: Applications and Threats Content Updates
Focus
Focus

Applications and Threats Content Updates

Table of Contents
End-of-Life (EoL)

Applications and Threats Content Updates

Applications and Threats content updates equip Palo Alto Networks next-gen firewalls with the very latest threat prevention and application identification technology.
Applications and Threats content updates deliver the very latest application and threat signatures to the firewall. The applications portion of the package includes new and modified App-IDs and does not require a license. The full Applications and Threats content package, which also includes new and modified threat signatures, requires a Threat Prevention license. As the firewall automatically retrieves and installs the latest application and threat signatures (based on your custom settings), it starts enforcing security policy based on the latest App-IDs and threat protection without any additional configuration.
New and modified threat signatures and modified App-IDs are released at least weekly and, often, more frequently. New App-IDs are released on the third Tuesday of every month.
In rare cases, publication of the update that contains new App-IDs may be delayed one or two days.
Because new App-IDs can change how the security policy enforces traffic, this more limited release of new App-IDs is intended to provide you with a predictable window in which you can prepare and update your security policy. Additionally, content updates are cumulative; this means that the latest content update always includes the application and threat signatures released in previous versions.
Because application and threat signatures are delivered in a single package—the same decoders that enable application signatures to identify applications also enable threat signatures to inspect traffic—you need to consider whether you want to deploy the signatures together or separately. How you choose to deploy content updates depends on your organization’s network security and application availability requirements. As a starting point, identify your organization as having one of the following postures (or perhaps both, depending on firewall location):
  • An organization with a security-first posture prioritizes protection using the latest threat signatures over application availability. You’re primarily using the firewall for its threat prevention capabilities. Any changes to App-ID that impact how security policy enforces application traffic is secondary.
  • A mission-critical network prioritizes application availability over protection using the latest threat signatures. Your network has zero tolerance for downtime. The firewall is deployed inline to enforce security policy and if you’re using App-ID in security policy, any change a content releases introduces that affects App-ID could cause downtime.
You can take a mission-critical or security-first approach to deploying content updates, or you can apply a mix of both approaches to meet the needs of the business. Review and consider Best Practices for Applications and Threats Content Updates to decide how you want to implement application and threat updates. Then:
While scheduling content updates is a one-time or infrequent task, after you’ve set the schedule, you’ll need to continue to Manage New and Modified App-IDs that are included in content releases, as these App-IDs can change how security policy is enforced.