App-ID Features

Learn about the new App-ID™ features in PAN-OS® 9.0.
New App-ID Feature
Description
Policy Optimizer
Policy Optimizer identifies all applications seen on any legacy Security policy rule and provides an easy workflow for selecting the applications you want to allow on that rule. Additionally, it helps you remove unused applications from overprovisioned application-based rules. This simplified workflow allows you to migrate a legacy rule gradually and natively to an application-based rule so you can safely enable applications in your environment and improve your security posture.
(
Beginning with PAN-OS 9.0.2
) Policy Optimizer also gives you the option to select applications in a legacy Security policy rule and add applications to an existing rule so that you can leverage pre-existing App-ID based rules and eliminate the need to continually create new rules. You can also now choose between
container app
and
specific apps seen
so that the web interface clearly displays which applications have been seen on a rule and which ones were added as part of the container but that have not, yet, been seen on that rule.
HTTP/2 Inspection
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and detect and prevent threats on a per-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.
Strict Default Ports for Decrypted Applications
Application-default—which enables you to allow applications only on their most commonly-used ports—now enforces strict default port usage strict standard port usage for certain applications that use a different default port when they are encrypted: web-browsing, SMTP, FTP, LDAP, POP3, and IMAP.
For example, with SSL decryption turned on, application-default differentiates between cleartext and encrypted web-browsing traffic and strictly enforces:
  • cleartext web-browsing traffic (HTTP) on port 80
  • and encrypted web-browsing traffic (HTTPS) on port 443.
Application-default is a best practice for application-based security policies—it reduces administrative overhead, and closes security gaps that port-based policy introduces.

Related Documentation