Although it is extremely unlikely, it is possible that ACE App-IDs may need to be rolled back (reverted) because of bad metadata or issues with applications. If ACE must revert App-IDs and you used those App-IDs in a Security policy rule (directly or in an Application Group), commit actions fail until those applications are removed from Security policy rules and from objects.

If it becomes necessary to roll back App-IDs, ACE reverts all of the most recently delivered cloud-based App-IDs, signatures, metadata, categories, subcategories, and tags from the ACE catalog. Removing the App-IDs from the catalog removes them from the firewall, which is why the commit action fails when the App-IDs are used in Security policy.

When you attempt to commit a configuration after an ACE content rollback, the commit failure message lists the applications that ACE reverted, as in this example Validation Error:

To fix the issue, you must remove the listed applications from Security policy rules, regardless of whether they were added directly to a rule or were added using an Application Group. If the application is used in an Application Group, remove it from the Application Group.

In this example, content-qa-test-2 is the reverted application, which is referenced in the Application Group content-qa-test-apps. After you remove content-qa-test-2 from the Application Group, commit actions succeed.