App-Id: Identifying any application on any port

Traffic classification is at the heart of any firewall, because your classifications form the basis of your security policies. Traditional firewalls classify traffic by port and protocol. At one point, this was a satisfactory mechanism for securing the perimeter. Not anymore.

If you still use a port-based firewall it is easy for applications to bypass it by:

  • Hopping ports
  • Using SSL and SSH
  • Sneaking across port 80
  • Using non-standard ports

Simply put, the traffic classification limitations of port-based firewalls make them unable to protect today’s network. That’s why we developed App-ID™, a patent-pending traffic classification system only available in Palo Alto Networks firewalls. App-ID™ instantly applies multiple classification mechanisms to your network traffic stream, as soon as the device sees it, to accurately identify applications.

Learn more about the Application Visibility Feature.

Classify traffic based on applications, not ports

Here’s how App-ID identifies applications crossing your network:

  • Traffic is first classified based on the IP address and port.
  • Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics.
  • If App-ID determines that encryption (SSL or SSH) is in use, and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
  • Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
  • For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

As the applications are identified by App-ID’s successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorised file transfer and data patterns, or shape using QoS.

Always on traffic classification – always the first action taken across all ports.

Classifying traffic with App-ID is the first action our firewalls take on traffic, so by default all App-IDs are always enabled. This means you don’t need to enable a series of signatures to look for an application you think might be on your network, because App-ID never stops classifying all your traffic across every port – not just a subset of the traffic (e.g., HTTP).

All App-IDs constantly looks at all traffic such as:

  • Business applications
  • Consumer applications
  • Network protocols
  • Everything else

App-ID continually monitors the state of an application to see if it changes midstream, provides updated information to your administrator in ACC, and applies the appropriate policy and logs the information. Like all firewalls, Palo Alto Networks next-generation firewalls use positive control, default-deny all traffic, and then allow through only those applications that are within your policy. Everything else is blocked.

All classification mechanisms, all application versions, all OS’s

App-ID operates at the services layer, monitoring how an application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent will be about equal to the many BitTorrent OS and client signatures that have to be enabled to try and control this application in other offerings.

Systematic management of unknown traffic

Every network has a small amount of unknown traffic. This traffic can be an internally developed application, a commercial application with no App-ID, or it can be a threat. App-ID categorises all your unknown traffic, which allows you to analyse it and make an informed policy decision. If the traffic is an internal application, a custom App-ID can be created to identify it. If the traffic is a commercial application with no App-ID, a PCAP can be taken and submitted for App-ID development. Finally, App-ID’s behavioral botnet report and logging tools can tell you if the traffic is a threat and take an appropriate action if it is.


Palo Alto Networks Firewall Overview

Palo Alto Networks Next Generation Firewall Overview

Palo Alto Networks Panorama

Panorama provides centralised policy and device management over a network of Palo Alto Networks™ next-generation firewalls.

Palo Alto Networks VM-Series Datasheet

The Palo Alto Networks™ VM-Series extends secure application enablement into virtualised environments while addressing key virtualisation security challenges: tracking security policies to virtual machine movement with dynamic address objects and integration with orchestration systems using a powerful XML management API.

Palo Alto Networks Wildfire

WildFire automatically protects your networks from new and customised malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends the threat prevention capabilities of the next-generation firewall to tackle some of the most challenging threats in the world today, and does so with full visibility and enforcement at up to 10Gbps.

Quotation Configuration

Your Name (required)

Company (required)

Your Email (required)

Telephone (required)

Number of Users (required)

Number of Connections

Size of each connection:
Connection 1:
Connection 2:
Connection 3:
Connection 4:
Connection 5:

Security Subscriptions

WildfireGlobal ProtectURL FilteringThreat Prevention

Standard Support & Maintenance:
Premium Support & Maintenance:

Additional Comments

Please leave this field empty.

Please leave this field empty.

Book Your Palo Alto Networks Demo:

Krome Technologies can provide you with an online or onsite demonstration specifically showing you the fundamentals of Palo Alto Networks solutions, these demonstrations can be tailored to show you whatever you want to review, our consultants can give you a brief overview demonstration or deep dive technically depending on your interest, requirement or specific requests.

Alternatively we can organise for an evaluation unit to be sent to you for an agreed period to run on your own network.

Please note that required fields are highlighted with an asterisks*

Your Name*

Company Name*

Job Title*

Telephone Number*

Email Address*

Mobile Number

Company Address:

Approximate amount of users*:

Additional information or demo specific requests, please indicate if you would like an online demo, or evaluation unit for example:

Once we have received the request, we will endeavor to contact you within 24hours to discuss your demo requirements and schedule a convenient time for your Palo Alto Networks demo or evaluation to take place.




Next-generation firewalls enforce network security policies based on applications, users, and content