The Pre-ID default policy (pre-id-default-policy) denies the flow before performing application identification (AppID) when there are no potential policies to permit the flow. When the device receives the first packet of a traffic flow, it performs a basic 5-tuple matching and checks the defined potential policies to determine how to treat the packet. If all potential policies have action as "deny", and the default policy action is also set to "deny", then the device denies the traffic and does not perform application identification. If any policy has action other than "deny", then the device performs deep packet inspection (DPI) to identify the application.The device checks for potential policies on both zone context and global context.