We are seeing the same issue, specifically with ICMP custom apps (breaking down the ICMP types). The traffic is app ID'ed properly but falls to a lower rule and does not get matched higher where it should. We do not notice this on a simple configuration on a PA500. But with a 5060, multiple vsys, etc., we do. I wonder if you have gotten an answer to this. We are working with support to figure out the issue also. What setup do you have where you see this issue? Thanks

Update 2/15/13 - worked with support and a bug has been identified in 4.1.10. The custom application is identified properly, but when it runs the security policy, the custom app ID is part of a different vsys: the current vsys +1. So basically, a packet comes in on vsys10 and is identified as an app ID in vsys10; then, when it comes to policy match, it is the app ID of the same app (shared) but in vsys11, and thus does not match. The bug is being officially documented and hopefully fixed soon.