Focus

Next-Generation Firewall

Monitor Impacted Rules and Applications

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Prevent Service Disruptions Using App-ID Update Safeguard

Use Application Objects in Policy

Monitor Impacted Rules and Applications

Use the ACC to isolate and audit traffic based on legacy App-ID classifications, helping administrators refine security policies during App-ID Safeguard transitions.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama) NGFW (Managed by PAN-OS or Panorama)	This is a core Network Security feature for NGFWs and Prisma Access; no prerequisites needed.

To manage transitions when using App-ID Safeguard, the ACC (Application Command Center) includes two dedicated widgets: Applications Allowed by Previous App-ID and Rules Allowing Apps based on Previous App-ID. These widgets function as a diagnostic lens, filtering out the noise of standard traffic to show you exactly where your policy might be overly permissive or relying on legacy classifications. This provides a specialized view within the ACC to initiate an audit of your rulebase.

Similar to the standard Application Usage widget, it displays a breakdown of applications and session counts. However, it specifically isolates sessions where the security rule match was triggered by the pre-transition App-ID.

Access the NGFW Application Command Center.
Create a dedicated ACC custom tab to monitor Previous App-IDs or select and edit an existing tab to add App-ID Safeguard widgets.
Add the Applications Allowed by Previous App-ID and Rules Allowing Apps Based on Previous App-ID to the custom (or previously existing) ACC tab and click OK. If you are creating a new Custom Tab, you must also provide a Tab Name.

If the App-ID Safeguard feature is disabled in your Content-ID settings, these widgets will remain empty.
Review the App-ID Safeguard widget to investigate the applications that are allowed by the Previous App-ID functionality.
- Applications Allowed by Previous App-ID
  - Generates a list of new and modified applications (App-IDs) that are allowed as a result of the Previous App-IDs that are allowed in the current security policy rule.
- Rules Allowing Apps Based on Previous App-ID
  - Displays the security policy rules that allowed the traffic to pass by leveraging new and modified applications (App-IDs).
  - Each Rule entry includes a Previous App-ID that is currently specified in the security policy rule.
  - The Previous App-ID corresponds to an Application that has been allowed due to the Previous App-IDs that are specified in the security policy rule.

Prevent Service Disruptions Using App-ID Update Safeguard

Use Application Objects in Policy

Next-Generation Firewall Docs

Monitor Impacted Rules and Applications

Next-Generation Firewall Docs

Monitor Impacted Rules and Applications

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner