If you enable App-ID Cloud Engine (ACE) on a firewall, download ACE App-IDs to the firewall, and then use those App-IDs in objects such as Application Filters and in Security policy rules, then you need to understand what happens if the SaaS Security Inline license expires or if you disable ACE.
Disabling ACE and the SaaS Security Inline license expiring both affect downloaded ACE App-IDs, the catalog of ACE App-IDs, Security policy rules that control ACE App-IDs, and objects that include ACE App-IDs. The effect is the same unless otherwise noted:

- ACE App-IDs remain on the firewall, but the firewall stops enforcing ACE App-IDs in Security policy. Security policy rules that control ACE App-IDs no longer control ACE App-IDs even though the App-IDs are still visible in the rule. Traffic that was controlled by ssl, web-browsing, unknown-tcp, or unknown-udp rules before ACE was enabled on the firewall is controlled by those rules again until you update and activate the SaaS Security Inline license and/or re-enable ACE, or change those rules.
  - Enforcement of Security policy rules based on ACE App-IDs stops within 4-6 hours of the license expiring (based on a timer that periodically checks license status).
  - Enforcement of Security policy rules based on ACE App-IDs stops immediately after you commit the change that disables ACE on the firewall. Disabling ACE stops enforcement of those rules as soon as you commit the change, even if the SaaS Security Inline license is still valid and active.
- The catalog of ACE App-IDs remains on the firewall and on Panorama, but the cloud engine no longer updates the catalog. The connection from the firewall to ACE no longer functions. If you re-enable ACE or renew the SaaS Security Inline license, it may take some time to download all of the catalog updates. If the SaaS Security Inline license expires, the ACE service stops working within 4-6 hours.
  - Panorama doesn't require a SaaS Security Inline license, so there is no license to expire on Panorama. However, when the license expires on managed firewalls, configuration pushes to those firewalls from Panorama fail if they contain ACE configurations in Security policy or in Application Groups.
- Objects such as Application Filters and Application Groups are not changed, but any ACE App-IDs that you placed in those objects are no longer enforced even though the ACE App-IDs are still visible.
- If you are using SaaS Policy Recommendation, the firewall can no longer pull SaaS policy recommendations, so the SaaS administrator cannot push new policy recommendations to the firewall. Policy recommendations that were downloaded before license expiration remain in the configuration, but they are not enforced (the same behavior as Security policy rules configured with ACE App-IDs when the license expires or ACE is disabled).
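Because rules that reference ACE App-IDs stop enforcing silently while remaining visible, it helps to know in advance which rules are exposed. The following Python script is an added example, not part of this page or of PAN-OS: it parses an exported PAN-OS configuration and lists the Security policy rules that depend on ACE App-IDs, directly or through an Application Group, alongside the ssl, web-browsing, unknown-tcp and unknown-udp rules that would regain control of that traffic. The ACE App-ID names and the configuration snippet are constructed, and the XML paths assume the standard PAN-OS vsys layout.

```python
import xml.etree.ElementTree as ET

# Constructed names standing in for ACE App-IDs downloaded to the firewall.
ACE_APP_IDS = {"ace-saas-example-1", "ace-saas-example-2"}
# Apps whose rules regain control of the traffic once ACE enforcement stops.
FALLBACK_APPS = {"ssl", "web-browsing", "unknown-tcp", "unknown-udp"}

# Constructed sample of the relevant parts of a PAN-OS vsys configuration.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
  <application-group>
    <entry name="saas-collab"><members>
      <member>ace-saas-example-2</member><member>dns</member>
    </members></entry>
  </application-group>
  <rulebase><security><rules>
    <entry name="block-saas-1"><action>deny</action><application>
      <member>ace-saas-example-1</member></application></entry>
    <entry name="allow-collab"><action>allow</action><application>
      <member>saas-collab</member></application></entry>
    <entry name="allow-web"><action>allow</action><application>
      <member>web-browsing</member><member>ssl</member></application></entry>
    <entry name="allow-dns"><action>allow</action><application>
      <member>dns</member></application></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def audit(config_xml, ace_app_ids=ACE_APP_IDS):
    """Return (ace_rules, fallback_rules): names of Security rules that
    reference ACE App-IDs (directly or via an Application Group) and so stop
    enforcing, and names of rules on the fallback apps that take the traffic."""
    vsys = ET.fromstring(config_xml).find("./devices/entry/vsys/entry")
    groups = {g.get("name"): {m.text for m in g.findall("./members/member")}
              for g in vsys.findall("./application-group/entry")}
    ace_rules, fallback_rules = [], []
    for rule in vsys.findall("./rulebase/security/rules/entry"):
        apps = set()
        for m in rule.findall("./application/member"):
            # Expand one level of Application Group; Application Filters are
            # dynamic and cannot be resolved from the configuration alone.
            apps |= groups.get(m.text, {m.text})
        if apps & ace_app_ids:
            ace_rules.append(rule.get("name"))
        if apps & FALLBACK_APPS:
            fallback_rules.append(rule.get("name"))
    return ace_rules, fallback_rules

if __name__ == "__main__":
    affected, fallback = audit(SAMPLE_CONFIG)
    print("stop enforcing:", affected, "| regain traffic:", fallback)
```

Run it against a real exported configuration and your own list of downloaded ACE App-IDs to see which rules to review before the license lapses or ACE is disabled.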