Applications and Threats content updates equip Palo Alto
Networks next-gen firewalls with the very latest threat prevention
and application identification technology.
Applications and Threats content updates deliver the
very latest application and threat signatures to the firewall. The
applications portion of the package includes new and modified App-IDs
and does not require a license. The full Applications and Threats
content package, which also includes new and modified threat signatures,
requires a Threat Prevention license. As the firewall automatically
retrieves and installs the latest application and threat signatures (based
on your custom settings), it starts enforcing security policy based
on the latest App-IDs and threat protection without any additional
New and modified threat signatures and modified App-IDs are released
at least weekly and, often, more frequently. New App-IDs are released
on the third Tuesday of every month.
In rare cases, publication of the update that contains
new App-IDs may be delayed one or two days.
Because new App-IDs can change how security policy enforces
traffic, the monthly release of new App-IDs is intended to
give you a predictable window in which to prepare and
update your security policy. Additionally, content updates are cumulative:
the latest content update always includes the application
and threat signatures released in previous versions.
Because application and threat signatures are delivered in a
single package—the same decoders that enable application signatures
to identify applications also enable threat signatures to inspect
traffic—you need to consider whether you want to deploy the signatures
together or separately. How you choose to deploy content updates
depends on your organization’s network security and application
availability requirements. As a starting point, identify your organization as
having one of the following postures (or perhaps both, depending
on firewall location):
An organization with a security-first network
prioritizes protection using the latest threat signatures over application
availability. You're primarily using the firewall for its threat
prevention capabilities; any changes to App-ID that affect how security
policy enforces application traffic are secondary.
An organization with a mission-critical network prioritizes application
availability over protection using the latest threat signatures.
Your network has zero tolerance for downtime. The firewall is deployed
inline to enforce security policy, and if you're using App-ID in
security policy, any change a content release introduces that affects
App-ID could cause downtime.
You can take a mission-critical or security-first approach to
deploying content updates, or you can apply a mix of both approaches
to meet the needs of the business. Review and consider Best Practices for Applications and Threats Content Updates to decide
how you want to implement application and threat updates. Then:
While scheduling content updates is a
one-time or infrequent task, after you’ve set the schedule, you’ll
need to continue to Manage New and Modified App-IDs that are included in content releases,
as these App-IDs can change how security policy is enforced.
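As an added illustration (not Palo Alto Networks code or a PAN-OS feature) of the policy review the page calls for, the following Python models how a new App-ID can change which rule traffic hits. It assumes the release notes list, for each new App-ID, the App-IDs the same traffic was previously identified as, and it uses a simplified, hypothetical rule model with constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NewAppId:
    """One new App-ID from a content release (constructed sample data).
    previously_identified_as: App-IDs the traffic matched before this
    signature existed (assumed to come from the release notes)."""
    name: str
    previously_identified_as: tuple


@dataclass(frozen=True)
class Rule:
    """Simplified, hypothetical security policy rule."""
    name: str
    action: str               # "allow" or "deny"
    applications: frozenset   # App-ID names, or {"any"}


def affected_rules(rules, new_app_ids):
    """Return (rule, new App-ID, parent App-ID) triples where traffic the rule
    currently matches via a parent App-ID will be re-identified as a new
    App-ID the rule does not reference, so enforcement changes on install.
    Allow rules may start blocking; deny rules may stop blocking."""
    hits = []
    for rule in rules:
        if "any" in rule.applications:
            continue                    # 'any' still matches after re-identification
        for app in new_app_ids:
            if app.name in rule.applications:
                continue                # rule already accounts for the new App-ID
            for parent in app.previously_identified_as:
                if parent in rule.applications:
                    hits.append((rule.name, app.name, parent))
    return hits


# Constructed sample release and rulebase; none of these are real App-IDs.
SAMPLE_RELEASE = [
    NewAppId("example-filesharing-upload", ("example-filesharing", "ssl")),
    NewAppId("example-chat-video", ("example-chat",)),
]
SAMPLE_RULES = [
    Rule("allow-filesharing", "allow", frozenset({"example-filesharing"})),
    Rule("allow-chat", "allow", frozenset({"example-chat", "example-chat-video"})),
    Rule("deny-web", "deny", frozenset({"ssl", "web-browsing"})),
    Rule("allow-all-dmz", "allow", frozenset({"any"})),
]

if __name__ == "__main__":
    for rule, app, parent in affected_rules(SAMPLE_RULES, SAMPLE_RELEASE):
        print(f"review {rule}: traffic now {app} (was {parent})")
```

Run this against a release before installing it in a mission-critical network; every reported rule needs a decision (add the new App-ID or accept the change) before the App-ID goes live.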