App-ID Changes in PAN-OS 8.1

App-ID changes to default behavior in PAN-OS 8.1
PAN-OS® 8.1 has the following changes in default behavior for App-ID features:
App-ID cache for SSL applications
The default setting of the App-ID cache for SSL applications has changed:
  • PAN-OS 8.0 and earlier releases—The App-ID cache for SSL applications is enabled by default. If a cloud service provider serves multiple applications from the same IP address and you notice the firewall misidentifying these applications, you can disable the cache in PAN-OS 8.0.8 and later releases. For details, see PAN-84445 in the Addressed Issues of the PAN-OS 8.0 Release Notes.
  • PAN-OS 8.1 release—The App-ID cache for SSL applications is disabled by default. Firewalls running PAN-OS 8.1 do not populate the cache when they can identify applications from the Server Name Indication (SNI). If in rare cases the firewall misidentifies applications, you can manually enable the cache.
To change the default setting in PAN-OS 8.1 or in PAN-OS 8.0.8 or a later 8.0 release, run the following CLI command:
set application use-appid-cache-ssl-sni {no | yes}
