App-ID Cloud Engine
App-ID Cloud Engine (ACE) works with SaaS Security Inline.
App-ID Cloud Engine (ACE) is a new service
that enables the firewall or Panorama to download App-IDs for unknown
SaaS applications from the cloud. ACE converts unknown applications
to known applications, vastly increases the number of known App-IDs,
speeds up the availability and delivery of new App-IDs, and dramatically
increases visibility into applications that previously did not have
specific App-IDs.
Traditional, content-delivered App-ID delivers new applications only
once per month, and you need to analyze the new App-IDs before you
install them to understand changes that they may make to Security
policy rules. The monthly cadence and the need for analysis slow down
the adoption of new App-IDs in policy. ACE changes that scenario
by providing on-demand App-IDs for SaaS applications identified
as:
ssl
web-browsing
unknown-tcp
unknown-udp
Cloud-delivered App-IDs do not identify other types of
public applications and do not identify private and custom applications.
Cloud-delivered App-ID provides specific identification of ssl,
web-browsing, unknown-tcp, and unknown-udp applications, which enables
you to understand them and control them appropriately in policy.
The firewall handles cloud App-IDs differently than it handles content-delivered
App-IDs. Cloud App-IDs do not force you to examine how the new App-IDs
affect Security policy because the firewall uses them according
to previously existing Security policy until you do one of the following:
Create Application Filters to automate adding downloaded
cloud-delivered App-IDs to Security policy.
Use Application Filters as often as possible
to automate adding new cloud-delivered App-IDs to Security policy
rules. When a new App-ID matches an Application Filter, it is automatically
added to the filter. When you use an Application Filter in a Security
policy rule, the rule automatically controls the application traffic
for App-IDs that have been added to the filter. In other words,
Application Filters are your “Easy Button” for securing cloud-delivered
App-IDs automatically to gain maximum visibility and control with
minimum effort.
Use Policy Optimizer to add
the App-IDs to a cloned rule or to an existing rule, or to an existing
Application Filter or Application Group. You can also use Policy
Optimizer to create new Application Filters and Application Groups
directly from within the Policy Optimizer tool.
Install the SaaS Security Inline license.
Connect to the ACE cloud and download ACE App-IDs.
Use ACE App-IDs in Security policy to gain visibility and
control over applications that were previously identified only as
ssl, web-browsing, unknown-tcp, and unknown-udp traffic.