06-06-2025 10:08 PM
Not sure why you're not stating the actual app-ids causing you issues, but yes this is something that can happen. Sometimes its simply that the firewall does not follow the "implicitly uses" aspect of the signature and other times it just improperly identifies the application early on in the session and then transitions to the proper signature as it processes more traffic. As an example, you'll see this with ms-rdp and cotp/t.120 pretty often.
I've never really gotten a satisfactory answer as to why this happens honestly. It's a simple enough thing to address from a policy aspect and once something is functional it's often difficult to get TAC to answer the why behind something and you're stuck looking for the answer yourself.
Since you aren't actually naming the app-ids that you're seeing and running into an issue with, I'm not sure if you're noticing an "implicitly uses" issue as noted above or something else. Since it's unlikely that you're talking about custom signatures (and even then it's just an application name) it could be helpful if you included the signatures that you're running into an issue with.
