A session is considered unclassified until a packet is received that fully matches a security rule.
It is not always possible to identify the application using DPI technology from the first packet of the session. For example, in a TCP session, the first few packets are used to establish the connection and do not contain any data. Until the analysis of the session is completed and the associated application is identified, the session may match a security rule that is not the same as the rule that is matched after the application is identified. A session becomes classified when a packet is received that can be fully matched to a security rule.
Until the session is classified, the Inspect action and the default security profile group are applied to it. After the session is classified, the action from the matching security rule is applied to it.
For unclassified sessions, you can configure the logging of session start and end events, as well as select a special security profile group.
Page top