App-ID Cloud Engine (ACE) works with SaaS Security Inline.
App-ID Cloud Engine (ACE) is a new service
that enables the firewall or Panorama to download App-IDs for unknown
SaaS applications from the cloud. ACE converts unknown applications
to known applications, vastly increases the number of known App-IDs,
speeds up the availability and delivery of new App-IDs, and dramatically
increases visibility into applications that previously did not have
Traditional, content-delivered App-ID only delivers new applications
once per month and you need to analyze the new App-IDs before you
install them to understand changes that they may make to Security
policy rules. The monthly cadence and need for analysis slows down
the adoption of new App-IDs in policy. ACE changes that scenario
by providing on-demand App-IDs for SaaS applications identified
Cloud-delivered App-IDs do not identify other types of
public applications and do not identify private and custom applications.
Cloud-delivered App-ID provides specific identification of ssl,
web-browsing, unknown-tcp, and unknown-udp applications, which enables
you to understand them and control them appropriately in policy.
The firewall handles cloud App-IDs differently than it handles content-delivered
App-IDs. Cloud App-IDs do not force you to examine how the new App-IDs
affect Security policy because the firewall uses them according
to previously existing Security policy until you do one of the following:
Create Application Filters to
automate adding downloaded cloud-delivered App-IDs to Security policy.
Use Application Filters as often as possible
to automate adding new cloud-delivered App-IDs to Security policy
rules. When a new App-ID matches an Application Filter, it is automatically
added to the filter. When you use an Application Filter in a Security
policy rule, the rule automatically controls the application traffic
for App-IDs that have been added to the filter. In other words,
Application Filters are your “Easy Button” for securing cloud-delivered
App-IDs automatically to gain maximum visibility and control with
Use Policy Optimizer to add
the App-IDs to a cloned rule or to an existing rule, or to an existing
Application Filter or Application Group. You can also use Policy
Optimizer to create new Application Filters and Application Groups
directly from within the Policy Optimizer tool.