Hello, @vsys_remo. I am updating with the resolution of my problem: effectively, I had to create 2 custom app ID signatures, with the necessary patterns and parameters so that the traffic is identified as the custom app. After confirming that the traffic is identified, I continued generating the policies before the general flow of mail traffic. Just a question: I actually see the queries pass to the app customized by the new rules, but I also see traffic pass with an incomplete app. Is this a problem? Is it traffic that is specified? I understand that after the three-way handshake, not enough packets pass through to identify the application, but is it still traffic to the TCP/25 port that is being allowed? But functionally speaking, the phishing scenario is already productive. I greatly appreciate your collaboration and help. Best regards.