application override VS service

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

application override VS service

L0 Member

I have new application.

I need to know what is the difference between application override policy and the security policy by using the service port number both are stateful inspection firewall at Layer-4?


Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application.


Application Override:
Identify sessions that you do not want processed by the App-ID engine, which is a Layer-7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4.


my reference:




Cyber Elite
Cyber Elite

the service port let's you determine on which port TCP is allowed to connect


so if you set port 80, tcp is allowed to connect on pot 80, app-id can then determine if the session is web-browsing  or ftp os ssh or something else. because you allowed port 80, the session will be allowed through and app-id will simply identify the app


if you use application-default, app-id will use it's knowledge of the data flow to determine if the port it sees in the tcp session matches what it sees in the payload, so if a tcp session on port 80 comes in, that's fine, but after it sends payload and app-id determines that the session is actually LDAP, it will drop the connection as it is using a non-default port


in both the above cases, app-id will keep track of the flow and make sure the application is behaving as expected, applying the right heuristics etc to determine if there are any threats or application switches happening


application-override tells app-id and content-id (if used with a custom app) to not inspect a session at all and simply label it as the custom app. so if you set app override on port 80, that opens up port 80 to all underlying applications and threats

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


I would suggest to stay away from overrides if you can. They bypass the threat engine so there could be potentially malicious traffic.



  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!