@acc6d0b3610eec313831f7900fdbd235 wrote:

In terms of App-ID, these are connections where not enough data, or data that did not match any known application's behavior, were transferred and App-ID was unable to identify a known application. When this type of application is seen inside the organization, there's a good chance this is benign traffic: maybe a homebrew backup or a scripted maintenance task. If these show up on sessions going out to, or coming in from the internet, they should be a reason for concern.

https://live.paloaltonetworks.com/t5/Management-Articles/Pro-Tips-Unknown-Applications/ta-p/77052

In other words, "Incomplete" is not an application and that's why it is not going to be shown in the "Application" column when you create a security rule or QoS rule. My recommendation is that in this case, you create a security policy and QoS policy applying the "Solarwinds" app-id signature to it, then it may take care of this for you.

Now if you don't want that traffic to go through the App-ID engine, I recommend that you create an Application Override Policy, so it will bypass the Application inspection. By doing that, you still can apply security profiles but the rule will be treated as stateful only.

Hi Willian,

In this case I'm positive that the traffic in question is benign, in fact, I'm trying to prioritize it. Sorry, I don't understand your suggestion of "create a security policy and QoS policy applying the "Solarwinds" app-id signature to it". I guess I can't think of how this could possibly work, since the firewall is not assigning an app tag in the first place.

Never used app override, but from a quick peek, it looks as though you need to create a custom appID first, which brings me back to my question 2. Maybe the only way to do this is to forget the app, and use a service based rule?