Because applications are always evolving, your application whitelist will need to evolve also. Each time you make a change in what applications you sanction, you must make a corresponding policy change. As you do this, instead of just adding a new rule like you would do with a port-based policy, instead identify and modify the rule that aligns with the business use case for the application. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.

Additionally, installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing Security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.