Impact of License Expiration or Disabling ACE

If you enable App-ID Cloud Engine (ACE) on a firewall, download ACE App-IDs to the firewall, and then use those App-IDs in objects such as Application Filters and in Security policy rules, you need to understand what happens if the SaaS Security Inline license expires or if you disable ACE. Both events affect downloaded ACE App-IDs, the catalog of ACE App-IDs, Security policy rules that control ACE App-IDs, and objects that include ACE App-IDs. The effect is the same in both cases unless otherwise noted:
  • ACE App-IDs remain on the firewall, but the firewall stops enforcing ACE App-IDs in Security policy.
    Security policy rules that control ACE App-IDs no longer control ACE App-IDs even though they are visible in the rule. Traffic that was controlled by ssl, web-browsing, unknown-tcp, or unknown-udp rules before ACE was enabled on the firewall is controlled by those rules again until you update and activate the SaaS Security Inline license and/or re-enable ACE or change those rules.
  • Enforcement of Security policy rules based on ACE App-IDs stops within 4-6 hours of the license expiring (based on a timer that periodically checks license status).
    Enforcement of Security policy rules based on ACE App-IDs stops immediately after you commit the change that disables ACE on the firewall.
    Disabling ACE stops enforcing Security policy rules based on ACE App-IDs as soon as you commit the change even if the SaaS Security Inline license is still valid and active.
  • The catalog of ACE App-IDs remains on the firewall and on Panorama but the cloud engine no longer updates the catalog.
  • The connection from the firewall to ACE no longer functions. If you re-enable ACE or renew the SaaS Security Inline license, it may take some time to download all of the catalog updates.
  • If the SaaS Security Inline license expires, the ACE service stops working within 4-6 hours.
    Panorama doesn’t require a SaaS Security Inline license, so there is no license to expire on Panorama. However, when the license expires on managed firewalls, configuration pushes to those firewalls from Panorama fail if they contain ACE configurations in Security policy or in Application Groups.
  • Objects such as Application Filters and Application Groups are not changed, but any ACE App-IDs that you placed in those objects are no longer enforced even though the ACE App-IDs are still visible.
  • If you are using SaaS Policy Recommendation, the firewall can no longer pull SaaS policy recommendations, so the SaaS administrator cannot push new policy recommendations to the firewall. Policy recommendations that were downloaded before license expiration remain in the configuration but they are not enforced (same behavior as Security policies configured with ACE App-IDs when the license expires or ACE is disabled).
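
A pre-expiry audit of the exposure described in the list above, as an added example that is not Palo Alto Networks code: it finds Security policy rules and Application Groups that depend on ACE App-IDs, directly or through nested groups, and computes the 4-6 hour window after license expiry in which their enforcement stops. The rulebase model, the rule and group names, and the App-ID names are constructed for illustration and are not PAN-OS configuration syntax.

```python
from datetime import timedelta

# Constructed sample data (hypothetical names). ACE_APP_IDS stands in for the
# set of App-IDs the firewall downloaded from ACE.
ACE_APP_IDS = {"example-saas-upload", "example-saas-share"}
APP_GROUPS = {
    "risky-saas": ["example-saas-share", "file-sharing"],
    "file-sharing": ["example-saas-upload"],
    "baseline-web": ["ssl", "web-browsing"],
}
RULES = [
    {"name": "block-saas-upload", "action": "deny", "applications": ["example-saas-upload"]},
    {"name": "block-risky-group", "action": "deny", "applications": ["risky-saas"]},
    {"name": "allow-web", "action": "allow", "applications": ["baseline-web"]},
]

def expand(app, groups, seen=None):
    """Resolve an application or (nested) Application Group to leaf App-ID names."""
    seen = set() if seen is None else seen
    if app in seen:  # guard against group cycles
        return set()
    seen.add(app)
    if app not in groups:
        return {app}
    leaves = set()
    for member in groups[app]:
        leaves |= expand(member, groups, seen)
    return leaves

def audit(rules, groups, ace_ids):
    """Rules that stop matching as intended once ACE App-IDs are no longer enforced."""
    findings = []
    for rule in rules:
        leaves = set()
        for app in rule["applications"]:
            leaves |= expand(app, groups)
        hit = sorted(leaves & ace_ids)
        if hit:
            findings.append({"rule": rule["name"], "action": rule["action"],
                             "ace_app_ids": hit})
    return findings

def groups_with_ace(groups, ace_ids):
    """Application Groups containing ACE App-IDs (relevant to Panorama pushes)."""
    return sorted(g for g in groups if expand(g, groups) & ace_ids)

def enforcement_stop_window(license_expiry):
    """Earliest and latest time enforcement stops after expiry (4-6 hours)."""
    return license_expiry + timedelta(hours=4), license_expiry + timedelta(hours=6)
```

Deny rules in the findings deserve the closest review, because the traffic they blocked is again handled by whatever ssl, web-browsing, unknown-tcp, or unknown-udp rules exist.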
