Is there a way to identify what traffic is hitting a specific App-ID Override policy?
We have several poorly configured App-ID override policies I'm trying to clean up and consolidate but they override to the same custom application, and it is not obvious from the logs which app-id override policy is actually being hit.
1) Good policy
2) Bad policy
3) Bad policy
Policy 2-3 are still being hit but I'm not sure why as policy 1 should be catching everything. I've looked at the traffic logs for traffic matching the custom app-id and manually cross-referenced that with the source/destination/port for policy 1 and everything should match, but there is still incrementing hits on policies 2-3.
From the CLI it seems you can do a "show session all filter..." on Security, NAT, PBF, and QoS policies but of course not App-ID; and that wouldn't give me any historical data anyway.
You also can't seem to filter reports to the UUID of the app-id override policy...only security policy.
Any ideas?
Thanks!
... View more