End-of-Life (EoL)

Prepare Policy Updates for Pending App-IDs

You can now stage seamless policy updates for new App-IDs. Releases prior to PAN-OS 7.0 required you to install new App-IDs (delivered as part of a content release) and only then make the necessary policy updates. This left a window during which newly identified application traffic was not enforced as intended: it no longer matched the existing rules it had matched before being uniquely identified, and the rules that would reference the new App-ID had yet to be created or modified.
Pending App-IDs can now be added to policy rules to prevent the gap in enforcement that could otherwise occur between installing a content release and updating security policy. A pending App-ID is one that has been manually disabled, or one that is included in a content release that has been downloaded to the firewall but not yet installed. Pending App-IDs can be used to update policies both before and after installing a new content release. Although they can be referenced in policy rules, pending App-IDs are not enforced until they are both installed and enabled on the firewall.
The names of App-IDs that have been manually disabled are displayed in gray italics to indicate the disabled status:
  • Disabled App-ID listed on the Objects > Applications page [image: disabled-app.png]
  • Disabled App-ID included in a Security policy rule [image: disabled-app-policy.png]
App-IDs that are included in a downloaded but not yet installed content release version can show an App-ID status of enabled, but they are not enforced until that content release version is installed.
  • Install the content release version now and then update policies.
    Do this to benefit from new threat signatures immediately, while you review the new application signatures and update your policies.
    1. Select Device > Dynamic Updates and Download the latest content release version.
    2. Review New App-ID Impact on Existing Policy Rules to assess the policy impact of the new App-IDs.
    3. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue with the installation. The threat signatures included in the content release are installed and take effect immediately, while new or updated App-IDs remain disabled. If you leave the check box cleared, the new App-IDs are active as soon as the content is installed, and the traffic they identify is matched against your existing rules right away.
    4. Select Policies and update the Security, QoS, and Policy Based Forwarding rules to match and enforce the now uniquely identified application traffic, using the pending App-IDs.
    5. Select Objects > Applications, select one or more disabled App-IDs, and click Enable.
    6. Commit your changes to seamlessly update policy enforcement for the new App-IDs.
  • Update policies now and then install the content release version.
    1. Select Device > Dynamic Updates and Download the latest content release version.
    2. Review New App-ID Impact on Existing Policy Rules to assess the policy impact of the new App-IDs.
    3. While reviewing the policy impact of a new App-ID, use the Policy Review based on candidate configuration dialog to add the new App-ID to existing policy rules (add icon: add_icon.png). The new App-ID is added to the existing rules as a disabled App-ID.
    4. Continue to review the policy impact of every App-ID included in the latest content release version by selecting each App-ID in the Applications drop-down, adding the new App-IDs to existing rules as needed. Click OK to save your changes.
    5. Install the latest content release version.
    6. Commit your changes to seamlessly update policy enforcement for the new App-IDs.
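Both procedures above are written for the web interface. The following is an added example, not code from the PAN-OS documentation or from Palo Alto Networks, showing how the download and install steps of the first procedure can be driven through the PAN-OS XML API so that a content release is installed with its new App-IDs left disabled (the API counterpart of the Disable new apps in content update check box), while the rule updates, the enabling of the App-IDs and the commit remain a separate, reviewed change. The /api/ endpoint, the type=op and type=commit parameters, the request content upgrade download/install commands and polling with show jobs are standard PAN-OS XML API usage; the <disable-new-content> element is an assumption about how the check box is expressed in an op command and must be confirmed on your firewall (debug cli on in the CLI prints the XML form of any command). The PanXmlApi class, the function names and the sample replies are constructed for this example.

```python
"""Stage a PAN-OS content update with new App-IDs left disabled, via the XML API.

Added example; not code from the PAN-OS documentation or from Palo Alto Networks.
Anything marked ASSUMPTION is not confirmed by the page and should be checked
against your firewall (for example with 'debug cli on' in the CLI, which prints
the XML form of each command you type).
"""
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


# ---- op-command builders: pure functions, usable offline --------------------

def download_latest_cmd() -> str:
    """XML form of 'request content upgrade download latest'."""
    return ("<request><content><upgrade><download><latest/></download>"
            "</upgrade></content></request>")


def install_latest_cmd(disable_new_apps: bool = True) -> str:
    """XML form of 'request content upgrade install version latest'.

    With disable_new_apps=True the install is asked to leave new and updated
    App-IDs disabled, so only the threat signatures take effect (the counterpart
    of the 'Disable new apps in content update' check box).
    ASSUMPTION: the element name <disable-new-content> is not confirmed by the
    documentation page; verify it on your PAN-OS version before relying on it.
    """
    flag = "<disable-new-content>yes</disable-new-content>" if disable_new_apps else ""
    return ("<request><content><upgrade><install><version>latest</version>"
            f"{flag}</install></upgrade></content></request>")


def show_job_cmd(job_id: str) -> str:
    """XML form of 'show jobs id <job_id>'."""
    return f"<show><jobs><id>{job_id}</id></jobs></show>"


# ---- response parsing -----------------------------------------------------------

def parse_enqueued_job(xml_text: str) -> str:
    """Return the job id from a 'job enqueued' reply; raise on an API error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + " ".join(root.itertext()).strip())
    job_id = root.findtext("./result/job")
    if not job_id:
        raise RuntimeError("reply carried no job id")
    return job_id


def parse_job_state(xml_text: str) -> tuple:
    """Return (status, result) from a 'show jobs id' reply, e.g. ('FIN', 'OK')."""
    job = ET.fromstring(xml_text).find("./result/job")
    if job is None:
        raise RuntimeError("reply carried no job element")
    return job.findtext("status", ""), job.findtext("result", "")


# Constructed sample replies with the shape of real PAN-OS responses (not captured
# from a device); they let the parsers be exercised without a firewall.
SAMPLE_ENQUEUED = ('<response status="success"><result><msg><line>Download job '
                   'enqueued with jobid 42</line></msg><job>42</job></result></response>')
SAMPLE_JOB_DONE = ('<response status="success"><result><job><id>42</id><type>Downld'
                   '</type><status>FIN</status><result>OK</result></job></result></response>')


# ---- transport: only this part talks to a firewall ------------------------------

class PanXmlApi:
    """Minimal XML API client (hypothetical helper, not a PAN-OS SDK class).
    api_key comes from type=keygen or from the web interface."""

    def __init__(self, host: str, api_key: str):
        self.base = f"https://{host}/api/"
        self.key = api_key

    def _get(self, params: dict) -> str:
        params["key"] = self.key
        with urllib.request.urlopen(self.base + "?" + urllib.parse.urlencode(params)) as r:
            return r.read().decode()

    def op(self, cmd: str) -> str:
        return self._get({"type": "op", "cmd": cmd})

    def commit(self) -> str:
        return self._get({"type": "commit", "cmd": "<commit></commit>"})

    def wait(self, job_id: str, poll: float = 5.0, timeout: float = 900.0) -> None:
        """Poll 'show jobs id' until the job finishes; raise if it did not end OK."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            status, result = parse_job_state(self.op(show_job_cmd(job_id)))
            if status == "FIN":
                if result != "OK":
                    raise RuntimeError(f"job {job_id} finished with result {result!r}")
                return
            time.sleep(poll)
        raise TimeoutError(f"job {job_id} did not finish within {timeout}s")


def stage_content_update(api: PanXmlApi) -> None:
    """Steps 1 and 3 of the 'install now, update policies later' procedure:
    download the latest content, then install it with new App-IDs disabled.
    Updating rules, enabling the App-IDs and the final commit stay a separate,
    reviewed change; nothing in this function commits."""
    api.wait(parse_enqueued_job(api.op(download_latest_cmd())))
    api.wait(parse_enqueued_job(api.op(install_latest_cmd(disable_new_apps=True))))


if __name__ == "__main__":
    # Offline self-check on the constructed samples; no firewall is contacted.
    assert parse_enqueued_job(SAMPLE_ENQUEUED) == "42"
    assert parse_job_state(SAMPLE_JOB_DONE) == ("FIN", "OK")
    print(install_latest_cmd())
```

Two practical points: urlopen rejects the self-signed certificate a freshly installed firewall presents on its management interface, and the right fix is to trust the management certificate or issue one from your CA rather than to turn verification off; and passing the API key as a query parameter, as here, leaves it in proxy and web-server logs, so prefer sending it in the X-PAN-KEY request header on releases that support it. After the script runs, the install is in place with the new App-IDs still disabled, which is exactly the state in which steps 4 to 6 of the first procedure (update rules, Enable the App-IDs, Commit) are carried out.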