Most networking applications run on specific ports. For example, SSH runs on port 22, and Facebook runs on ports 80 and 443.
If the default network service is enabled in the application control profile, a port enforcement check is done at the application profile level, and any detected application signatures running on the non-standard TCP/IP port are blocked. This means that each allowed application runs on its default port.
config application list edit <name> set enforce-default-app-port enable config entries edit 1 set application 15896 set action pass next end next end
For example, when applying this application control sensor, FTP traffic (application 15896) with the standard port (port 21) is allowed, while the non-standard port (port 2121) is blocked.