Maintain the Rulebase

Because applications are always evolving, your application whitelist will need to evolve as well. Each time you change which applications you sanction, you must make a corresponding policy change. When you do, instead of just adding a new rule as you would with a port-based policy, identify and modify the rule that aligns with the business use case for the application. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter.
Additionally, installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing Security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
  1. Before installing a new content release version, review the new App-IDs to determine if there is policy impact.
  2. Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
  3. Tune security policy rules to account for App-ID changes included in a content release, or to add newly sanctioned applications to, or remove applications from, your application whitelist rules.
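
The pre-install review in steps 1 and 3 can be reasoned about with a small model. The following is an added example, not code from the product or its documentation. It assumes a simplified rulebase that matches on application only (real rules also match zones, addresses, users and services), and the rule names, App-ID names and the mapping from each new App-ID to the App-ID its traffic matched before are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset  # App-IDs the rule matches; an empty set models "any"
    action: str              # "allow" or "deny"

# Constructed sample data: rule names and App-ID names are illustrative only.
RULEBASE = [
    Rule("sanctioned-saas", frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("it-admin-tools", frozenset({"ssh", "ms-rdp"}), "allow"),
    Rule("deny-all", frozenset(), "deny"),
]
# Assumed input: new App-ID -> App-ID that the same traffic matched before the release.
NEW_APP_IDS = {"example-crm-upload": "ssl", "example-chat": "web-browsing"}

def first_match(rulebase, app_id):
    """Top-down evaluation: return the first rule whose application list matches."""
    for rule in rulebase:
        if not rule.applications or app_id in rule.applications:
            return rule
    return None  # no catch-all rule present

def policy_impact(rulebase, new_app_ids):
    """List new App-IDs whose traffic would hit a different rule after install."""
    findings = []
    for new_app, previous_app in sorted(new_app_ids.items()):
        before = first_match(rulebase, previous_app)
        after = first_match(rulebase, new_app)
        if before != after:
            findings.append({"app": new_app,
                             "before": (before.name, before.action) if before else None,
                             "after": (after.name, after.action) if after else None})
    return findings

def stage_update(rulebase, rule_name, new_app):
    """Return a copy of the rulebase with new_app added to an existing rule."""
    return [Rule(r.name, r.applications | {new_app}, r.action)
            if r.name == rule_name else r for r in rulebase]

if __name__ == "__main__":
    for f in policy_impact(RULEBASE, NEW_APP_IDS):
        print(f"{f['app']}: {f['before']} -> {f['after']}")
    staged = stage_update(RULEBASE, "sanctioned-saas", "example-crm-upload")
    print("still impacted after staging:",
          [f["app"] for f in policy_impact(staged, NEW_APP_IDS)])
```

Each finding is a sanctioned flow that would fall through to the deny rule once the new App-ID is enabled; staging the new App-ID into the existing business-aligned rule removes the finding without adding a rule.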
