https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270726#M74747 <P>Thanks for the reply.</P><P>&nbsp;</P><P>So just to confirm, threat content scanning will still be enabled for app-override policies using:</P><P>&nbsp;</P><P>1. pre-built applicaition</P><P>2. custom application with a pre-built parent app</P><P>&nbsp;</P><P>??</P> Tue, 18 Jun 2019 02:31:09 GMT Jonathan_Panes 2019-06-18T02:31:09Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270353#M74713 <P>Hi All,</P><P>&nbsp;</P><P>I got this question from the learning center for the PCNSE practice exam. Dont know if its allowed to post the screenshot here.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="app-override.PNG" style="width: 932px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20399i3A31F30B84B70C7E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="app-override.PNG" alt="app-override.PNG" /></span></P><P>&nbsp;</P><P>From my understanding of using the application override, the firewall stops any further content inspection. It was also stated on the admin guide:</P><P><EM>If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.</EM></P><P>&nbsp;</P><P>Does using a built-in application on an app-override policy allows the firewall to perform content and threat protection?</P><P>&nbsp;</P><P>Thanks and regards,</P><P>Jon</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 17 Jun 2019 04:02:18 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270353#M74713 Jonathan_Panes 2019-06-17T04:02:18Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270470#M74716 <P>Hey Jon,</P><P>&nbsp;</P><P>Layer7 processing for an app will only stop when using a PBF rule if you override the app to a custom one i.e "MyCustomApp". Overriding the traffic to an existing app such as web-browsing in this example will keep the content inspection enabled.</P><P>&nbsp;</P><P>Thanks,</P><P>Luke.</P> Mon, 17 Jun 2019 08:37:21 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270470#M74716 LukeBullimore 2019-06-17T08:37:21Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270611#M74731 <P>Hello,</P><P>So if you use Application Override, Content-ID does not occur.</P><P>&nbsp;</P><UL><LI>For example, if you build a custom application that triggers on a host header <A href="http://www.mywebsite.com" target="_blank">www.mywebsite.com</A>, the<BR />packets are first identified as web-browsing and then are matched as your custom application (whose<BR />parent application is web-browsing). Because the parent application is web-browsing, the custom<BR />application is inspected at Layer-7 and scanned for content and vulnerabilities.</LI><LI><BR />If you define an application override, the firewall stops processing at Layer-4. The custom application<BR />name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.</LI></UL><P>&nbsp;</P><P>This is from the admin guide on page 580.</P><P>&nbsp;</P><P>Regards,</P> Mon, 17 Jun 2019 16:58:39 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270611#M74731 OtakarKlier 2019-06-17T16:58:39Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270612#M74732 <P>Hello,</P><P>Also as a side note. I have also looked at the practice exam and there do seem to be errors in the answers. Dont trust the practice questions, go by what the guides state.</P><P>&nbsp;</P><P>Regards,</P> Mon, 17 Jun 2019 16:59:57 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270612#M74732 OtakarKlier 2019-06-17T16:59:57Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270726#M74747 <P>Thanks for the reply.</P><P>&nbsp;</P><P>So just to confirm, threat content scanning will still be enabled for app-override policies using:</P><P>&nbsp;</P><P>1. pre-built applicaition</P><P>2. custom application with a pre-built parent app</P><P>&nbsp;</P><P>??</P> Tue, 18 Jun 2019 02:31:09 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270726#M74747 Jonathan_Panes 2019-06-18T02:31:09Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270727#M74748 <P>Thanks Luke.</P> Tue, 18 Jun 2019 02:31:30 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270727#M74748 Jonathan_Panes 2019-06-18T02:31:30Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270732#M74752 <P>I tried to lab this up.</P><P>&nbsp;</P><P>I created a custom app with for tcp/80 with the parent application as web-browsing. Enable scanning for file types, viruses, data patterns. Then added that application to an application override policy. I tried to download the eicar test file for http. The download proceeded.</P><P>&nbsp;</P><P>When i changed the application override to use the application web-browsing. The file got blocked.</P><P>I may need clarification on this line:&nbsp;<EM>&nbsp;Because the parent application is web-browsing, the custom</EM><BR /><EM>application is inspected at Layer-7 and scanned for content and vulnerabilities.</EM></P><P>&nbsp;</P> Tue, 18 Jun 2019 03:51:10 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270732#M74752 Jonathan_Panes 2019-06-18T03:51:10Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270800#M74757 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/110025">@Jonathan_Panes</a>&nbsp;</P><P>&nbsp;</P><P>When you create a custom application, it will take precedence over the predefined applications. When you're using your custom app-id in the App override, the Layer7 will stop. When you put web-browsing in the App Override, Layer7 can continue, hence you could download the file.</P><P>&nbsp;</P><P>Thanks,</P><P>Luke.</P> Tue, 18 Jun 2019 08:13:39 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/270800#M74757 LukeBullimore 2019-06-18T08:13:39Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/290891#M77199 <P>Can anyone point me to using/applying an override to a predefined application, like web-browsing?</P><P>&nbsp;</P><P>All I find are documents on how to create a custom application, create an override for it. I want to create a rule that allows web-browsing AppID over a port other than 80 or 8080.</P><P>Adding Service TCP_12345 for example, will allow any app using port 12345. So that answer ain't valid.</P><P>&nbsp;</P><P>When creating an override on web-browsing with tcp port 12345. The policy(/ies) with web-browsing allowed will do nothing with the created override even though all the zones sources and targets are provided and match.</P> Wed, 02 Oct 2019 09:36:05 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/290891#M77199 mvdven 2019-10-02T09:36:05Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/465094#M102554 <P>I am looking at exactly the same question. My understanding is also that content inspection will happen when overriding to an existing AppID, however I could not find any PA article explaining that. &nbsp;They all say that inspection stops at Layer 4: can someone someone point me to the KB or admin guide confirming the behaviour? &nbsp;</P> Fri, 11 Feb 2022 06:23:12 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/465094#M102554 batd2 2022-02-11T06:23:12Z https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/465705#M102609 <P>Hello,</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRoCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRoCAK</A></P> <P>Scroll down:</P> <P>"<SPAN><EM>For most use cases, we recommend creating a simple custom application with as few attributes as possible, as the <STRONG>app override will bypass scanning or signature detection</STRONG></EM>."</SPAN></P> Mon, 14 Feb 2022 22:55:37 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-question/m-p/465705#M102609 OtakarKlier 2022-02-14T22:55:37Z