https://live.paloaltonetworks.com/t5/general-topics/packet-flow-sequence-and-application-override/m-p/246024#M70087 <P>The graph is a bit confusing, so that's where the issue is. App override traffic does indeed skip content inspection unless you're overriding it to a pre-defined app.</P><P>&nbsp;</P><P>Note that the diagram you referenced has "Content inspection setup" on the green Application Identification section, not actual content inspection. The "setup" is to do the tasks it lists:</P><P><FONT color="#339966">- Setup SP3 if security profile is specified</FONT></P><P><FONT color="#339966">- set session to discard if security rule action deny</FONT></P><P><FONT color="#339966">- set QoS class from QoS policy lookup</FONT></P><P>It still has to do those things, even for app overridden traffic.</P><P>&nbsp;</P><P>If you follow that box down to the next one ("Application is SSL and decryption policy match?"), the result is No, which moves us back to the pink/salmon FW Fastpath block.</P><P>&nbsp;</P><P>There, it has another yes/no box "Content inspection applicable?". When you do app override, the answer to that is No, which skips all of the SP3/CTD (blue) box and moves to packet forwarding at the bottom.</P> Tue, 15 Jan 2019 02:08:47 GMT gwesson 2019-01-15T02:08:47Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-sequence-and-application-override/m-p/245982#M70083 <P>Hello everyone,</P><P>I have a question regarding the "AppID override" ,</P><P>In this article "<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0" target="_blank" rel="nofollow noopener noreferrer">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0</A>" we can read the following:</P><P>"<BR />Special Note about Content and Threat inspection<BR />Application Override to a custom application will force the firewall to bypass Content and Threat inspection for the traffic that is matching the override rule. The exception to this is when you override to a pre-defined application that supports threat inspection.<SPAN>&nbsp;</SPAN><BR />"</P><P>However, in the PaloAlto Packet Flow Sequence (available :<SPAN>&nbsp;</SPAN><A href="http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309" target="_blank">http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309</A>) we can see this :</P><P><BR />When the application override policy is matched the only step skiped is [Pattern-based application identification]. The "Content Inspection (SP3/CTD)" is allways performed, regardless of the application override. So the Content profiles seem to be applyed.</P><P>So my question is the following: is something missing from the diagram or am I wrongly reading the graph ?</P><P>Many thanks,<SPAN>&nbsp;</SPAN><BR />Karim BENYELLOUL</P> Mon, 14 Jan 2019 21:20:35 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-sequence-and-application-override/m-p/245982#M70083 Karim.Benyelloul 2019-01-14T21:20:35Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-sequence-and-application-override/m-p/246024#M70087 <P>The graph is a bit confusing, so that's where the issue is. App override traffic does indeed skip content inspection unless you're overriding it to a pre-defined app.</P><P>&nbsp;</P><P>Note that the diagram you referenced has "Content inspection setup" on the green Application Identification section, not actual content inspection. The "setup" is to do the tasks it lists:</P><P><FONT color="#339966">- Setup SP3 if security profile is specified</FONT></P><P><FONT color="#339966">- set session to discard if security rule action deny</FONT></P><P><FONT color="#339966">- set QoS class from QoS policy lookup</FONT></P><P>It still has to do those things, even for app overridden traffic.</P><P>&nbsp;</P><P>If you follow that box down to the next one ("Application is SSL and decryption policy match?"), the result is No, which moves us back to the pink/salmon FW Fastpath block.</P><P>&nbsp;</P><P>There, it has another yes/no box "Content inspection applicable?". When you do app override, the answer to that is No, which skips all of the SP3/CTD (blue) box and moves to packet forwarding at the bottom.</P> Tue, 15 Jan 2019 02:08:47 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-sequence-and-application-override/m-p/246024#M70087 gwesson 2019-01-15T02:08:47Z