Palo Alto Networks Security policies typically rely on the specific state of App-ID™
signatures at the time of configuration. When Palo Alto Networks makes content
updates that modify existing App-IDs or introduce new ones, traffic that was
previously allowed might be unintentionally blocked, or otherwise produce unexpected
behavior, because your security rules do not yet recognize the new signature
definition. This potential for disruption can delay the adoption of new threat
protection content as well as introduce additional processes.

You can now enable App-ID Update Safeguard through the NGFW or Panorama® to maintain
policy intent during these updates. With this feature enabled, the firewall references
a new Previous App-ID attribute to determine enforcement. If traffic matches a new or
modified App-ID that is not explicitly defined in your policy, the firewall checks its
previous identity. If, for example, the previous App-ID was allowed, the traffic remains
allowed, ensuring business continuity while you review the changes.
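
The fallback described above can be modelled in a few lines. This is an added illustration, not Palo Alto Networks code or the PAN-OS implementation: it matches rules on application only, assumes unmatched traffic is denied, assumes a previously denied App-ID stays denied in the same way, and uses constructed App-ID and rule names. It also lists which new App-IDs are being enforced through their previous identity, which is the set to review after a content update.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset  # App-IDs the rule names explicitly
    action: str      # "allow" or "deny"

def first_match(rules, app):
    """Top-down: first rule that explicitly names this App-ID, else None."""
    return next((r for r in rules if app in r.apps), None)

def evaluate(rules, app, previous_app=None, safeguard=True):
    """Return (action, rule name, matched_on) for a session identified as `app`."""
    rule = first_match(rules, app)
    if rule:
        return rule.action, rule.name, "current"
    # App-ID not named in any rule: fall back to its identity before the update.
    if safeguard and previous_app:
        rule = first_match(rules, previous_app)
        if rule:
            return rule.action, rule.name, "previous"
    return "deny", "implicit-deny", "none"  # assumption: unmatched traffic is denied

def review_list(rules, update):
    """App-IDs from a content update whose verdict rests on the previous App-ID."""
    pending = []
    for app, previous_app in update.items():
        action, rule, matched_on = evaluate(rules, app, previous_app)
        if matched_on == "previous":
            pending.append((app, previous_app, rule, action))
    return pending

# Constructed policy and content update (new App-ID -> previous App-ID).
RULES = [
    Rule("allow-collab", frozenset({"acme-chat"}), "allow"),
    Rule("block-p2p", frozenset({"acme-p2p"}), "deny"),
]
UPDATE = {
    "acme-chat-file-transfer": "acme-chat",  # split out of an allowed App-ID
    "acme-p2p-v2": "acme-p2p",               # split out of a denied App-ID
    "acme-newapp": None,                     # brand new, no previous identity
}

if __name__ == "__main__":
    for entry in review_list(RULES, UPDATE):
        print("review:", entry)
```
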