What is App-ID?

Community Team Member

Sure, you have heard of App-ID, but what is it? How does it work, and how can you best use this technology on a Palo Alto Networks firewall?



App-ID, a patented traffic classification system, determines what the application is regardless of port, protocol, encryption (SSH or SSL), or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.



• Facilitates a more complete understanding of the business value and associated risk of the applications traversing the network.

• Enables creation and enforcement of safe application enablement policies.

• Brings application visibility and control back to the firewall, where it belongs.


Here's how App-ID identifies applications traversing your network:

  1. Traffic is first matched against policy to check whether it is allowed on the network at all.
  2. Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines whether the application is running on its default port or on a non-standard port. Traffic that policy allows is then scanned for threats and analyzed further to identify the application more granularly.
  3. If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in place, the session is decrypted and the application signatures are applied again to the decrypted flow.
  4. Decoders for known protocols are then used to apply additional context-based signatures that detect other applications tunneling inside the protocol (e.g., Yahoo! Instant Messenger carried over HTTP). Decoders validate that the traffic conforms to the protocol specification, and they provide support for NAT traversal and for opening dynamic pinholes for applications such as SIP and FTP.
  5. For applications that are particularly evasive and cannot be identified through signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.


Once the application is identified, the policy check determines how to treat it: block it; allow it and scan it for threats; inspect it for unauthorized file transfers and data patterns; or shape it with QoS.


An important point to highlight is that our firewall uses a positive enforcement model: all traffic is denied except the applications that are expressly allowed by policy. Unknown traffic can therefore be blocked or tightly controlled simply by allowing what the business needs. Offerings based on IPS-style negative control do the opposite: they block only what a signature recognizes as bad, so unknown traffic passes through with no visibility or control.
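To make the five steps and the positive enforcement model concrete, here is an added toy classifier. It is my illustration, not Palo Alto Networks code (real App-ID signatures are proprietary); every signature, port set, hostname, application label and flow in it is constructed for the example. A flow is classified from its payload rather than its port, an encrypted flow is re-run through the signatures only when a decryption policy supplied the inner stream (otherwise the cleartext SNI may still name it), the HTTP decoder rejects non-conforming requests and looks for an application tunnelled inside HTTP, an entropy heuristic stands in for step 5, and a flow that matches no allow rule is denied even when its application is known:

```python
"""Toy App-ID-style classifier with a positive (default-deny) policy.

Added illustration, not Palo Alto Networks code: real App-ID signatures are
proprietary. Every signature, hostname, label and flow below is constructed.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Flow:
    dst_port: int
    payload: bytes                     # first client->server bytes as seen on the wire
    tls_sni: Optional[str] = None      # server_name from the cleartext ClientHello, if any
    decrypted: Optional[bytes] = None  # inner stream when a decryption policy applies


# Step 1: coarse rule match on the 5-tuple, before any payload exists (constructed set).
PRE_ALLOWED_PORTS = {22, 80, 443, 8080}

# Step 2: signatures keyed on payload content, never on port: (app, default port, matcher).
SIGNATURES: List[Tuple[str, int, Callable[[bytes], bool]]] = [
    ("ssh", 22, lambda p: p.startswith(b"SSH-")),
    ("ssl", 443, lambda p: len(p) >= 6 and p[:2] == b"\x16\x03" and p[5] == 0x01),
    ("web-browsing", 80, lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
]
# Encrypted apps named from the cleartext SNI with no decryption (constructed hostname).
SNI_APPS: Dict[str, str] = {"app.box.example": "boxnet"}
# Step 4: context signatures the HTTP decoder applies to find apps tunnelled inside HTTP.
HTTP_HOST_APPS: Dict[bytes, str] = {b"messenger.example": "example-messenger"}
# Positive enforcement: (app, only on its default port?, action). Anything unlisted is denied.
POLICY = [
    ("ssh", True, "allow"),
    ("ssl", True, "allow"),
    ("web-browsing", True, "allow+scan"),
    ("boxnet", True, "allow+scan"),
]


def http_host(payload: bytes) -> Optional[bytes]:
    """Minimal HTTP decoder: check the request shape and return the Host value, else None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or len(lines[0].split(b" ")) != 3:   # request line: METHOD SP target SP version
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip()
    return None


def heuristic(payload: bytes) -> str:
    """Step 5 stand-in: Shannon entropy of the first bytes; near 8 bits/byte looks like a
    custom encrypted protocol. Both labels are constructed."""
    if not payload:
        return "unknown-tcp"
    n = len(payload)
    h = -sum(c / n * math.log2(c / n) for c in Counter(payload).values())
    return "unknown-encrypted" if h > 7.0 else "unknown-tcp"


def classify(flow: Flow) -> Tuple[str, bool]:
    """Steps 2-5: return (application, is it on its default port?)."""
    for app, port, match in SIGNATURES:
        if match(flow.payload):
            break
    else:
        return heuristic(flow.payload), True
    on_default = flow.dst_port == port
    if app == "ssl":
        if flow.decrypted is not None:          # step 3: signatures run again on the inner stream
            return classify(Flow(flow.dst_port, flow.decrypted))[0], on_default
        if flow.tls_sni in SNI_APPS:
            return SNI_APPS[flow.tls_sni], on_default
    elif app == "web-browsing":
        host = http_host(flow.payload)
        if host is None:                        # decoder rejects non-conforming "HTTP"
            return "unknown-tcp", True
        if host in HTTP_HOST_APPS:              # something else riding inside HTTP
            return HTTP_HOST_APPS[host], on_default
    return app, on_default


def enforce(flow: Flow) -> Tuple[str, str]:
    """Step 1, then steps 2-5, then the policy lookup on the identified application."""
    if flow.dst_port not in PRE_ALLOWED_PORTS:
        return "not-applicable", "deny"         # dropped before any application is seen
    app, on_default = classify(flow)
    for rule_app, default_port_only, action in POLICY:
        if rule_app == app and (on_default or not default_port_only):
            return app, action
    return app, "deny"                          # implicit deny: unknown or unlisted never passes


if __name__ == "__main__":
    for f in [Flow(8080, b"SSH-2.0-OpenSSH_9.0\r\n"),                  # SSH hiding on a web port
              Flow(80, b"POST /m HTTP/1.1\r\nHost: messenger.example\r\n\r\n"),
              Flow(443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", tls_sni="app.box.example"),
              Flow(80, bytes(range(256)))]:                             # matches no signature
        print(f.dst_port, *enforce(f))
```

The two cases worth watching are SSH on port 8080, which is identified as ssh but denied because the rule only permits it on its default port, and the random-looking payload on port 80, which reaches the heuristic and is denied because nothing in the policy names it.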


Read the full Tech Brief here:



Thanks for reading!



p.s. Don't forget about Ignite coming up March 30!

Ignite 2015 - Why Attend

L1 Bithead

Thanks for sharing! From my experience, it seems that App-ID is also able to determine some encrypted protocols even without SSL decryption enabled. Examples I have seen are slideshare-upload and boxnet.

L1 Bithead

Hi Mark,


It is true that App-ID can detect many applications that take advantage of SSL encryption without decrypting the session. There are parts of the communication (primarily on session setup) that take place in cleartext that we can take advantage of to determine the application. Content filtering takes advantage of this as well. For instance, the initial URL requested is in cleartext. The SSL session setup contains useful information, such as the certificate CN, that is in cleartext as well.
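As an added example of reading the cleartext part of session setup (my code, not the firewall's and not part of the reply above): a bounds-checked parser for the server_name (SNI) extension of a TLS ClientHello, which names the destination host before any encryption starts. The sample ClientHello is built by `build_client_hello()` inside the block rather than captured from a real session; the certificate CN mentioned above arrives later, in the server's Certificate message, and is not parsed here.

```python
"""Read the SNI host name from a cleartext TLS ClientHello.

Added illustration, not Palo Alto Networks code. The ClientHello is built by
build_client_hello() for the example rather than captured from a real session.
"""
from typing import Optional, Tuple


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record, with or without a server_name extension."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name       # name_type host_name(0)
        names = len(entry).to_bytes(2, "big") + entry                # ServerNameList
        exts = b"\x00\x00" + len(names).to_bytes(2, "big") + names   # extension type 0
    hello = (b"\x03\x03" + bytes(32)                                 # legacy_version, random
             + b"\x00"                                               # empty session_id
             + b"\x00\x02\x13\x01"                                   # one cipher suite
             + b"\x01\x00"                                           # null compression only
             + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello      # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def _field(buf: bytes, off: int, width: int) -> Optional[Tuple[bytes, int]]:
    """Length-prefixed field at buf[off]: (contents, offset after it), or None if truncated."""
    if off + width > len(buf):
        return None
    n = int.from_bytes(buf[off:off + width], "big")
    end = off + width + n
    return (buf[off + width:end], end) if end <= len(buf) else None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when it is absent or the
    record is malformed. Every length is checked, so a hostile record yields None, not a crash."""
    if len(record) < 5 or record[0] != 0x16:                         # handshake record
        return None
    body = _field(record, 3, 2)
    if body is None or len(body[0]) < 4 or body[0][0] != 0x01:       # ClientHello inside it
        return None
    wrapped = _field(body[0], 1, 3)
    if wrapped is None:
        return None
    hello, off = wrapped[0], 2 + 32                                  # skip version and random
    for width in (1, 2, 1):                       # session_id, cipher_suites, compression
        skipped = _field(hello, off, width)
        if skipped is None:
            return None
        off = skipped[1]
    if off == len(hello):                                            # legal: no extensions at all
        return None
    block = _field(hello, off, 2)
    if block is None:
        return None
    exts, off = block[0], 0
    while off + 2 <= len(exts):
        ext_type = int.from_bytes(exts[off:off + 2], "big")
        ext = _field(exts, off + 2, 2)
        if ext is None:
            return None
        data, off = ext
        if ext_type != 0:                                            # not server_name
            continue
        names = _field(data, 0, 2)
        if names is None:
            return None
        lst, i = names[0], 0
        while i < len(lst):
            name = _field(lst, i + 1, 2)
            if name is None:
                return None
            if lst[i] == 0:                                          # host_name entry
                try:
                    return name[0].decode("ascii")
                except UnicodeDecodeError:
                    return None
            i = name[1]
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("app.box.example")))   # constructed host name
    print(extract_sni(build_client_hello(None)))                # no SNI: nothing to read
```

Two things the toy keeps honest: a client that omits SNI (or a truncated or hostile record) gives None rather than an exception, which is exactly the case where an inspection engine has to wait for the certificate or give up, and the host name is whatever the client claimed, so it is a classification hint, not proof of where the session is really going.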

L0 Member

Is App-ID an explicit tab in Palo Alto?
Where can I see the App-ID in Palo Alto?
