10-26-2018 10:42 PM
What if we create creates a custom application containing Layer 7 signatures.
And after few days the PA send the Latest APP and Threat updates and we download those in the PA
What will happen if the update contains an application that matches the same traffic signatures as the custom application?
or
which thing is hit first custom app or application pushed from PA when both have same signatures?
My understanding is that Custom APP should have preference?
10-29-2018 06:29 AM
I found a KB article that speaks directly to your question.
It supports your understanding - Custom App-ID > predefined applications:
Custom Applications take precedence over predefined applications (including new Applications released in content updates) for matching traffic types when the traffic matches both a custom and local pattern. This is also true for VSYS specific custom applications (applications defined for individual VSYS).
Note: This action will take affect on the traffic immediately after a commit completes.
The Custom App will be matched without modifications to the security policy when a rule is defined with "application any". This occurs automatically even if the Custom Application is not used in a security policy or forced through the App Override when matching a rule with "application any", so long as the new application signature is defined correctly.
10-29-2018 06:29 AM
I found a KB article that speaks directly to your question.
It supports your understanding - Custom App-ID > predefined applications:
Custom Applications take precedence over predefined applications (including new Applications released in content updates) for matching traffic types when the traffic matches both a custom and local pattern. This is also true for VSYS specific custom applications (applications defined for individual VSYS).
Note: This action will take affect on the traffic immediately after a commit completes.
The Custom App will be matched without modifications to the security policy when a rule is defined with "application any". This occurs automatically even if the Custom Application is not used in a security policy or forced through the App Override when matching a rule with "application any", so long as the new application signature is defined correctly.
10-29-2018 06:53 AM
Many Thanks I was exactly looking for that.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
