Limitations and Precautions for Applications and Application Groups

Hardware Requirements

The applications and application groups is supported by all models.

License Requirements

The applications and application groups is not license-controlled.

Limitations

• Currently, security policies, traffic policies, and policy-based routing can reference applications and application groups.
• Applications and application groups support IPv4 and IPv6, and user-defined application rules can be configured with IPv4 and IPv6 addresses.

Precautions

• User-Defined Applications have a higher priority than predefined Applications in the service awareness signature database, regardless of whether the database is updated.
• Identification of applications on the FW relies on the service awareness signature database of the system. Ensure that an service awareness signature database has been loaded to the FW before you use the application and application group. To identify new applications, you need to update the service awareness signature database.
• On actual networks, some applications are no longer used because they stop providing services. Therefore, there is no traffic related to these applications on the networks. To prevent useless applications from using space, the applications that stop providing services are in the obsolete state in the service awareness signature database (the obsolete applications have strikethroughs on the web UI). An application that has been in the obsolete state for one year will be deleted from the service awareness signature database. If the service awareness signature database is upgraded after an application is deleted, the security policy that references the deleted application is lost and the application cannot be viewed through original logs because the new service awareness signature database does not have the deleted application. Therefore, delete the configuration of the obsolete application in time.
• Some application subcategories have been abandoned but are reserved to make the version compatible with earlier ones. You are not advised to add user-defined applications to these abandoned subcategories.
• The application identification may function improperly if the forward and return packet paths are different.
• Third-party VPN software features short iteration period and fast traffic characteristics change. Such applications can evade traffic detection by switching communication channels. As a result, the application awareness signature database may not accurately match such applications of the latest version, and thus the device cannot implement precise traffic management and control.