Because applications are always evolving,
your application whitelist will need to evolve also. Each time you
make a change in what applications you sanction, you must make a
corresponding policy change. As you do this, do not simply add
a new rule as you would with a port-based policy; instead, identify
and modify the rule that aligns with the business use case for the
application. Because the best practice rules leverage policy objects
for simplified administration, adding support for a new application
or removing an application from your whitelist typically means modifying
the corresponding application group or application filter accordingly.

Installing new App-IDs included in a content release version can
sometimes cause a change in policy enforcement for applications
with new or modified App-IDs. Therefore, before installing a new
content release, review the policy impact for new App-IDs and stage
any necessary policy updates. Assess the treatment
an application receives both before and after the new content is installed.
You can then modify existing Security policy rules using the new
App-IDs contained in a downloaded content release (prior to installing
the App-IDs). This enables you to simultaneously update your security
policy rules and install new content, and allows for a seamless
shift in policy enforcement. Alternatively, you can choose to disable
new App-IDs when installing a new content release version; this enables
protection against the latest threats, while giving you the flexibility
to enable the new App-IDs after you've had the chance to prepare
any policy changes.

Before installing a new content release version, review the new App-IDs to
determine if there is policy impact.

Disable new App-IDs introduced
in a content release, in order to immediately benefit from protection against
the latest threats while continuing to have the flexibility to later
enable App-IDs after preparing necessary policy updates. You can
disable all App-IDs introduced in a content release, set scheduled
content updates to automatically disable new App-IDs, or disable
App-IDs for specific applications.
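The following is an added, constructed simulation of the policy-impact review described above; it is not PAN-OS code or a vendor API. It models Security policy rules built on application groups and application filters, compares the treatment a new App-ID's traffic received before the content release (when it was still identified as its parent App-ID, assumed here to be web-browsing) with the treatment it gets once the new App-ID is installed, and stages the fix by extending the existing application group rather than adding a rule. The example-* App-ID names, the category names and the rulebase are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    name: str
    category: str
    was_identified_as: str = ""  # App-ID this traffic matched before the content release

@dataclass
class Rule:  # Security policy rule built on policy objects, per the best practice
    name: str
    action: str
    app_group: set = field(default_factory=set)   # application group: explicit App-IDs
    app_filter: set = field(default_factory=set)  # application filter: match by category

    def matches(self, app):
        return app.name in self.app_group or app.category in self.app_filter

def first_match(rules, app):
    """Rules evaluate top-down; the first match decides. None means the default deny."""
    return next((r for r in rules if r.matches(app)), None)

def policy_impact(rules, known_apps, new_apps):
    """Compare each new App-ID's treatment before (as its parent App-ID) and after."""
    report = {}
    for app in new_apps:
        before = first_match(rules, known_apps[app.was_identified_as])
        after = first_match(rules, app)
        b = (before.name, before.action) if before else ("<default>", "deny")
        a = (after.name, after.action) if after else ("<default>", "deny")
        if b != a:  # treatment changes: stage a policy update before installing
            report[app.name] = {"before": b, "after": a}
    return report

def stage_group_update(rules, rule_name, app_name):
    """Best-practice change: extend the rule's application group, don't add a new rule."""
    next(r for r in rules if r.name == rule_name).app_group.add(app_name)

# Constructed sample data; the example-* names are illustrative, not real App-IDs.
KNOWN = {"web-browsing": App("web-browsing", "general-internet")}
RULES = [
    Rule("block-file-sharing", "deny", app_filter={"file-sharing"}),
    Rule("allow-collaboration", "allow", app_group={"example-chat"}),
    Rule("allow-general-web", "allow", app_filter={"general-internet"}),
]
NEW_APPS = [  # App-IDs in a downloaded, not yet installed, content release
    App("example-chat-video", "collaboration", was_identified_as="web-browsing"),
    App("example-upload", "file-sharing", was_identified_as="web-browsing"),
    App("example-news", "general-internet", was_identified_as="web-browsing"),
]
```

Running `policy_impact(RULES, KNOWN, NEW_APPS)` flags example-chat-video (it would fall through to the default deny and break a sanctioned use) and example-upload (it would now hit the file-sharing block, an intended tightening worth confirming), while example-news keeps the same rule and is not reported; calling `stage_group_update(RULES, "allow-collaboration", "example-chat-video")` before installing the content keeps that application allowed without adding a rule.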