Application Override Question


L1 Bithead

Hi All,

I got this question from the learning center for the PCNSE practice exam. Don't know if it's allowed to post the screenshot here.

app-override.PNG

From my understanding of using the application override, the firewall stops any further content inspection. It was also stated on the admin guide:

If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.

Does using a built-in application on an app-override policy allow the firewall to perform content and threat protection?

Thanks and regards,

Jon

2 ACCEPTED SOLUTIONS

L5 Sessionator

Hey Jon,

Layer7 processing for an app will only stop when using a PBF rule if you override the app to a custom one, i.e. "MyCustomApp". Overriding the traffic to an existing app such as web-browsing in this example will keep the content inspection enabled.

Thanks,

Luke.

Hello,

So if you use Application Override, Content-ID does not occur.

  • For example, if you build a custom application that triggers on a host header www.mywebsite.com, the
    packets are first identified as web-browsing and then are matched as your custom application (whose
    parent application is web-browsing). Because the parent application is web-browsing, the custom
    application is inspected at Layer-7 and scanned for content and vulnerabilities.

  • If you define an application override, the firewall stops processing at Layer-4. The custom application
    name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.

This is from the admin guide on page 580.

Regards,
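
A configuration audit that follows the distinction drawn in the two replies above, as an added example that is not part of the original thread or any Palo Alto Networks code: it lists application override rules and flags those whose target is a custom application, which per the quoted admin guide text stop at Layer-4 and are not scanned for threats. The XML fragment is constructed, and its simplified layout, the rule names and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified config fragment (assumed layout, not a real export).
# One override targets a custom app, the other a predefined app.
SAMPLE_CONFIG = """<vsys>
  <entry name="vsys1">
    <application><entry name="MyCustomApp"/></application>
    <rulebase><application-override><rules>
      <entry name="override-legacy-erp">
        <port>8443</port><protocol>tcp</protocol>
        <application>MyCustomApp</application>
      </entry>
      <entry name="override-intranet">
        <port>8080</port><protocol>tcp</protocol>
        <application>web-browsing</application>
      </entry>
    </rules></application-override></rulebase>
  </entry>
</vsys>"""


def audit_overrides(xml_text):
    """Return (rule, app, port, scanned) for every application override rule.

    scanned is False when the rule overrides to a custom application, the
    case the thread says stops processing at Layer-4.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for vsys in root.findall("entry"):
        # Names of custom applications defined in this vsys.
        custom = {e.get("name") for e in vsys.findall("application/entry")}
        for rule in vsys.findall("rulebase/application-override/rules/entry"):
            app = (rule.findtext("application") or "").strip()
            port = (rule.findtext("port") or "").strip()
            findings.append((rule.get("name"), app, port, app not in custom))
    return findings


def unscanned_rules(xml_text):
    """Names of override rules whose traffic would bypass threat scanning."""
    return [name for name, _, _, scanned in audit_overrides(xml_text) if not scanned]


if __name__ == "__main__":
    for name, app, port, scanned in audit_overrides(SAMPLE_CONFIG):
        status = "content inspection kept" if scanned else "Layer-4 only, no threat scan"
        print(f"{name}: port {port} -> {app} ({status})")
```

Rules reported by `unscanned_rules` are the ones to review for scope: the narrower their zones, addresses and ports, the less traffic passes without threat scanning.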

10 REPLIES 10


Hello,

Also, as a side note, I have also looked at the practice exam and there do seem to be errors in the answers. Don't trust the practice questions, go by what the guides state.

Regards,

Thanks for the reply.

So just to confirm, threat content scanning will still be enabled for app-override policies using:

1. pre-built application

2. custom application with a pre-built parent app

??
