Application Override policies bypass layer 7 processing and threat inspection and instead use less secure stateful layer 4 inspection. Application Override policies prevent the firewall from performing layer 7 application identification and layer 7 threat inspection and prevention; do not use Application Override unless you must. Instead, create a custom application or create a custom service timeout so that you maintain visibility into, control, and inspect the application in regular layer 7 Security policy rules.

Only use Application Override in the most highly trusted environments where you can apply the principle of least privilege strictly. Install endpoint protection on endpoints, install compensating protections on servers, and make the Application Override rule as restrictive as possible (only the necessary source, destination, users, applications, and services) since you have limited visibility into the traffic. If you must use Application Override and the traffic traverses multiple inspection points such as a data center firewall and then a perimeter firewall, apply Application Override consistently along the path.

There are two main use cases for Application Override:

Review your existing policy rulebase. If you have any Application Override rules for traffic other than SMB or SIP, convert the rule to an App-ID based rule so that you can decrypt and inspect the traffic at layer 7 and prevent threats.