App-ID Features

Learn about the new App-ID™ features in PAN-OS® 8.1.
New App-ID FeatureDescription
SaaS Application Hosting Characteristics
By leveraging the enhanced SaaS Application Hosting Characteristics in App-ID, you can now identify and control SaaS applications that could pose a risk to your organization due to unfavorable hosting characteristics. To help you understand the enterprise readiness of a SaaS application, five new characteristics have been added: certifications achieved, past data breaches, support for IP-based access restrictions, financial viability, and terms of service. Using these characteristics, you can identify and explore the extent of high risk application usage from the Application Command Center (ACC). The SaaS Application Usage report is also enhanced to incorporate this context with a summary page covering risky SaaS applications and highlights the characteristics on the detailed pages. For a more tailored view, you can use the characteristics when building custom reports. Armed with the usage and the detailed risk profile, you can make informed decisions about which SaaS applications should be allowed in your environment and create policy to enforce this.
Simplified App-ID
Palo Alto Networks releases new App-IDs on a monthly basis that your security policy can begin to enforce without any additional configuration. While this enables the firewall to dynamically control application traffic with ever-increasing precision, it can also impact the availability of the mission-critical applications on which your organization relies.
Together, these new App-ID features enable you to equip the firewall with the latest application knowledge and ensure availability for mission-critical applications at the same time. Plus, they make it easier to move to and maintain an application-based security policy:
  • New App-ID Threshold—Install content updates that include new App-IDs on a separate schedule than those that don’t; this gives you more time to update your security policy to account for any changes in enforcement.
  • New App-ID Characteristic—Allow new App-IDs that might affect availability for critical enterprise applications (like software development or authentication App-IDs) and get visibility into new App-IDs activity, so that you can best refine your security policy.
  • Extended Policy Impact Review for Content Releases—In addition to new App-IDs, get insight into how modified App-IDs affect security policy enforcement.
  • Coverage Change Details for Modified App-IDs—Get details on how coverage for a modified App-ID is expanded or more precise.
SaaS Application Access Control using HTTP Header Insertion
Unsanctioned usage of SaaS applications can be a way for your users to transmit sensitive information outside of your network. This kind of SaaS usage usually means that the user is accessing a consumer-version of the application. At the same time, you may have found that usage of the enterprise-version of these applications by specific individuals or organizations is both desirable and necessary.
You can now disallow SaaS consumer accounts while allowing usage of a specific enterprise account by managing HTTP header information. Many SaaS applications allow or disallow application access based on information contained on specific HTTP headers. This feature provides predefined header insertion rules for popular SaaS application such as G Suite and Microsoft Office 365. You can also create your own custom header insertion rules for SaaS applications for which predefined header insertion rules have not been provided by Palo Alto Networks, but that also use HTTP headers to limit service access.
Easy Custom Timeouts for Applications and Services
You want to migrate from your legacy firewall to a Palo Alto Networks next generation firewall so that you can safely and comprehensively enable the applications you need to do business, but you also need to maintain any custom timeouts configured for your mission-critical applications. Now, you can custom timeouts for legacy applications in two quick and easy steps, where previously to maintain custom timeouts during the move to an application-based policy, you might have overridden App-ID (losing application visibility) or created a custom App-ID (expending a lot of time and research).

Related Documentation