How to avoid internet traffic inspection


L1 Bithead

Hi, how can I avoid internet traffic inspection from my PA? We already have a PA inspecting the internet traffic and we want to set up this particular PA for only inspecting the internal traffic.



Hi @arpitshrm84 ,

Your question is too broad and generic. Are you able to provide a high-level diagram and a brief explanation of your setup?

But in general, Palo Alto applies (the so-called) deep packet inspection through the Security Profiles specified for each traffic rule. This means that you can create a traffic rule matching the traffic you don't want to inspect (source/destination addresses and ports) and just not apply any Security Profiles to this traffic.

Hi, thank you very much for your response.
Let me explain a bit more in detail.

As of now, we have a branch office which is connected to the DC. So, the internet traffic is coming to the DC and going out through the Internet PA. Now, we want to put another PA between the branch office and the DC, which should inspect only the internal network (since the internet traffic will be inspected by the internet PA anyway).

Current Setup: 

Branch Office —— DC—— Internet PA

Proposed Setup:

Branch Office — Internal PA— DC—— Internet PA

What is the best solution for this? Can application override achieve this?


Cyber Elite

By default, Palo performs application identification.

You can add security profiles to a security policy to enable the IPS feature.

If you don't want IPS, then don't add a security profile to the security policy.

If you want to see what threats pass by but don't want to block them, then create security profiles in alert mode to put traffic inspection into IDS mode instead of IPS.

Application override is generally bad practice, as it will make the Palo a dumb router: it will only look at the first 4 layers and won't try to identify the application at all.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi, many thanks for your response.

What about the throughput of the internal PA? If we put none in the security profile, will the PA process it as L4 or L7? With application override, it will be L4 for sure. We just want to see which PA is suitable for us considering the throughput required.

Cyber Elite

You can see the throughput of different models by visiting the following link


App-ID firewall throughput - security profile not set

Threat prevention throughput - security profiles configured


Security profile not set is layer 7, as the firewall needs to identify the application.

Application override is definitely layer 4 and you will lose all next generation firewall capabilities using it.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi, many thanks for your help.
