Application detectors

An application detector is a tool used in network analysis that

  • identifies commonly used applications on your network by analyzing traffic patterns,

  • provides customizable detection capabilities through different detector types, and

  • operates only when active to analyze application traffic.

Application detector types and characteristics

Application detectors identify commonly used applications on your network. Use the Detectors page (Policies > + Show more > Advanced > Applications) to view the detector list and customize detection capabilities.

Modify a detector or change its state (active or inactive) based on its type. The system uses only active detectors to analyze application traffic.

Note
Cisco-provided detectors may change with system and VDB updates. See the release notes for updates.
Note
For Firepower application identification, we intentionally do not list the ports. The application's associated ports are not reported for any of Cisco's applications because most of the applications are port-agnostic. Our platform's detection capabilities can identify services running on any port in the network.

Cisco-provided internal detectors:

  • Internal detectors are a special category of detectors for client, web application, and application protocol traffic. Internal detectors are delivered with system updates and are always on.

If an application matches internal detectors for client-related activity and no specific client detector exists, the system reports a generic client.

Cisco-provided client detectors:

  • Client detectors detect client traffic and are delivered via VDB or system update. These detectors are provided for import by Cisco Professional Services. You can activate and deactivate client detectors. You can export a client detector only if you import it.

Cisco-provided web application detectors:

  • Web application detectors detect web applications in HTTP traffic payloads and are delivered via VDB or system update. Web application detectors are always on.

Cisco-provided application protocol (port) detectors:

  • Port-based application protocol detectors use well-known ports to identify network traffic. They are delivered via VDB or system update, or are provided for import by Cisco Professional Services. You can activate and deactivate application protocol detectors, and view a detector definition to use it as the basis for a custom detector.

Cisco-provided application protocol (Firepower) detectors:

  • Firepower-based application protocol detectors analyze network traffic using Firepower application fingerprints and are delivered via VDB or system update. You can activate and deactivate application protocol detectors.

Custom application detectors:

  • Custom application detectors are pattern-based. They detect patterns in packets from client, web application, or application protocol traffic. You have full control over imported and custom detectors.
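The following sketch is an added illustration, not Cisco's detector engine or detector format. It contrasts port-based and pattern-based identification and shows that only active detectors are consulted. The detector names, patterns, evaluation order, and flows are constructed assumptions.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Detector:
    name: str                        # application reported on a match
    kind: str                        # "port" or "pattern"
    active: bool = True              # inactive detectors are never consulted
    port: Optional[int] = None       # well-known port (port detectors)
    pattern: Optional[bytes] = None  # payload regex (pattern detectors)

    def matches(self, dst_port: int, payload: bytes) -> bool:
        if self.kind == "port":
            return dst_port == self.port
        return re.search(self.pattern, payload) is not None

def identify(detectors, dst_port, payload):
    """Name from the first active detector that matches, else "unknown".
    Pattern detectors are tried first so payload evidence outranks the port
    number (an ordering assumed for this sketch)."""
    active = [d for d in detectors if d.active]
    for d in sorted(active, key=lambda d: d.kind != "pattern"):
        if d.matches(dst_port, payload):
            return d.name
    return "unknown"

# Constructed detector list; names and patterns are hypothetical.
DETECTORS = [
    Detector("SSH (port)", "port", port=22),
    Detector("HTTP (port)", "port", port=80),
    Detector("SSH (pattern)", "pattern", pattern=rb"^SSH-2\.0-"),
    Detector("HTTP (pattern)", "pattern",
             pattern=rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
]
# Constructed flows: (destination port, first payload bytes).
FLOWS = [
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (8080, b"SSH-2.0-OpenSSH_9.6\r\n"),  # SSH on a non-standard port
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),    # SSH on the HTTP port
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

def classify_all(detectors):
    return [identify(detectors, port, payload) for port, payload in FLOWS]

def only_kind_active(kind):
    """Copy of DETECTORS with every detector of another kind deactivated."""
    return [replace(d, active=(d.kind == kind)) for d in DETECTORS]

if __name__ == "__main__":
    print("all active:", classify_all(DETECTORS))
    print("port only: ", classify_all(only_kind_active("port")))
```

With only the port detectors active, the SSH session on port 8080 goes unidentified and the one on port 80 is labeled as HTTP, which is the gap that port-agnostic, payload-based detection closes.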