What is App-ID in Palo Alto Networks Firewall | Blog | Adroit Information Technology Academy (AITA)

What is App-ID in Palo Alto Networks Firewall

App-ID is a patented traffic classification system available only in Palo Alto Networks firewalls. App-ID identifies an application irrespective of the port, protocol, encryption or any other evasive tactic the application uses. Multiple classification mechanisms, such as application signatures and application protocol decoding, are combined to accurately identify the application carried inside the network traffic.

How App-ID identifies applications is described below:

  • First, the traffic is matched against the security policy to check whether it is allowed or not.
  • If the traffic is allowed, it is checked against the application signatures to identify the application, whether the application is running on its default port (application-default) or on some other, non-standard port. If the security policy allows the traffic, it is then scanned for threats, and further analysed to identify the application at a more granular level.
  • If SSL or SSH encryption is in use and a Decryption policy rule already exists for the session, the session is decrypted and the application signatures are checked again on the decrypted traffic.
  • Next, decoders for known protocols are applied, so that context-based signatures can detect any other application tunnelling inside the protocol. The decoders also validate whether the traffic conforms to the protocol specification.
  • If an application is particularly evasive and cannot be identified by advanced signature and protocol analysis, heuristics or behavioural analysis are applied to determine its actual identity.

Once the application has been identified, the security policy determines what to do with it: allow or block the application, scan it for threats, inspect it for unauthorized file transfers or data patterns, or shape it using QoS.
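The following toy model of the flow just described is an added illustration for this article and is not Palo Alto Networks code. It shows the two points a firewall administrator most needs from App-ID: the application is identified from the payload rather than the port, and a rule whose service is set to application-default still denies a recognised application that turns up on a non-standard port, whereas a rule with service "any" lets it through. It also shows that, without a matching Decryption rule, a TLS session is only ever seen as "ssl", while with decryption the signatures and decoders run on the inner traffic. The signature table, default-port table, application names and all sample flows are constructed assumptions.

```python
"""Toy model of the App-ID flow described above (policy check, signature
match, decryption, decoder, heuristics, then policy action).

Constructed example for this article; it is not Palo Alto Networks code.
The signature table, default-port table, application names used here
("web-browsing", "ssl", "ssh", "bittorrent", "unknown-tcp") and all
sample flows are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed signature table: a payload prefix identifies an application,
# whatever destination port the flow uses.
SIGNATURES = {
    b"GET ": "web-browsing",
    b"POST ": "web-browsing",
    b"SSH-2.0-": "ssh",
    b"\x16\x03": "ssl",      # TLS handshake record header; assumed marker
}

# Constructed "application-default" port table, consulted when a rule's
# service is application-default.
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}, "bittorrent": {6881}}


@dataclass
class Flow:
    dst_port: int
    payload: bytes
    decrypted_payload: Optional[bytes] = None  # assumed content after decryption


@dataclass
class Rule:
    applications: Set[str]
    service: str   # "application-default" or "any"
    action: str    # "allow" or "deny"


def match_signature(payload: bytes) -> Optional[str]:
    """Signature match: port-independent, based on payload bytes only."""
    for prefix, app in SIGNATURES.items():
        if payload.startswith(prefix):
            return app
    return None


def apply_decoder(app: Optional[str], payload: bytes) -> Optional[str]:
    """Decoder step: look for another application tunnelled inside a known
    protocol. Constructed check: a tracker-style request inside HTTP."""
    if app == "web-browsing" and b"/announce?info_hash=" in payload:
        return "bittorrent"
    return app


def classify(flow: Flow, decrypt: bool) -> str:
    """Identify the application for a flow. `decrypt` stands in for an
    existing Decryption policy rule that matches the session."""
    payload = flow.payload
    app = match_signature(payload)
    if app == "ssl" and decrypt and flow.decrypted_payload is not None:
        # Decryption in place: re-run the signatures on the decrypted bytes.
        payload = flow.decrypted_payload
        app = match_signature(payload)
    app = apply_decoder(app, payload)
    if app is None:
        # Heuristic fallback for traffic no signature or decoder recognised.
        app = "unknown-tcp"
    return app


def evaluate(rule: Rule, flow: Flow, app: str) -> str:
    """Policy decision once the application is known."""
    if app not in rule.applications:
        return "deny"
    if rule.service == "application-default" and flow.dst_port not in DEFAULT_PORTS.get(app, set()):
        # Known application on a non-standard port: application-default denies it.
        return "deny"
    return rule.action


# Constructed sample flows.
HTTP_ON_80 = Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
HTTP_ON_8080 = Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
TLS_ON_443 = Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4",
                  decrypted_payload=b"GET /announce?info_hash=abc HTTP/1.1\r\n\r\n")
OPAQUE_ON_4444 = Flow(4444, bytes(range(0x90, 0xa0)))

ALLOW_WEB_DEFAULT = Rule({"web-browsing", "ssl"}, "application-default", "allow")
ALLOW_WEB_ANY_PORT = Rule({"web-browsing", "ssl"}, "any", "allow")


def run_demo() -> dict:
    """Return the identification and policy results for the sample flows."""
    return {
        "http_80": classify(HTTP_ON_80, decrypt=False),
        "http_8080": classify(HTTP_ON_8080, decrypt=False),
        "http_8080_app_default": evaluate(ALLOW_WEB_DEFAULT, HTTP_ON_8080, "web-browsing"),
        "http_8080_any_service": evaluate(ALLOW_WEB_ANY_PORT, HTTP_ON_8080, "web-browsing"),
        "tls_no_decrypt": classify(TLS_ON_443, decrypt=False),
        "tls_decrypted": classify(TLS_ON_443, decrypt=True),
        "opaque_4444": classify(OPAQUE_ON_4444, decrypt=False),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:24s} {result}")
```

The practical takeaway is in the two 8080 results: App-ID names the application correctly on either port, but only the rule written with service application-default turns that identification into a deny, which is why that setting, rather than "any", is the usual recommendation for allow rules.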

Tags: App-ID, Palo Alto, application signature, decoders, heuristics