App-ID Issues with Dropbox traffic

L4 Transporter

App-ID Issues with Dropbox traffic



We've got QoS setup on a PA-220 that classes any traffic marked with the dropbox App-ID. This class is then restricted to 2mbps. However we find that not all traffic generated by the Dropbox Sync client is marked as dropbox. Sometimes it's just ssl, sometimes its unknown-udp. Essentially we just want to restrict any Dropbox traffic to 2mbps through the Internet. 

How do we achieve this?


We are using Dropbox as an installed application (not from web browser).

SSL Decryption is not enabled.

The concerned policy has 'dropbox' application enabled with application-default.



L7 Applicator

Re: App-ID Issues with Dropbox traffic

@FarzanaMustafa wrote:


SSL Decryption is not enabled. 

When you aren't decrypting traffic app-id is doing the best it can with the information it can see, which isn't much. So by its nature this means that application identification can be hit or miss. 

L7 Applicator

Re: App-ID Issues with Dropbox traffic

@BPry I think the problem is that the Dropbox Sync client uses a pinned certificate, so it actually cannot be decrypted by the firewall. OP wants to 


You can apply QoS based on IP address, app, and service, but none of those are really distinguishable here. You may need to use something like MindMeld or otherwise create an External Dynamic List object and use that for the QoS rule.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!