Issue:
When tunnel or proxied traffic sent through VOS as transit traffic(tunnel or proxy is not terminated on VOS), application identification may not work consistently.
VOS application identification engine uses following mechanisms to identify application:
- Destination IP and ports for some of well known SaaS apps. This mechanism is used for SaaS apps where SaaS provider publishes this information and made it available to access via API calls. Versa calls it as first packet based classification.
- DNS requests.
- SNI fields in SSL handshake
- Traffic patterns and application behavior.
- AI/ML models trained on data from similar applications.
- Deep Packet inspection of payload, if SSL decryption is enabled.
When devices behind VOS send traffic to destination via IPsec tunnel or to proxy such as Zscaler etc., VOS will see this as transit traffic since tunnel or proxy is not terminated on VOS. Multiple application traffic goes via this single tunnel/proxy session, VOS application identification engine may categorize this traffic based on first application traffic goes within this transit single session.
Solution:
When tunnel or proxy traffic sent through VOS as transit traffic and that needs to be not categorized based on above explained mechanisms, configure user defined application using source/destination tunnel/proxy IP. User defined applications overrides VOS in-built predefined application discovery.
Refer this document to create user defined application: