topic The use of use-cache-for-identification introduced in PANOS 5.0.2? in General Topics

The use of use-cache-for-identification introduced in PANOS 5.0.2?

mikand — Sat, 19 Jan 2013 12:59:14 GMT

According to the release note for PANOS 5.0.2 (released 2013-01-15):

47195 – When the App-ID cache feature was enabled in previous releases (enabled by default), it was possible to pollute the cache to allow some applications to pass through the firewall, even when a rule was set to block the application. If you are running an older version of PAN-OS, you can disable the application cache by running set deviceconfig setting application cache no until you can upgrade.

With this update, the App-ID cache will not be used in security policies by default. The following new CLI command has also been introduced to control whether or not the App-ID cache is used: set deviceconfig setting application use-cache-for-identification and is set to no by default.

For more information, please refer to the Security Advisory PAN-SA-2013-0001 at https://securityadvisories.paloaltonetworks.com/

Whats the purpose of "use-cache-for-identification" compared to enable/disable app-id cache all together?

According to comments in the security advisory found at the default of "no" for "use-cache-for-identification" in 5.0.2 seems to break things similar to how disabling app-id cache on its own would do (meaning some applications will be identified as unknown). While at the same time if you didnt disable app-id cache in 5.0.1 and update to 5.0.2 the app-id cache will remain active.

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

kbrazil — Mon, 21 Jan 2013 09:26:05 GMT

Hi Mikand:

Before 5.0.2:

set deviceconfig setting application cache no
- Completely disable Application Cache
set deviceconfig setting application cache yes (DEFAULT)
- Completely enable Application Cache for all applications

5.0.2 and Later:

set deviceconfig setting application cache no
- Completely disable Application Cache for all applications. This impacts PBF and accuracy of heuristic apps (e.g. bittorrent)
set deviceconfig setting application cache yes (DEFAULT)
- Enable Application Cache. See next two commands for Application Cache behavior
set deviceconfig setting application use-cache-for-identification no (DEFAULT)
- Application Cache only applies to certain applications that use it for proper App-ID (heuristics) and are not susceptible to poisoning (e.g. bittorrent)
set deviceconfig setting application use-cache-for-identification yes
- Application Cache includes all applications (brings back old behavior)

The new default settings should keep the benefits of the Application Cache (increased App-ID accuracy and PBF) without the cache poisoning risk. Our testing has shown that with normal enterprise traffic patterns there is no significant performance difference when the Application Cache is disabled ("set deviceconfig setting application cache no" or "set deviceconfig setting application use-cache-for-identification no")

Cheers,

Kelly

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

mikand — Mon, 21 Jan 2013 22:46:00 GMT

Thanks! 🙂

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Quinton — Thu, 15 Aug 2013 16:26:41 GMT

Does anybody know what the commands are to view the current settings?

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Phoenix — Thu, 15 Aug 2013 17:24:24 GMT

Hello Quinton,

Once we have made changes we can look at details on configure mode:

samysu@SamySu# edit deviceconfig setting application

[edit deviceconfig setting application]

samysu@SamySu# show

application {

notify-user yes;

use-cache-for-identification no;

}

[edit deviceconfig setting application]

Hope this helps.

Hope this helps

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Quinton — Thu, 15 Aug 2013 18:09:38 GMT

Work perfect thanks