Maintain the Rulebase
Because applications are always evolving,
your application whitelist will need to evolve also. Each time you
make a change in what applications you sanction, you must make a
corresponding policy change. As you do this, instead of just adding
a new rule like you would do with a port-based policy, instead identify
and modify the rule that aligns with the business use case for the
application. Because the best practice rules leverage policy objects
for simplified administration, adding support for a new application
or removing an application from your whitelist typically means modifying
the corresponding application group or application filter accordingly.
Additionally,
installing new App-IDs included in a content release version can
sometimes cause a change in policy enforcement for applications
with new or modified App-IDs. Therefore, before installing a new
content release, review the policy impact for new App-IDs and stage
any necessary policy updates. Assess the treatment an application receives
both before and after the new content is installed. You can then
modify existing Security policy rules using the new App-IDs contained
in a downloaded content release (prior to installing the App-IDs).
This enables you to simultaneously update your security policy rules
and install new content, and allows for a seamless shift in policy
enforcement. Alternatively, you can choose to disable new App-IDs
when installing a new content release version; this enables protection
against the latest threats, while giving you the flexibility to
enable the new App-IDs after you've had the chance to prepare any
policy changes.
- Before installing a new content release version, review the new App-IDs to determine if there is policy impact.
- Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
- Tune security policy rules to account for App-ID changes included in a content releaseor to add new sanctioned applications to or remove applications from your application whitelist rules.
Related Documentation
Manage New App-IDs Introduced in Content Releases
Manage New App-IDs Introduced in Content Releases Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for ...
Disable or Enable App-IDs
Disable or Enable App-IDs Disable new App-IDs included in a content release to immediately benefit from protection against the latest threats while continuing to have ...
Maintain the Data Center Best Practice Rulebase
As conditions in your data center change, update the Security policy rulebase accordingly. Modify rules to control new and modified applications, protect new servers and ...
Prepare Policy Updates for Pending App-IDs
Prepare Policy Updates for Pending App-IDs You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required you to ...
Review New App-ID Impact on Existing Policy Rules
Review New App-ID Impact on Existing Policy Rules Select Device Dynamic Updates . You can review the policy impact of new content release versions that ...
Review New App-IDs Since Last Content Version
Review New App-IDs Since Last Content Version Select Device Dynamic Updates and select Check Now to refresh the list of available content updates. Download the ...
Review New App-IDs
Review New App-IDs Review new App-ID signatures introduced in a Applications and/or Threats content update. For each new application signature introduced, you can preview the ...
App-ID
App-ID To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both an application and web perspective—App-ID and URL Filtering—to protect ...