App-ID Cloud Engine

The App-ID Cloud Engine (ACE) is a new service that enables the firewall or Panorama to download App-IDs from the cloud for applications that do not have specific predefined App-IDs from the Palo Alto Networks content team. These are the applications that the firewall identifies as ssl, web-browsing, unknown-tcp, or unknown-udp traffic. Use ACE App-IDs in Security policy rules to gain visibility into and control those applications and use Policy Optimizer to add and manage applications in Security policy. You cannot use ACE App-IDs in any other types of policy rules. ACE:
  • Vastly increases the number of known App-IDs to identify and control applications. As ACE defines new App-IDs for applications, they become available on the firewall.
  • Speeds up the availability and delivery of new App-IDs to the firewall.
  • Speeds up and can automate the addition of applications to Security policy through the use of Application Filters in Security policy rules.
  • Dramatically increases visibility into applications that previously were identified as ssl, web-browsing, unknown-tcp, or unknown-udp.
ACE requires a SaaS Security Inline subscription. Each appliance that uses ACE must have a valid device certificate installed.
All hardware platforms that support PAN-OS 10.1 or later support ACE and all appliances on which you want to use ACE require PAN-OS 10.1 or later. Panorama cannot push and commit ACE-based polices or objects to firewalls that don’t have a SaaS Security Inline license installed or to firewalls that run an earlier version of PAN-OS than 10.1.
ACE is supported in the US, APAC, and EU GCP regions. The region is selected automatically based on your CDL region.
Verify that the firewall uses the correct Content Cloud FQDN (
Device
Setup
Content-ID
Content Cloud Setting
) for your region and change the FQDN if necessary:
  • US—
    hawkeye.services-edge.paltoaltonetworks.com
  • EU—
    eu.hawkeye.services-edge.paltoaltonetworks.com
  • APAC—
    apac.hawkeye.services-edge.paltoaltonetworks.com
ACE data, including traffic payloads, is sent to the servers in the selected region. If you specify a Content Cloud FQDN that is outside of your region (for example, if you are in the EU region but you specify the APAC region FQDN), you may break your country’s or your organization’s privacy and legal regulations.
Predefined content-delivered App-ID delivers new applications once per month and you need to analyze the new App-IDs before you install them to understand changes that they may make to Security policy rules. The monthly cadence and need for analysis slows down the adoption of new App-IDs in policy. Although Palo Alto Networks will continue to provide new App-IDs via monthly content updates that you need to review, ACE improves the adoption of new App-IDs by providing on-demand App-IDs for applications initially identified as any of the following four types:
  • ssl
    —Encrypted SSL traffic is by far the most common type of network traffic, with most experts claiming that it exceeds 90% of total traffic. If you don’t or can’t decrypt that traffic, the firewall often can only identify it as ssl instead of as the actual underlying application.
  • web-browsing
    —The firewall can’t specifically identify some unencrypted web-browsing traffic because there are so many applications that content-delivered App-ID can’t keep up with the ever-increasing amount.
  • unknown-tcp
    and
    unknown-udp
    —This traffic may be internal or custom applications or unknown external applications. It’s important to identify that traffic by its specific App-ID so that you can make intelligent access decisions and construct appropriate Security policy rules to control and inspect the traffic.
ACE provides specific identification of these applications, which enables you to understand them and control them appropriately in policy.
ACE App-IDs do not identify other types of public applications and do not identify private and custom applications. The ACE App-ID catalog does not contain predefined, content-provided App-IDs. Content-provided App-IDs still arrive monthly in content updates.
When the firewall encounters ssl, web-browsing, unknown-tcp, or unknown-udp traffic, the firewall sends the payload to ACE for analysis. If there is a matching App-ID in the ACE database, ACE returns the App-ID to the requesting firewall. If ACE has no matching App-ID for the traffic, ACE sends the payload to the Machine Learning (ML) engine. The ML engine analyzes the payload and develops the new App-ID in conjunction with the human content team and drops traffic that isn’t related to applications. When development finishes, the ML engine uploads new App-ID to the ACE database, and the requesting firewall (and any other firewalls) can download the App-ID and use it in Security policy.
Because it can take several minutes to retrieve an application from ACE for which it has an App-ID and longer if a new App-ID must be developed, cloud application detection is not inline on the firewall. The firewall does not wait for a verdict to process the application traffic. The firewall processes the traffic as ssl, web-browsing, unknown-tcp, or unknown-udp until it receives an App-ID from ACE and then continues to process the traffic in that way until you receive the new App-ID and use it in Security policy.
If you downgrade a firewall or Panorama after ACE has been enabled and ACE cloud App-IDs are still in use in Security policy rules or Application Groups, the downgrade fails. The fail reason lists the objects that you need to remove from the configuration in order to downgrade. Remove those objects from the configuration and
Commit
the configuration, and then the downgrade will succeed.

Recommended For You