Although it is extremely unlikely, ACE App-IDs may need
to be rolled back (reverted) because of bad
metadata or issues with applications. If ACE must revert App-IDs
and you used those App-IDs in a Security policy rule (directly or
in an Application Group), commit actions fail until those applications are
removed from Security policy rules and from objects.

If it becomes necessary to roll back App-IDs, ACE reverts all
of the most recently delivered cloud-based App-IDs, signatures,
metadata, categories, subcategories, and tags from the ACE catalog.
Removing the App-IDs from the catalog removes them from the firewall,
which is why the commit action fails when the App-IDs are used in
Security policy.

If you did not use the applications that ACE had to roll
back in Security policy, there is no impact on the configuration
and commit actions succeed.

When you attempt to commit a configuration after an ACE content
rollback, the commit failure message lists the applications that
ACE reverted, as in this example Validation Error:

To fix the issue, you must remove the listed applications from
Security policy rules, regardless of whether they were added directly
to a rule or were added using an Application Group. If the application
is used in an Application Group, remove it from the Application
Group.

In this example, content-qa-test-2 is
the reverted application, which is referenced in the Application
Group content-qa-test-apps. After you
remove content-qa-test-2 from the Application
Group, commit actions succeed.
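
The script below is an added example, not part of the original documentation or a vendor tool. It takes the application names listed in the commit failure and reports every Application Group and Security policy rule that still references them. The XML element layout, the rule names, and the all-test-apps group are assumptions made for the sample, and following groups nested inside other groups goes beyond the single-group case described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed configuration excerpt. The element layout
# (application-group/entry/members/member and
# rulebase/security/rules/entry/application/member) is an assumption about
# how an exported firewall configuration is structured.
SAMPLE_CONFIG = """
<vsys><entry name="vsys1">
  <application-group>
    <entry name="content-qa-test-apps">
      <members><member>content-qa-test-1</member><member>content-qa-test-2</member></members>
    </entry>
    <entry name="all-test-apps">
      <members><member>content-qa-test-apps</member></members>
    </entry>
  </application-group>
  <rulebase><security><rules>
    <entry name="allow-qa"><application><member>all-test-apps</member></application></entry>
    <entry name="allow-direct"><application><member>content-qa-test-2</member></application></entry>
    <entry name="allow-web"><application><member>web-browsing</member></application></entry>
  </rules></security></rulebase>
</entry></vsys>
"""

def find_reverted_references(config_xml, reverted):
    """Return (groups, rules): groups that list a reverted app directly, and
    rules that reach one directly or through (nested) Application Groups."""
    root = ET.fromstring(config_xml)
    reverted = set(reverted)
    groups = {g.get("name"): {m.text for m in g.findall("./members/member")}
              for g in root.iterfind(".//application-group/entry")}

    def hits(name, seen=frozenset()):
        # Expand one rule or group member into the reverted apps it resolves to.
        if name in reverted:
            return {name}
        if name not in groups or name in seen:  # plain app, or a group cycle
            return set()
        return set().union(*(hits(m, seen | {name}) for m in groups[name]))

    direct_groups = {n: sorted(m & reverted) for n, m in groups.items() if m & reverted}
    rules = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        for m in rule.findall("./application/member"):
            for app in sorted(hits(m.text)):
                # Record (member as written in the rule, reverted app it resolves to).
                rules.setdefault(rule.get("name"), []).append((m.text, app))
    return direct_groups, rules

if __name__ == "__main__":
    print(find_reverted_references(SAMPLE_CONFIG, ["content-qa-test-2"]))
```

The first returned mapping shows which Application Groups to edit, and the second shows which rules are affected and through which member, so each entry is either a direct removal from a rule or a removal from a group.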