Learn about the new App-ID™ features in PAN-OS® 8.1.
|New App-ID Feature||Description|
|SaaS Application Hosting Characteristics|
By leveraging the enhanced SaaS Application Hosting Characteristics in App-ID™, you can now identify and control SaaS applications that could pose a risk to your organization due to unfavorable hosting characteristics. To help you understand the enterprise readiness of a SaaS application, five new characteristics have been added: certifications achieved, past data breaches, support for IP-based access restrictions, financial viability, and terms of service. Using these characteristics, you can identify and explore the extent of high risk application usage from the Application Command Center (ACC). The SaaS Application Usage report is also enhanced to incorporate this context with a summary page covering risky SaaS applications and highlights the characteristics on the detailed pages. For a more tailored view, you can use the characteristics when building custom reports. Armed with the usage and the detailed risk profile, you can make informed decisions about which SaaS applications should be allowed in your environment and create policy to enforce this.
Palo Alto Networks releases new App-IDs on a monthly basis that your security policy can begin to enforce without any additional configuration. While this enables the firewall to dynamically control application traffic with ever-increasing precision, it can also impact the availability of the mission-critical applications on which your organization relies.
Together, these new App-ID features enable you to equip the firewall with the latest application knowledge and ensure availability for mission-critical applications at the same time. Plus, they make it easier to move to and maintain an application-based security policy:
|SaaS Application Access Control using HTTP Header Insertion|
Unsanctioned usage of SaaS applications can be a way for your users to transmit sensitive information outside of your network. This kind of SaaS usage usually means that the user is accessing a consumer-version of the application. At the same time, you may have found that usage of the enterprise-version of these applications by specific individuals or organizations is both desirable and necessary.
You can now disallow SaaS consumer accounts while allowing usage of a specific enterprise account by managing HTTP header information. Many SaaS applications allow or disallow application access based on information contained on specific HTTP headers. This feature provides predefined header insertion rules for popular SaaS application such as G Suite and Microsoft Office 365. You can also create your own custom header insertion rules for SaaS applications for which predefined header insertion rules have not been provided by Palo Alto Networks, but that also use HTTP headers to limit service access.
|Easy Custom Timeouts for Applications and Services|
You want to migrate from your legacy firewall to a Palo Alto Networks next generation firewall so that you can safely and comprehensively enable the applications you need to do business, but you also need to maintain any custom timeouts configured for your mission-critical applications. Now, you can custom timeouts for legacy applications in two quick and easy steps, where previously to maintain custom timeouts during the move to an application-based policy, you might have overridden App-ID (losing application visibility) or created a custom App-ID (expending a lot of time and research).
App-ID enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. ...
Application Whitelist Example
Application Whitelist Example Keep in mind that you do not need to capture every application that might be in use on your network in your ...
App-ID To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both an application and web perspective—App-ID and URL Filtering—to protect ...
Use HTTP Headers to Manage SaaS Application Access
Use Palo Alto Networks® firewall URL profiles to insert custom headers into HTTP requests so that you can control access to differing versions of web ...
HTTP Header Insertion and Modification
Use Palo Alto Networks® firewall URL profiles to insert HTTP headers and values into HTTP requests so that you can control access to differing versions ...
SaaS Application Hosting Characteristics
View the detailed risk profile and usage statistics for the SaaS applications on your network based on sanction state and hosting characteristics in App-ID™. ...
Domains used by the Predefined SaaS Application Types
List of domains you use for header insertion rules when using predefined HTTP header insertion rules. ...
Workflow to Best Incorporate New and Modified App-IDs
Workflow to Best Incorporate New and Modified App-IDs Refer to this master workflow to first set up Application and Threat content updates, and then to ...
Generate the SaaS Application Usage Report
Generate the SaaS Application Usage Report The SaaS Application Usage PDF report is a two-part report that allows you to easily explore SaaS application activity ...