Palo Alto How and When APP-ID Works

If you use destination TCP/UDP port-based rules together with APP-ID, the first TCP handshake will be allowed. The Palo then identifies the traffic and allows or blocks it based on policy. So if you look on the server side, you will see established connections and may wonder why they are there.

The first trip through the policy looks for a rule that will allow the session to set up and data to flow, so that the application can be identified. This makes sense once you understand the Flow Logic. The Palo determines the application by reading the packet's payload; no assumptions are made based on ports. If the traffic uses ports 80 and 443, blocking those ports is the only way to prevent the setup from completing.

Remember that the Palo cannot identify the app until the handshake has completed. The APP-ID is not the same as the port number.
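To make the two-pass logic concrete, here is an added toy model of it (not PAN-OS code or any Palo Alto API; the rule fields, app names and payload signatures are simplified assumptions). It shows why the server sees an established connection before an app that no rule allows is denied, and why only a port-based deny stops the handshake itself.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    ports: set = field(default_factory=set)  # empty = any destination port
    apps: set = field(default_factory=set)   # empty = any application

def identify_app(payload: bytes) -> str:
    """Classify the first client payload bytes (constructed, simplified signatures)."""
    if payload.startswith(b"\x16\x03"):              # TLS record header
        return "ssl"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown-tcp"

def first_match(rules, port, app=None):
    """Top-down rule lookup; app=None means the application is not yet known."""
    for r in rules:
        if r.ports and port not in r.ports:
            continue
        if app is not None and r.apps and app not in r.apps:
            continue
        return r
    return None

def evaluate_session(rules, port, payload):
    """Return (handshake_allowed, identified_app, final_action)."""
    # Pass 1: only the SYN has been seen, so no payload can be read. The lookup
    # matches on port alone; if it allows, the three-way handshake completes.
    r1 = first_match(rules, port)
    if r1 is None or r1.action == "deny":
        return (False, "incomplete", "deny")
    # Pass 2: the first data packet is inspected, the app is identified and
    # the policy is evaluated again with the app criterion applied.
    app = identify_app(payload)
    r2 = first_match(rules, port, app)
    return (True, app, r2.action if r2 else "deny")

APP_RULES = [Rule("allow-web", "allow", {443}, {"ssl", "web-browsing"}),
             Rule("deny-all", "deny")]
PORT_BLOCK_RULES = [Rule("block-443", "deny", {443}), Rule("allow-all", "allow")]

if __name__ == "__main__":
    print(evaluate_session(APP_RULES, 443, b"SSH-2.0-OpenSSH_9.6"))      # handshake done, then denied
    print(evaluate_session(PORT_BLOCK_RULES, 443, b"\x16\x03\x01\x00\xc8"))  # handshake never completes
```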