Because applications are always evolving,
your application whitelist will need to evolve also. Each time you
make a change in what applications you sanction, you must make a
corresponding policy change. As you do this, instead of simply adding
a new rule as you would with a port-based policy, identify
and modify the rule that aligns with the business use case for the
application. Because the best practice rules leverage policy objects
for simplified administration, adding support for a new application
or removing an application from your whitelist typically means modifying
the corresponding application group or application filter accordingly.
Installing new App-IDs included in a content release version can
sometimes change policy enforcement for applications
with new or modified App-IDs. Therefore, before installing a new
content release, review the policy impact for new App-IDs and stage
any necessary policy updates. Assess the treatment an application receives
both before and after the new content is installed. You can then
modify existing Security policy rules using the new App-IDs contained
in a downloaded content release (prior to installing the App-IDs).
This enables you to simultaneously update your security policy rules
and install new content, and allows for a seamless shift in policy
enforcement. Alternatively, you can choose to disable new App-IDs
when installing a new content release version; this enables protection
against the latest threats, while giving you the flexibility to
enable the new App-IDs after you've had the chance to prepare any
Before installing a new content release version, review the new App-IDs to determine
whether they have a policy impact.
Disable new App-IDs introduced in a content
release so that you immediately benefit from protection against
the latest threats while retaining the flexibility to
enable the App-IDs later, after preparing the necessary policy updates. You can
disable all App-IDs introduced in a content release, set scheduled
content updates to automatically disable new App-IDs, or disable
App-IDs for specific applications.
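The policy-impact review described above (compare how traffic is treated before and after a content release, then update the application group that models the business use case rather than adding a rule) can be modelled with a small simulator. This is an added example, not vendor code or a PAN-OS API call; the rulebase, application groups and "new App-ID" entries are constructed sample data, and the assumption that each new App-ID records the App-ID the traffic was previously identified as is part of the model.

```python
"""Constructed model of a content-release policy impact review.
Rule, group and App-ID names below are sample data, not real policy."""
from copy import deepcopy

DEFAULT_ACTION = "deny"  # implicit default at the end of the rulebase

# Application groups (policy objects) that back the whitelist (constructed)
APP_GROUPS = {
    "sanctioned-web": {"web-browsing", "ssl"},
    "sanctioned-collab": {"ms-office365", "zoom-base"},
}

# Rulebase, evaluated top-down, first match wins (constructed)
RULES = [
    {"name": "allow-web", "apps": {"sanctioned-web"}, "action": "allow"},
    {"name": "allow-collab", "apps": {"sanctioned-collab"}, "action": "allow"},
]

# New App-IDs from a content release (constructed); each records the App-ID
# the same traffic was classified as before the release (assumed field).
NEW_APP_IDS = [
    {"name": "acme-docs", "previously_identified_as": "web-browsing"},
    {"name": "acme-chat", "previously_identified_as": "zoom-base"},
]

def expand(apps, groups):
    """Flatten rule members: a group name becomes its member App-IDs."""
    out = set()
    for a in apps:
        out |= groups.get(a, {a})
    return out

def evaluate(app, rules, groups):
    """Return the action the rulebase applies to traffic identified as app."""
    for rule in rules:
        if app in expand(rule["apps"], groups):
            return rule["action"]
    return DEFAULT_ACTION

def policy_impact(new_app_ids, rules, groups):
    """List (app, before, after) for every new App-ID whose enforcement
    would change once the content release is installed."""
    changes = []
    for new in new_app_ids:
        before = evaluate(new["previously_identified_as"], rules, groups)
        after = evaluate(new["name"], rules, groups)
        if before != after:
            changes.append((new["name"], before, after))
    return changes

def stage_group_update(groups, group_name, app):
    """Stage the fix the text recommends: add the App-ID to the group that
    models its business use case. Returns a new mapping; original untouched."""
    staged = deepcopy(groups)
    staged.setdefault(group_name, set()).add(app)
    return staged
```

Running `policy_impact` against the current rulebase shows which new App-IDs would silently flip from allow to deny; staging them into the matching group and re-running it should return an empty list before the content is installed.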