Create a security policy rule that allows critical App-IDs
(like authentication or software development applications) as they’re
installed. This gives you the flexibility to get the latest threat
prevention without worrying about how the accompanying new App-IDs
impact security policy enforcement.

New App-IDs can cause a change in policy enforcement
for traffic that is newly identified as belonging to a certain application.
To mitigate any impact to security policy enforcement, you can use
the New App-ID characteristic in a security
policy rule so that the rule always enforces the most recently introduced
App-IDs without requiring you to make configuration changes when
new App-IDs are installed. The New App-ID characteristic always
matches only the new App-IDs in the most recently installed content
releases. When a new content release is installed, the New App-ID
characteristic automatically begins to match only the new App-IDs
in that content release version.

You can choose to enforce
all new App-IDs, or target the security policy rule to enforce certain
types of new App-IDs that might have network-wide or critical impact
(for example, enforce only authentication or software development
applications). Set the security policy rule to
ensure that even if an App-ID release introduces expanded or more
precise coverage for critical applications, the firewall continues
to allow them.

New App-IDs are released monthly, so a policy
rule that allows the latest App-IDs gives you a month’s time (or,
if the firewall is not installing content updates on a schedule,
until the next time you manually install content) to assess how
newly categorized applications might impact security policy enforcement
and make any necessary adjustments.
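
The matching behaviour described above can be modelled in a few lines. This is an added illustration, not PAN-OS code or configuration: the class and function names, release numbers and application names are all constructed. It shows that an allow rule built on the New App-ID characteristic stops matching the previous release's App-IDs as soon as the next content release is installed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AppID:
    name: str
    subcategory: str
    release: int  # content release that introduced this App-ID

@dataclass
class ContentModel:
    """Toy model of the matching behaviour described above (not PAN-OS code)."""
    apps: list = field(default_factory=list)
    latest_release: int = 0

    def install_content(self, release, new_apps):
        # Installing a release makes its App-IDs the only "new" ones.
        self.apps += [AppID(name, sub, release) for name, sub in new_apps]
        self.latest_release = release

    def filter_matches(self, subcategories, new_only=True):
        # Application filter: narrow by subcategory, then (optionally)
        # keep only App-IDs from the most recently installed release.
        return {a.name for a in self.apps
                if a.subcategory in subcategories
                and (not new_only or a.release == self.latest_release)}

def lost_coverage(model, subcategories, release, new_apps):
    """App-IDs the allow rule stops matching once `release` is installed."""
    before = model.filter_matches(subcategories)
    model.install_content(release, new_apps)
    return before - model.filter_matches(subcategories)

if __name__ == "__main__":
    fw = ContentModel()
    # Constructed release numbers and application names.
    fw.install_content(8001, [("sso-alpha", "auth-service"), ("game-x", "gaming")])
    print("allowed as new:", fw.filter_matches({"auth-service"}))
    gone = lost_coverage(fw, {"auth-service"}, 8002, [("sso-beta", "auth-service")])
    print("needs its own rule before this install:", gone)
    print("allowed as new:", fw.filter_matches({"auth-service"}))
```

The set returned by `lost_coverage` is the list of applications to assess and cover in regular policy during the window before the next content install.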

Create a new application filter.

Define the types of new applications for which you want
to ensure constant availability based on subcategory or characteristic.
For example, select the category “auth-service” to ensure that any
newly installed applications that are known to perform or support
authentication are allowed.

Only after narrowing the types of new applications that
you want to allow immediately upon installation, set the filter
to apply to New App-IDs only.

Add or edit a security policy rule that is configured to allow
matching traffic.

Add the application filter to the policy rule as match criteria.

Save your changes.

To continue to adjust your security policy to account
for any changes to enforcement that new App-IDs introduce: