| Description |
This article describes the case where traffic is blocked as an unknown application. When unknown applications are set to block, application control blocks any traffic for which there is no application signature.
Application control settings.
Policy for traffic with the above app control settings:
Below is the unknown application log message as seen in both the GUI and the CLI:
date=2024-11-16 time=05:40:58 eventtime=1731692458347762641 tz="+1200" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=0 srcip=10.1.100.240 srccountry="Reserved" dstip=172.16.200.166 dstcountry="Reserved" srcport=59564 dstport=9600 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=17 service="udp/9600" direction="incoming" policyid=1 poluuid="08293d90-98b3-51ef-1a6c-f9ffc13775e2" policytype="policy" sessionid=936 applist="test" action="block" appcat="unknown" app="Unknown Application" incidentserialno=157286588 msg="unknown: Unknown Application"
The IPS engine needs to scan a certain number of bytes to identify all known applications. It will not preemptively block a session as unknown until this threshold is reached and no known application is matched. |
| Scope | FortiGate v7.6, v7.4, v7.2, v7.0, v6.4. |
| Solution |
The solution is to set unknown applications to monitor or allow.
For example:
Related article: Technical Tip: Allow or Deny specific application using application service |
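
To see which flows are affected before changing the unknown application action, exported log lines like the one above can be triaged offline. The following is an added example, not part of the original article or Fortinet tooling; `parse_line`, `is_unknown_block` and `summarize` are hypothetical helper names, and the sample lines are constructed (the first is shortened from the article's log entry).

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is shortened from the article's log entry,
# lines 2 and 3 are made up for illustration.
SAMPLE_LOGS = [
    'date=2024-11-16 time=05:40:58 type="utm" subtype="app-ctrl" appid=0 '
    'srcip=10.1.100.240 dstip=172.16.200.166 dstport=9600 proto=17 '
    'service="udp/9600" policyid=1 applist="test" action="block" '
    'appcat="unknown" app="Unknown Application" msg="unknown: Unknown Application"',
    'date=2024-11-16 time=05:41:03 type="utm" subtype="app-ctrl" appid=0 '
    'srcip=10.1.100.241 dstip=172.16.200.166 dstport=9600 proto=17 '
    'service="udp/9600" policyid=1 applist="test" action="block" '
    'appcat="unknown" app="Unknown Application" msg="unknown: Unknown Application"',
    'date=2024-11-16 time=05:41:10 type="utm" subtype="app-ctrl" '
    'srcip=10.1.100.240 dstip=172.16.200.166 dstport=53 proto=17 '
    'service="DNS" policyid=1 applist="test" action="pass" '
    'appcat="Network.Service" app="DNS" msg="Network.Service: DNS"',
]

# key=value pairs; a quoted value may contain spaces and escaped quotes.
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_line(line):
    """Return one FortiGate log line as a dict of field name to value."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def is_unknown_block(rec):
    """True for app-ctrl events where no signature matched and the session was blocked."""
    return (rec.get("subtype") == "app-ctrl" and rec.get("appcat") == "unknown"
            and rec.get("action") == "block")

def summarize(lines):
    """Group unknown-application blocks by (policyid, applist, service)."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "destinations": set()})
    for line in lines:
        rec = parse_line(line)
        if not is_unknown_block(rec):
            continue
        group = groups[(rec.get("policyid"), rec.get("applist"), rec.get("service"))]
        group["count"] += 1
        group["sources"].add(rec.get("srcip"))
        group["destinations"].add(rec.get("dstip"))
    return dict(groups)

if __name__ == "__main__":
    for (policy, applist, service), g in summarize(SAMPLE_LOGS).items():
        print(f"policy={policy} applist={applist} service={service} "
              f"blocked={g['count']} sources={sorted(g['sources'])}")
```

Each group in the summary identifies a policy, application list and service where legitimate traffic may be hitting the unknown application block.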