Answer» App-ID is used to identify applications on your network in the following way:
- Traffic is compared to policy to see if it is authorised on the network.
- The application is then identified by applying signatures to approved traffic based on application traits and transaction characteristics that are unique to the application. The signature also determines whether or not the application is running on its default port. If the traffic is allowed by policy, it is checked for threats and studied further so that the application may be identified.
- If App-ID detects encryption (SSL or SSH) and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again to the decrypted flow.
- Additional context-based signatures are applied to decoders for well-known protocols in order to detect other apps that may be tunnelling within the protocol (for example, Yahoo! Instant Messenger via HTTP). Decoders ensure that traffic follows protocol standards, and they make NAT traversal and dynamic pinhole opening easier for applications like SIP and FTP.
- Heuristics or behavioural analysis may be used to establish the identity of apps that are exceptionally evasive and cannot be identified by advanced signature and protocol analysis.
When an application is found, the policy check decides whether to block it or allow it to operate while screening for risks, inspecting for illegal file transfers and data patterns, or shaping it using QoS.