BLOCKQUOTE><P>When you aren't decrypting traffic app-id is doing the best it can with the information it can see, which isn't much. So by its nature this means that application identification can be hit or miss.&nbsp;</P> Tue, 15 Jan 2019 15:41:00 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-issues-with-dropbox-traffic/m-p/246102#M70104 BPry 2019-01-15T15:41:00Z https://live.paloaltonetworks.com/t5/general-topics/app-id-issues-with-dropbox-traffic/m-p/246196#M70128 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;I think the problem is that the Dropbox Sync client uses a pinned certificate, so it actually cannot be decrypted by the firewall. OP wants to&nbsp;</P><P>&nbsp;</P><P>You can apply QoS based on IP address, app, and service, but none of those are really distinguishable here. You may need to use something like MindMeld or otherwise create an External Dynamic List object and use that for the QoS rule.</P> Wed, 16 Jan 2019 01:06:49 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-issues-with-dropbox-traffic/m-p/246196#M70128 gwesson 2019-01-16T01:06:49Z