Application Enrichment
Application Enrichment adds layer-7 context to flow records by leveraging the deep packet inspection (DPI) and application classification engines built into your network devices. Rather than seeing traffic as anonymous port/protocol pairs, NFO can report on named applications — from business tools like Salesforce and Office 365 to potential threats like BitTorrent or unauthorized remote access tools.
Each supported vendor exports application data differently — via proprietary NetFlow fields, IPFIX extensions, or dedicated telemetry streams. Choose the guide below that matches your device.
How It Works
Unlike identity or threat enrichment, application data is classified and tagged on the device itself before export. NFO receives the application name as part of the flow record and maps it to the enriched field without requiring additional lookup infrastructure.
- Device Classification: The firewall or router inspects traffic using its DPI engine (e.g., Cisco NBAR2, Palo Alto App-ID) and tags each flow with an application name.
- Flow Export: The device exports flow records — including the application field — to NFO via NetFlow v9 or IPFIX.
- Enrichment: NFO maps the vendor-specific application field to a normalized applicationName field appended to every matching flow record.
- Reporting: Enriched flows are available for analysis, alerting, and forwarding to your SIEM.
How NFO Resolves Application Names
Once application data arrives in a flow record, the Network Conversations Module applies a multi-step resolution pipeline to determine the final app_name reported in NFO output. This process normalizes application data across all supported vendors into a consistent field regardless of how each device exports it.
Resolution Priority Order
NFO evaluates application data in the following priority order, stopping as soon as a result is found:
| Priority | Source | Notes |
|---|---|---|
| 1 | Custom applications list | User-defined ip/port/protocol → app_name mapping. Most authoritative — overrides everything, including device-reported names. Ignore list is never applied to custom matches. |
| 2 | app_name direct in flow | Device-reported name carried directly in the flow record. Rare, but treated as authoritative. Subject to ignore list. |
| 3 | Applications override list | Maps app_id → app_name. Applied when a flow carries an app_id but no app_name. Skips the App ID catalog lookup below. |
| 4 | App ID catalog | Auto-built from NetFlow Options (app_id type 95, app_name type 96, app_desc type 94). Used as fallback when none of the above produce a result. Subject to ignore list. |
| 5 | Application names to be ignored | Suppresses device-reported junk values (e.g. unknown, incomplete, not-applicable) from NFO output. Not applied to Custom applications list matches. |
Configuring the Lists
All four lists are configured in the Network Conversations Module parameter table:
- Custom applications list — maps ip/port/protocol to app_name/app_desc. Evaluated first for all flows.
- Applications override list — maps app_id to app_name/app_desc. Applied when no custom match was found.
- App ID catalog (read-only) — auto-built from NetFlow Options. Resolves names for flows carrying an app_id.
- Application names to be ignored — suppresses device-reported names that carry no useful information.
For parameter details and configuration steps, see Network Conversations Module.
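The priority table and the four lists above describe a resolution order in prose. The following is an added, self-contained Python model of that order written for this page; it is not NFO's own code. It assumes flow records are plain dicts, that a Custom applications list rule matches either endpoint of the flow (the page does not say which), that an ignored device-reported name counts as "no result" so resolution continues to the app_id paths, and that the ignore list is not applied to Applications override list matches (the page only states it applies to device-reported names). The Options element type numbers (94, 95, 96) are the ones named in the table; all sample rules, catalog entries and flows are constructed.

```python
"""Added model of NFO's app_name resolution order (not NFO's own code)."""
from dataclasses import dataclass, field
from typing import Optional

# NetFlow Options element types named on the page
APP_DESC_TYPE = 94
APP_ID_TYPE = 95
APP_NAME_TYPE = 96


@dataclass
class Resolution:
    app_name: Optional[str]
    app_desc: Optional[str]
    source: str  # which priority step produced the answer


@dataclass
class AppResolver:
    # Priority 1: (ip, port, protocol) -> (app_name, app_desc); None = wildcard
    custom: dict = field(default_factory=dict)
    # Priority 3: app_id -> (app_name, app_desc)
    override: dict = field(default_factory=dict)
    # Priority 4: app_id -> (app_name, app_desc), learned from Options records
    catalog: dict = field(default_factory=dict)
    # Priority 5: device-reported names that carry no information
    ignored: set = field(default_factory=set)

    def __post_init__(self):
        self.ignored = {n.lower() for n in self.ignored}  # assumption: case-insensitive

    def learn_options(self, option_records):
        """Build the App ID catalog from Options data records keyed by element type."""
        for rec in option_records:
            app_id, name = rec.get(APP_ID_TYPE), rec.get(APP_NAME_TYPE)
            if app_id is None or not name:
                continue
            self.catalog[app_id] = (name, rec.get(APP_DESC_TYPE))

    def _custom_match(self, flow):
        # Assumption: a rule may match either the destination or the source endpoint
        endpoints = ((flow.get("dst_ip"), flow.get("dst_port"), flow.get("protocol")),
                     (flow.get("src_ip"), flow.get("src_port"), flow.get("protocol")))
        for ip, port, proto in endpoints:
            for (rip, rport, rproto), value in self.custom.items():
                if rip in (None, ip) and rport in (None, port) and rproto in (None, proto):
                    return value
        return None

    def _is_ignored(self, name):
        return name.lower() in self.ignored

    def resolve(self, flow) -> Resolution:
        # 1. Custom list: most authoritative, ignore list never applied
        hit = self._custom_match(flow)
        if hit:
            return Resolution(hit[0], hit[1], "custom")
        # 2. app_name carried directly in the flow, subject to the ignore list
        direct = flow.get("app_name")
        if direct and not self._is_ignored(direct):
            return Resolution(direct, flow.get("app_desc"), "flow")
        # 3./4. app_id paths: override list first, and it skips the catalog
        app_id = flow.get("app_id")
        if app_id is not None:
            if app_id in self.override:
                name, desc = self.override[app_id]
                return Resolution(name, desc, "override")
            if app_id in self.catalog:
                name, desc = self.catalog[app_id]
                if not self._is_ignored(name):
                    return Resolution(name, desc, "catalog")
        return Resolution(None, None, "unresolved")


def demo():
    """Run constructed flows through the resolver; returns one Resolution per flow."""
    r = AppResolver(
        custom={("10.0.0.5", 8443, "tcp"): ("internal-erp", "constructed in-house ERP")},
        override={13: ("bittorrent", "P2P file sharing (override)")},
        ignored={"unknown", "incomplete", "not-applicable"},
    )
    r.learn_options([  # constructed Options records
        {APP_ID_TYPE: 13, APP_NAME_TYPE: "bittorrent", APP_DESC_TYPE: "BitTorrent P2P"},
        {APP_ID_TYPE: 7, APP_NAME_TYPE: "salesforce", APP_DESC_TYPE: "Salesforce CRM"},
        {APP_ID_TYPE: 0, APP_NAME_TYPE: "unknown"},
    ])
    flows = [  # constructed flow records
        {"src_ip": "192.168.1.20", "src_port": 51000, "dst_ip": "10.0.0.5",
         "dst_port": 8443, "protocol": "tcp", "app_name": "ssl"},        # custom wins
        {"app_name": "salesforce"},                                       # direct name
        {"app_name": "unknown", "app_id": 7},                             # ignored -> catalog
        {"app_id": 13},                                                   # override, skips catalog
        {"app_id": 7},                                                    # catalog
        {"app_id": 0},                                                    # catalog name ignored
    ]
    return [r.resolve(f) for f in flows]


if __name__ == "__main__":
    for res in demo():
        print(f"{res.source:10s} {res.app_name}")
```

Running the block shows the first flow resolving to internal-erp even though the device tagged it ssl, the override entry for app_id 13 being used without consulting the catalog, and app_id 0 ending unresolved because its catalog name is on the ignore list.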
Supported Devices
Configuration varies by vendor and platform. Choose the guide below that matches your environment:
Cisco AVC
Devices: ASR1k, ISR-G2
Uses Easy Performance Monitor (ezPM) to export NBAR2 application names, Application Response Time (ART), and URL data via NetFlow.
Palo Alto
Devices: PA-Series, VM-Series NGFW
Uses PAN-OS-specific NetFlow fields to export App-ID and User-ID. Identifies layer-7 applications by name, including SSL-encrypted traffic.
Fortinet
Devices: FortiGate firewalls
Uses FortiOS NetFlow templates to export application names. DPI-based classification covers thousands of applications across encrypted and unencrypted traffic.
SonicWall
Devices: TZ, NSa, NSsp series
Uses IPFIX with extensions to export application name and category. The DPI engine identifies applications across SSL traffic without requiring certificate inspection setup.
Next Steps
Select your device vendor above to begin configuration. If you have multiple vendor devices in your environment, you can configure application enrichment for each independently — NFO normalizes the application field across all sources into a consistent format for unified reporting.