* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://origin-researchcenter.paloaltonetworks.com/blog/corporate/)
* [Firewall](https://origin-researchcenter.paloaltonetworks.com/blog/category/firewall/)
* How Can You Classify ALL ...

# How Can You Classify ALL Apps, ALL the Time? (Hint: Custom App-IDs)

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2017%2F05%2Fcan-classify-apps-time-hint-custom-app-ids%2F)  
[](https://twitter.com/share?text=How+Can+You+Classify+ALL+Apps%2C+ALL+the+Time%3F+%28Hint%3A+Custom+App-IDs%29&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2017%2F05%2Fcan-classify-apps-time-hint-custom-app-ids%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2017%2F05%2Fcan-classify-apps-time-hint-custom-app-ids%2F&title=How+Can+You+Classify+ALL+Apps%2C+ALL+the+Time%3F+%28Hint%3A+Custom+App-IDs%29&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/2017/05/can-classify-apps-time-hint-custom-app-ids/&ts=markdown)  
\[\](mailto:?subject=How Can You Classify ALL Apps, ALL the Time? (Hint: Custom App-IDs))  
Link copied  
By [Stephanie Johnson](https://www.paloaltonetworks.com/blog/author/stephanie-johnson/?ts=markdown "Posts by Stephanie Johnson")  
May 31, 2017  
3 minutes  
[Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown)  
[App-ID](https://www.paloaltonetworks.com/blog/tag/app-id/?ts=markdown)  
[next-generation firewall](https://www.paloaltonetworks.com/blog/tag/next-generation-firewall/?ts=markdown)  
[NGFW](https://www.paloaltonetworks.com/blog/tag/ngfw/?ts=markdown)

To safely enable applications and ensure top performance in your business, you must classify all traffic, across all ports, all the time. The flexible architecture of [App-ID,](https://www.paloaltonetworks.com/technologies/app-id) a standard feature on our Next Generation Security Platform, allows you to easily create custom application signatures. These are useful to identify and control applications in the following circumstances:

* Applications proprietary to your organization and custom-developed for you.
* Topical or seasonal applications, such as applications that stream sporting events.
* Commercial applications not currently classified by App-ID. Typically, these applications are not in widespread use or are specific to a geographical region.

Custom App-IDs can also be used in App-ID override rules (to override a device's App-ID). An application override rule forcibly bypasses the App-ID process and sets a session to match a manually configured application name. For example, your corporate web server might be plainly identified as "web browsing," and you might want to override with a specific name so it's easily recognizable in the Application Command Center (ACC) and reports.

### Custom App-ID Samples and Scenarios

The following custom App-IDs were created to identify applications with topical interest.

* ++NCAA March Madness 2017++: Custom signatures were provided to identify the landing page on PCs and mobile apps, and to identify live video stream for PCs and mobile devices.
* ++Olympic Games 2016 in Rio de Janeiro:++ During the games, NBCUniversal streamed over 6,000 hours of live programming on its website and apps. A custom signature was created to identify streaming and on-demand video traffic from primary websites.

Activities like these can have a dramatic effect on network traffic, given employee interest and the sheer volume of video streamed over the corporate network. Such events are also frequently used by attackers to spread malware. By creating custom application signatures, organizations can whitelist ALL applications, including those not identified by default. This results in the safe enablement of applications and a reduced surface area for attacks. These and future custom App-IDs can be accessed on the [Palo Alto Networks Live Community](https://live.paloaltonetworks.com/).

### How to Create a Signature-Based Custom App-ID

You can create a signature-based custom App-ID by following these steps:

1. \*\*Capture and review application packets.\*\*Capture application packets so you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so you can locate each type of session in the resulting packet captures (PCAPs). Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server, you can view the packet capture for unknown traffic directly from the traffic log.
2. \*\*Identify traffic patterns and define match criteria.\*\*Use the PCAPs to find patterns or values in the packet contexts you can use to create signatures that uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths or hostnames.
3. **Add the custom application.** You can add the custom application using the management interface. Validate that traffic matches the custom application as expected before finalizing the process.

Inbuilt and custom App-IDs can reduce the attack surface and build stronger defenses against successful cyber breaches for your organization. To learn more:

* Register for the ["**Let Application Controls Do Their Job and Prevent Breaches**"](http://go.paloaltonetworks.com/app-id060617) webinar on June 6, 2017
* Check out the PAN-OS 8.0 Administrator's Guide:
  * [Create a Custom Application](https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/create-a-custom-application#_33572)
  * [Manage Custom or Unknown Applications](https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-custom-or-unknown-applications)

*** ** * ** ***

## Related Blogs

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown)

[#### Four Reasons to Use App-ID on Your Next-Generation Firewall](https://origin-researchcenter.paloaltonetworks.com/blog/2017/05/four-reasons-use-app-id-next-generation-firewall/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### 10 Things To Test In Your Future NGFW: Offer Consistent Protection](https://origin-researchcenter.paloaltonetworks.com/blog/2018/05/10-things-test-future-ngfw-offer-consistent-protection/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### 10 Things To Test In Your Future NGFW: Prevent Successful Ransomware Attacks](https://origin-researchcenter.paloaltonetworks.com/blog/2018/04/10-things-test-future-ngfw-prevent-successful-ransomware-attacks/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### 10 Things To Test In Your Future NGFW: Incorporate Dynamic Lists and Third-Party Threat Intelligence](https://origin-researchcenter.paloaltonetworks.com/blog/2018/04/10-things-test-future-ngfw-incorporate-dynamic-lists-third-party-threat-intelligence/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### 10 Things To Test In Your Future NGFW: Integration Into Your Security Ecosystem](https://origin-researchcenter.paloaltonetworks.com/blog/2018/04/10-things-test-future-ngfw-integration-security-ecosystem/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown)

[#### 10 Things To Test In Your Future NGFW: Automation](https://origin-researchcenter.paloaltonetworks.com/blog/2018/03/10-things-test-future-ngfw-automation/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language