App-ID — the feature you are underusing
App-ID is the feature most engineers underuse.
- #engineer-series
- #paloaltonetworks
- #appid
- #networksecurity
- #cybersecurity
- #firewallengineer
By Mrugesh Patel, Senior Network Security Engineer
Originally posted on LinkedIn — Engineer Series · 2026-06-01
And it’s also the feature that separates Palo Alto from everything else.
Fortinet has application identification. Check Point has it. But App-ID was built into the foundation of Palo Alto from day one, as the primary match criterion of the security policy rather than as an inspection feature bolted on later.
Here’s why it matters in practice:
Traditional firewall thinking:
→ “Allow port 443 outbound”
→ Reality: That’s Slack, Dropbox, BitTorrent over HTTPS, and unknown shadow IT — all flowing.
App-ID thinking:
→ “Allow web-browsing, slack, ms-teams to internet” with service set to application-default, so each app is only allowed on its standard port
→ Reality: the firewall identifies the application from the payload, not the port number. Anything that is not one of the listed apps, including something tunnelled over 443 to look like web traffic, matches no rule and falls through to the interzone default deny.
What junior engineers miss about App-ID:
✅ It works on encrypted traffic too, but only with decryption enabled. Without it, most TLS flows are logged as “ssl” plus whatever the firewall can infer from the certificate or SNI, not the application inside the tunnel
✅ Custom App-IDs let you identify your own internal apps
✅ Application Filters group apps by risk and behavior
✅ Dependent apps matter — Office 365 needs many sub-apps
✅ “Application Override” exists, but use it sparingly: traffic matched by an override policy skips App-ID signature matching and Layer 7 threat inspection, so it is a hole in exactly the visibility you are trying to build
A practical first step:
➡️ Pick one rule whose application is “any” and whose service is “service-https”
➡️ Filter the traffic log on that rule and read the Application column: the real apps, the “ssl” you cannot see into, and the unknown-tcp / incomplete sessions
➡️ Replace “any” with the applications you actually want, set the service to application-default, and decide what to do with the unknown and undecrypted remainder
➡️ Watch your visibility transform
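The steps above are easy to do in the log viewer for one rule, but the same analysis is worth scripting when you have dozens of port-based rules. The Python below is an added example, not code from Mrugesh’s post or from Palo Alto Networks: it runs offline against a constructed sample of a PAN-OS traffic-log CSV export (the column names, the rule name Allow-HTTPS-Out, the addresses and the approved application set are all assumptions), tallies what the rule actually carried, sorts it into approved, undecrypted, unidentified and shadow-IT buckets, and prints the configure-mode lines that would turn the port rule into an application rule. The `set rulebase security rules … application [ … ]` / `service application-default` syntax is written from memory and should be confirmed on your PAN-OS version before you commit it.

```python
"""Tally App-ID traffic logs for one port-based rule and propose an app-based replacement.

Added example; constructed sample data. Column names mirror a typical PAN-OS
traffic-log CSV export and are an assumption: check them against your own export.
"""
import csv
import io
from collections import Counter

# Constructed sample log. Only Allow-HTTPS-Out is analysed; the dns row is there
# to show that other rules are ignored.
SAMPLE_LOG = """\
Receive Time,Rule,Application,Source address,Destination address,Destination Port,Action,Bytes
2026/06/01 09:00:01,Allow-HTTPS-Out,slack,10.1.1.10,3.120.10.5,443,allow,48213
2026/06/01 09:00:04,Allow-HTTPS-Out,web-browsing,10.1.1.11,93.184.216.34,443,allow,15002
2026/06/01 09:00:09,Allow-HTTPS-Out,ms-teams,10.1.1.12,52.112.0.10,443,allow,910233
2026/06/01 09:00:12,Allow-HTTPS-Out,ssl,10.1.1.13,104.16.1.1,443,allow,22011
2026/06/01 09:00:15,Allow-HTTPS-Out,dropbox,10.1.1.14,162.125.1.1,443,allow,5320000
2026/06/01 09:00:18,Allow-HTTPS-Out,bittorrent,10.1.1.15,185.1.2.3,443,allow,88000000
2026/06/01 09:00:21,Allow-HTTPS-Out,unknown-tcp,10.1.1.16,198.51.100.7,443,allow,4100
2026/06/01 09:00:24,Allow-HTTPS-Out,incomplete,10.1.1.17,203.0.113.9,443,allow,0
2026/06/01 09:00:27,Allow-HTTPS-Out,slack,10.1.1.10,3.120.10.6,443,allow,10021
2026/06/01 09:00:30,Allow-HTTPS-Out,web-browsing,10.1.1.18,93.184.216.34,443,allow,7700
2026/06/01 09:00:33,Allow-DNS-Out,dns,10.1.1.10,10.0.0.53,53,allow,120
2026/06/01 09:00:36,Allow-HTTPS-Out,ssl,10.1.1.19,104.16.1.2,443,allow,3400
"""

# App-ID values that mean "nothing was identified", not "an application was seen".
UNIDENTIFIED = {"unknown-tcp", "unknown-udp", "unknown-p2p",
                "incomplete", "insufficient-data", "not-applicable"}


def tally_rule(log_text, rule_name):
    """Return {application: (sessions, bytes)} for allowed sessions that hit one rule."""
    sessions, volume = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Rule"] != rule_name or row["Action"] != "allow":
            continue
        app = row["Application"]
        sessions[app] += 1
        volume[app] += int(row["Bytes"])
    return {app: (sessions[app], volume[app]) for app in sessions}


def classify(tally, approved):
    """Split what the rule carried into the buckets that drive the rewrite, largest first by bytes."""
    buckets = {"approved": [], "undecrypted": [], "unidentified": [], "shadow": []}
    for app, (_, _bytes) in sorted(tally.items(), key=lambda kv: -kv[1][1]):
        if app in approved:
            buckets["approved"].append(app)
        elif app == "ssl":              # TLS the firewall could not look inside
            buckets["undecrypted"].append(app)
        elif app in UNIDENTIFIED:       # needs a decision, maybe a custom App-ID
            buckets["unidentified"].append(app)
        else:                           # identified, allowed, and not on the list
            buckets["shadow"].append(app)
    return buckets


def propose_rule(rule_name, approved_seen):
    """Emit configure-mode lines that turn the port rule into an app rule.

    Assumption: PAN-OS CLI syntax as recalled; confirm on your version before committing.
    """
    apps = " ".join(sorted(approved_seen))
    return [
        f"set rulebase security rules {rule_name} application [ {apps} ]",
        f"set rulebase security rules {rule_name} service application-default",
    ]


if __name__ == "__main__":
    tally = tally_rule(SAMPLE_LOG, "Allow-HTTPS-Out")
    buckets = classify(tally, {"web-browsing", "slack", "ms-teams"})
    for name, apps in buckets.items():
        print(f"{name:12s} {', '.join(apps) or '-'}")
    print("\n".join(propose_rule("Allow-HTTPS-Out", buckets["approved"])))
```

On the sample, the shadow bucket (bittorrent, dropbox) is the answer to the question at the end of this post; the undecrypted bucket is what SSL decryption would unlock; and the unidentified bucket is where custom App-IDs for internal apps usually start, because unknown-tcp on a port-based rule is very often your own software. Sorting by bytes rather than session count is deliberate: the one bittorrent session outweighs every approved app combined.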
Most teams have a port problem dressed up as a security policy.
What’s the most surprising application you’ve found hiding inside “allowed” traffic?
Found this useful?
Share it on LinkedIn — it tells me what to write about next, and helps other engineers find it.