Application Override Policy

Application Override rules replace App-ID based policy with stateful layer 4 inspection, typically for SIP ALG and SMB traffic.
Application Override rules bypass layer 7 processing and threat inspection and instead rely on less secure stateful layer 4 inspection. Because they stop the firewall from identifying the application at layer 7 and from performing layer 7 threat inspection and prevention, do not use Application Override unless you must. Instead, create a custom application or a custom service timeout so that you keep visibility into, control over, and inspection of the application in regular layer 7 Security policy rules.
Use Application Override only in the most highly trusted environments where you can apply the principle of least privilege strictly. Install endpoint protection on endpoints, install compensating protections on servers, and make the Application Override rule as restrictive as possible (only the necessary source, destination, users, applications, and services), because you have limited visibility into the traffic it matches. If you must use Application Override and the traffic traverses multiple inspection points, such as a data center firewall and then a perimeter firewall, apply Application Override consistently along the whole path; otherwise a downstream firewall may classify the same traffic differently and apply a different policy.
There are two main use cases for Application Override:
  • In Prisma Access, you can't make application-level gateway (ALG) changes in the cloud and you can't push them through Panorama, so if you need a SIP ALG, you may need to create an Application Override rule.
  • In environments where SMB performance is critically low and Disable Server Response Inspection (DSRI) doesn't improve performance enough, you may need to create an Application Override rule. Firewalls process Application Override rules faster because they skip layer 7 inspection, so the performance gain comes at the expense of security.
Review your existing policy rulebase. If you have any Application Override rules for traffic other than SMB or SIP, convert each one to an App-ID based Security policy rule so that you can decrypt and inspect the traffic at layer 7 and prevent threats.
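As an added example (not part of this page or of any Palo Alto Networks tool), the script below audits an exported PAN-OS configuration for Application Override rules that conflict with the guidance above: rules that override to anything other than SMB or SIP, and rules that are broader than necessary (an `any` zone, source, or destination, or no port). The XML layout (`rulebase/application-override/rules/entry` with `from`, `to`, `source`, `destination`, `protocol`, `port`, `application`, and `disabled` children) follows the PAN-OS config export format as assumed here; the App-ID names `ms-ds-smb` and `sip` in the allowlist are assumptions you should match to your own App-ID database. The sample configuration is constructed for the example.

```python
"""Audit Application Override rules in an exported PAN-OS XML config.

Flags rules that override applications other than SMB/SIP and rules that are
not restricted to specific zones, addresses, and ports.
"""
import xml.etree.ElementTree as ET

# Applications for which the page accepts an Application Override rule.
# App-ID names are assumed; adjust them to match your firewall's App-ID database.
ALLOWED_APPS = {"ms-ds-smb", "sip"}

# Constructed sample export (not a real firewall config): one compliant rule,
# one SIP rule that is far too broad, and one legacy rule that should be App-ID based.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><application-override><rules>
      <entry name="smb-dc-override">
        <from><member>dc-clients</member></from>
        <to><member>dc-servers</member></to>
        <source><member>10.10.5.0/24</member></source>
        <destination><member>10.10.9.21</member></destination>
        <protocol>tcp</protocol><port>445</port>
        <application>ms-ds-smb</application>
      </entry>
      <entry name="sip-any">
        <from><member>any</member></from>
        <to><member>any</member></to>
        <source><member>any</member></source>
        <destination><member>any</member></destination>
        <protocol>udp</protocol><port>5060</port>
        <application>sip</application>
      </entry>
      <entry name="legacy-erp">
        <from><member>trust</member></from>
        <to><member>dmz</member></to>
        <source><member>any</member></source>
        <destination><member>10.20.0.5</member></destination>
        <protocol>tcp</protocol><port>8443</port>
        <application>custom-erp</application>
      </entry>
    </rules></application-override></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def _members(entry, tag):
    """Return the <member> values under a child element such as <source>."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]


def audit_app_override(config_xml, allowed_apps=ALLOWED_APPS):
    """Return {rule_name: [findings]} for every enabled rule that violates the guidance.

    A rule with no findings is omitted, so an empty dict means the rulebase is clean.
    """
    root = ET.fromstring(config_xml)
    findings = {}
    for rule in root.iterfind(".//rulebase/application-override/rules/entry"):
        if (rule.findtext("disabled") or "").strip() == "yes":
            continue  # disabled rules do not match traffic
        name = rule.get("name", "<unnamed>")
        problems = []
        app = (rule.findtext("application") or "").strip()
        if app not in allowed_apps:
            problems.append(f"overrides to '{app}', not SMB/SIP: convert to an App-ID rule")
        # Least privilege: every match field should name the necessary zones/addresses only.
        for tag in ("from", "to", "source", "destination"):
            if "any" in _members(rule, tag):
                problems.append(f"{tag} is 'any': restrict to the necessary {tag}")
        if not (rule.findtext("port") or "").strip():
            problems.append("no port: restrict to the necessary service port")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for rule_name, problems in audit_app_override(SAMPLE_CONFIG).items():
        print(rule_name)
        for problem in problems:
            print("  -", problem)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents. The audit only checks the Application Override rulebase itself; it does not verify that a matching Security policy rule exists or that endpoint and server protections described above are in place, so treat its output as a worklist, not a clean bill of health.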