App-ID Cloud Engine
Gain visibility into and specifically identify new cloud
applications with the App-ID Cloud Engine (ACE).
The App-ID Cloud Engine (ACE) is a service
that enables the firewall or Panorama to download App-IDs from the
cloud for applications that do not have specific predefined App-IDs
from the Palo Alto Networks content update team. ACE provides specific
App-IDs for applications that the firewall otherwise identifies
as ssl or web-browsing. Use ACE App-IDs in Security policy rules
to gain visibility into cloud applications and control them. Use
Policy Optimizer to add
and manage applications in Security policy. You cannot use ACE App-IDs
in any other types of policy rules. ACE:
Vastly increases the number of known App-IDs to identify
and control more cloud applications, and as ACE defines new App-IDs
for applications, the ACE App-IDs become available on the firewall.
Speeds up the availability and delivery of new App-IDs to
the firewall.
Speeds up and can automate the addition of applications to
Security policy through the use of Application Filters in Security
policy rules.
Dramatically increases visibility into applications that
previously were identified as ssl or web-browsing.
ACE requires a
SaaS Security Inline subscription. Each
appliance that uses ACE must have a valid device certificate installed.
All
hardware platforms that support PAN-OS 10.1 or later support ACE
and all appliances on which you want to use ACE require PAN-OS 10.1
or later. Panorama cannot push and commit ACE-based polices or objects
to firewalls that don’t have a SaaS Security Inline license installed
or to firewalls that run an earlier version of PAN-OS than 10.1.
ACE is supported in the US, APAC, and EU GCP regions. The region is selected automatically based
on your Strata Logging Service region.
Verify that
the firewall uses the correct Content Cloud FQDN () for
your region and change the FQDN if necessary:
US—hawkeye.services-edge.paloaltonetworks.com
EU—eu.hawkeye.services-edge.paloaltonetworks.com
APAC—apac.hawkeye.services-edge.paloaltonetworks.com
ACE
data, including traffic payloads, is sent to the servers in the
selected region. If you specify a Content Cloud FQDN that is outside
of your region (for example, if you are in the EU region but you
specify the APAC region FQDN), you may violate your country’s or
your organization’s privacy and legal regulations.
Predefined content-delivered App-ID provides new applications
once per month and you need to analyze the new App-IDs before you
install them to understand changes that they may make to Security
policy rules. The monthly cadence and need for analysis slows down
the adoption of new App-IDs in policy. Although Palo Alto Networks
will continue to provide new App-IDs via monthly content updates
that you need to review, ACE improves the adoption of new App-IDs
by providing on-demand App-IDs for applications initially identified
as any of the following two types:
ssl—Encrypted SSL traffic is by
far the most common type of network traffic, with most experts claiming
that it exceeds 90% of total traffic. If you don’t or can’t decrypt
that traffic, the firewall often can only identify it as ssl instead
of as the actual underlying application.
web-browsing—The firewall can’t specifically identify
some unencrypted (web-browsing) traffic because the monthly content-delivered
App-ID updates can’t keep up with all the new applications being
developed every day.
ACE provides specific identification of these applications, which
enables you to understand them and control them appropriately in
Security policy.
ACE App-IDs do not identify other types of public applications and
do not identify private and custom applications. The ACE App-ID
catalog does not contain predefined, content-provided App-IDs. Content-provided
App-IDs still arrive monthly in content updates.
When the firewall encounters ssl or web-browsing traffic, the
firewall sends the payload to ACE for analysis. If it matches an
App-ID in the ACE database, ACE returns the App-ID to the requesting
firewall. If ACE has no matching App-ID for the traffic, ACE sends
the payload to the Machine Learning (ML) engine. The ML engine analyzes
the payload and develops the new App-ID in conjunction with the
human content team. When development finishes, the ML engine uploads
new App-ID to the ACE database, and the requesting firewall (and
any other firewalls) can download the App-ID and use it in Security
policy.
Because it can take several minutes to retrieve a known
application from ACE and longer if a new App-ID must be developed,
cloud application detection is not inline on the firewall. The firewall
does not wait for a verdict to process the application traffic.
The firewall processes the traffic as ssl or web-browsing until
it receives an App-ID from ACE and you use it in Security policy.
If you downgrade a firewall or Panorama after ACE has been enabled
and ACE cloud App-IDs are still in use in Security policy rules
or Application Groups, the downgrade fails. The fail reason lists
the objects that you need to remove from the configuration in order
to downgrade. Remove those objects from the configuration and Commit the
configuration, and then the downgrade will succeed.