Application Override Policy

Stateful layer 4 inspection for SIP-ALG and SMB traffic that overrides application-based policy.
Application Override policies bypass layer 7 processing and threat inspection and instead use less secure stateful layer 4 inspection. Because Application Override prevents the firewall from performing layer 7 application identification and layer 7 threat inspection and prevention, do not use it unless you must. Instead, create a custom application or create a custom service timeout, so that you keep visibility into and control of the application and inspect it in regular layer 7 Security policy rules.

Only use Application Override in the most highly trusted environments, where you can apply the principle of least privilege strictly. Install endpoint protection on endpoints, install compensating protections on servers, and make the Application Override rule as restrictive as possible (only the necessary source, destination, users, applications, and services), since you have limited visibility into the traffic. If you must use Application Override and the traffic traverses multiple inspection points, such as a data center firewall and then a perimeter firewall, apply Application Override consistently along the path.
There are two main use cases for Application Override:

- In Prisma Access, you can't make application-level gateway (ALG) changes in the cloud and you can't push them through Panorama, so if you need a SIP ALG, you may need to create an Application Override rule.
- In environments where SMB traffic performance is critically low and Disable Server Response Inspection (DSRI) doesn't improve performance enough, you may need to create an Application Override rule. Firewalls process Application Override rules faster at the expense of security, because the rules bypass layer 7 inspection.
Review your existing policy rulebase. If you have any Application Override rules for traffic other than SMB or SIP, convert the rule to an App-ID based rule so that you can decrypt and inspect the traffic at layer 7 and prevent threats.
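The rulebase review described above, written as an added example script that is not part of this page or of Palo Alto Networks' tooling: it flags Application Override rules whose application is not the SMB or SIP App-ID, and rules that leave a scope field unrestricted. The XML element layout under `rulebase/application-override/rules` and the sample export are assumptions constructed for the example, not taken from the page.

```python
import xml.etree.ElementTree as ET

# App-IDs that match the two use cases the page allows (SMB and SIP).
ALLOWED_APPS = {"ms-ds-smb", "sip"}
# Assumed location of the rules in a PAN-OS XML export (not from the page).
RULES_XPATH = ".//rulebase/application-override/rules/entry"
# Fields that must be narrowed; absent or "any" means unrestricted.
SCOPE_FIELDS = ("from", "to", "source", "destination", "source-user")
# Constructed sample export: one tightly scoped SMB rule, one over-broad rule.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase><application-override><rules>
 <entry name="smb-dc-override">
  <from><member>trust</member></from><to><member>dc</member></to>
  <source><member>10.1.1.0/24</member></source>
  <destination><member>10.2.0.5</member></destination>
  <source-user><member>fileshare-users</member></source-user>
  <protocol>tcp</protocol><port>445</port>
  <application>ms-ds-smb</application>
 </entry>
 <entry name="legacy-erp-override">
  <from><member>any</member></from><to><member>any</member></to>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <protocol>tcp</protocol><port>8443</port>
  <application>web-browsing</application>
 </entry>
</rules></application-override></rulebase></entry></vsys></entry></devices></config>"""

def _members(rule, tag):
    """Return the <member> values under a child element, [] if absent."""
    return [m.text.strip() for m in rule.findall(f"{tag}/member") if m.text]

def audit_app_override(config_xml):
    """Return [(rule_name, [findings])] for rules that need attention."""
    report = []
    for rule in ET.fromstring(config_xml).findall(RULES_XPATH):
        findings = []
        app = (rule.findtext("application") or "").strip()
        if app not in ALLOWED_APPS:
            findings.append(f"application '{app}' is not SMB/SIP; rewrite as an App-ID rule")
        for field in SCOPE_FIELDS:
            if _members(rule, field) in ([], ["any"]):
                findings.append(f"{field} is unrestricted; narrow it to what is required")
        if findings:
            report.append((rule.get("name", "<unnamed>"), findings))
    return report

if __name__ == "__main__":
    for name, findings in audit_app_override(SAMPLE_CONFIG):
        print(name, *findings, sep="\n  ")
```

Running it against the constructed export reports only `legacy-erp-override`; the SMB rule passes because it names only the required zones, addresses, and users.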