However, if you specify an application in a PBF rule, the firewall
performs App-ID caching. When an application passes through the
firewall for the first time, the firewall does not have enough
information to identify the application and therefore cannot enforce
the PBF rule. As more packets arrive, the firewall determines the
application, creates an entry in the App-ID cache, and retains this
App-ID for the session. When a new session is created with the same
destination IP address, destination port, and protocol ID, the
firewall could identify the application as the same as in the initial
session (based on the App-ID cache) and apply the PBF rule. Therefore,
a session that is not an exact match and is not the same application
can be forwarded based on the PBF rule.
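
The caching behaviour described above, modelled as an added example (not PAN-OS code and not from the vendor): the cache key is the destination IP address, destination port, and protocol ID from the text. The class and function names, the `other-app` label, and the sample sessions are constructed, and cache expiry is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    dst_ip: str
    dst_port: int
    proto: int        # IP protocol ID (6 = TCP)
    actual_app: str   # what App-ID concludes once enough packets arrive

class PbfModel:
    """Toy model of a PBF rule that names an application (assumed names)."""
    def __init__(self, rule_app):
        self.rule_app = rule_app
        self.cache = {}   # (dst_ip, dst_port, proto) -> cached App-ID

    def forward(self, s):
        key = (s.dst_ip, s.dst_port, s.proto)
        # Decision uses only the cache: the app is not yet known at setup.
        decision = "pbf" if self.cache.get(key) == self.rule_app else "route-table"
        # Later packets identify the app; the first result seeds the cache.
        # Assumption: entries are not refreshed or expired in this model.
        self.cache.setdefault(key, s.actual_app)
        return decision

def audit(rule_app, sessions):
    """Return (decisions, sessions PBF-forwarded although not rule_app)."""
    model = PbfModel(rule_app)
    decisions, mismatched = [], []
    for s in sessions:
        d = model.forward(s)
        decisions.append(d)
        if d == "pbf" and s.actual_app != rule_app:
            mismatched.append(s)
    return decisions, mismatched

# Constructed sample sessions (documentation address ranges).
SAMPLE = [
    Session("203.0.113.10", 443, 6, "web-browsing"),  # first sight: no cache
    Session("203.0.113.10", 443, 6, "web-browsing"),  # cache hit
    Session("203.0.113.10", 443, 6, "other-app"),     # same tuple, other app
    Session("198.51.100.7", 443, 6, "web-browsing"),  # new destination
]

if __name__ == "__main__":
    decisions, mismatched = audit("web-browsing", SAMPLE)
    for s, d in zip(SAMPLE, decisions):
        print(f"{s.dst_ip}:{s.dst_port} {s.actual_app:<13} -> {d}")
    print("forwarded by PBF despite app mismatch:", mismatched)
```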