Prepare Policy Updates for Pending App-IDs

You can now stage seamless policy updates for new App-IDs. In release versions prior to PAN-OS 7.0, you had to install new App-IDs (as part of a content release) before you could make the corresponding policy updates. This left a window during which newly identified application traffic was not enforced as intended: the traffic no longer matched the existing rules it had matched before it was uniquely identified, and the rules that would use the new App-ID had not yet been created or modified.
Pending App-IDs can now be added to policy rules to close the enforcement gap that could otherwise open between installing a content release and updating security policy. Pending App-IDs include App-IDs that have been manually disabled and App-IDs that are downloaded to the firewall but not yet installed. You can use pending App-IDs to update policies either before or after installing a new content release. Although they can be added to policy rules, pending App-IDs are not enforced until they are both installed and enabled on the firewall.
The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled status:
  • Disabled App-ID listed on the Objects > Applications page (figure: disabled-app.png)
  • Disabled App-ID included in a security policy rule (figure: disabled-app-policy.png)
App-IDs that are included in a downloaded content release version might show an App-ID status of enabled, but they are not enforced until the corresponding content release version is installed.
  • To install the content release version now and then update policies:
    Do this to benefit from new threat signatures immediately, while you review new application signatures and update your policies.
    1. Select Device > Dynamic Updates and Download the latest content release version.
    2. Review New App-ID Impact on Existing Policy Rules to assess the policy impact of new App-IDs.
    3. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue to install the content release. Threat signatures included in the content release will be installed and effective, while new or updated App-IDs are disabled.
    4. Select Policies and update Security, QoS, and Policy Based Forwarding rules to match to and enforce the now uniquely identified application traffic, using the pending App-IDs.
    5. Select Objects > Applications, select one or more disabled App-IDs, and click Enable.
    6. Commit your changes to seamlessly update policy enforcement for new App-IDs.
  • To update policies now and then install the content release version:
    1. Select Device > Dynamic Updates and Download the latest content release version.
    2. Review New App-ID Impact on Existing Policy Rules to assess the policy impact of new App-IDs.
    3. While reviewing the policy impact for new App-IDs, you can use the Policy Review based on candidate configuration to add a new App-ID to existing policy rules by clicking the add icon next to the rule. The new App-ID is added to the existing rules as a disabled App-ID.
    4. Continue to review the policy impact for all App-IDs included in the latest content release version by selecting App-IDs in the Applications drop-down. Add the new App-IDs to existing policies as needed. Click OK to save your changes.
    5. Install the latest content release version.
    6. Commit your changes to seamlessly update policy enforcement for new App-IDs.
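As an added worked example (not Palo Alto Networks code, and not taken from this page), the following Python models why a pending App-ID in a rule is harmless until it is installed and enabled, and builds the XML API query strings that correspond to the Download, Install, rule update and Commit steps of either procedure above. The firewall hostname, API key, vsys and rule names, the App-ID names and the content catalog are placeholder assumptions; the "Disable new apps in content update" choice is made in the web interface in step 3 of the first procedure and is only simulated locally here.

```python
# Added example (not Palo Alto Networks code): models when an App-ID in a rule is
# actually enforced, and builds the PAN-OS XML API requests for the steps above.
# Hostname, API key, vsys, rule name and App-ID names are placeholder assumptions.
from dataclasses import dataclass
from urllib.parse import urlencode
from urllib.request import urlopen
from xml.sax.saxutils import escape


@dataclass(frozen=True)
class AppStatus:
    """Where an App-ID stands on the firewall.
    installed: the content release carrying it has been installed.
    enabled:   it has not been disabled under Objects > Applications."""
    installed: bool
    enabled: bool

    @property
    def pending(self) -> bool:
        # Downloaded-only or manually disabled App-IDs may sit in rules but are not enforced.
        return not (self.installed and self.enabled)


# Constructed catalog: 'ssl' is an established App-ID; 'new-saas-app' arrived in a
# downloaded but not yet installed content release; 'legacy-app' was disabled by hand.
CATALOG = {
    "ssl": AppStatus(installed=True, enabled=True),
    "new-saas-app": AppStatus(installed=False, enabled=True),
    "legacy-app": AppStatus(installed=True, enabled=False),
}


def enforced_apps(rule_apps, catalog=CATALOG):
    """App-IDs in a rule that the firewall will match right now."""
    return [a for a in rule_apps if a in catalog and not catalog[a].pending]


def pending_apps(rule_apps, catalog=CATALOG):
    """App-IDs in a rule that are staged but not yet enforced."""
    return [a for a in rule_apps if a in catalog and catalog[a].pending]


def install_content(catalog, disable_new_apps):
    """Simulate Install of the downloaded release. With 'Disable new apps in content
    update' selected, newly installed App-IDs land disabled and therefore stay pending."""
    return {
        name: st if st.installed else AppStatus(installed=True, enabled=not disable_new_apps)
        for name, st in catalog.items()
    }


def enable_app(catalog, name):
    """Simulate selecting the App-ID under Objects > Applications and clicking Enable."""
    return {**catalog, name: AppStatus(installed=catalog[name].installed, enabled=True)}


# --- XML API requests (query strings for https://<firewall>/api/) -------------
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"


def rule_app_xpath(rule_name, vsys_xpath=VSYS_XPATH):
    """XPath of the application member list of an existing security rule."""
    return f"{vsys_xpath}/rulebase/security/rules/entry[@name='{rule_name}']/application"


def add_apps_to_rule_request(rule_name, apps, api_key):
    """type=config&action=set merges the members into the rule's application list.
    Pending App-IDs are accepted here; they are simply not enforced until installed and enabled."""
    element = "".join(f"<member>{escape(a)}</member>" for a in apps)
    return urlencode({"type": "config", "action": "set",
                      "xpath": rule_app_xpath(rule_name), "element": element, "key": api_key})


def content_op_request(action, api_key):
    """Op-command equivalents of Download / Install on Device > Dynamic Updates."""
    cmd = {
        "download": "<request><content><upgrade><download><latest/></download></upgrade></content></request>",
        "install": "<request><content><upgrade><install><version>latest</version></install></upgrade></content></request>",
    }[action]
    return urlencode({"type": "op", "cmd": cmd, "key": api_key})


def commit_request(api_key):
    return urlencode({"type": "commit", "cmd": "<commit></commit>", "key": api_key})


def send(firewall, query):
    """Send one prepared query to the firewall (network call; not used by the demo below)."""
    with urlopen(f"https://{firewall}/api/?{query}") as resp:
        return resp.read().decode()


if __name__ == "__main__":
    rule = ["ssl", "new-saas-app", "legacy-app"]
    print("before install:", enforced_apps(rule), "pending:", pending_apps(rule))
    staged = install_content(CATALOG, disable_new_apps=True)  # threat sigs live, new app still pending
    print("after install (new apps disabled):", enforced_apps(rule, staged))
    live = enable_app(staged, "new-saas-app")                  # Objects > Applications > Enable, then commit
    print("after enable + commit:", enforced_apps(rule, live))
    print(add_apps_to_rule_request("allow-saas", ["new-saas-app"], "API-KEY"))
```

Send each query string to https://<firewall>/api/ in the order of the procedure you chose. The rule update is accepted while the App-ID is still pending; enforcement of the new App-ID only begins with the commit that follows its installation and enablement, which is exactly the gap-free behaviour the procedures above are designed to produce.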
