https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29803#M21780 <HTML><HEAD></HEAD><BODY><P>Hi Mike, </P><P></P><P>You can always go to the release notes before upgrading. That will have the modified decoders and the latest added or changed applications.</P><P></P><P>Thank you</P><P>Numan</P></BODY></HTML> Wed, 09 Oct 2013 23:05:43 GMT mbutt 2013-10-09T23:05:43Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29796#M21773 <HTML><HEAD></HEAD><BODY><P>Howdy,</P><P></P><P>How do most of you manage situations where App-ID updates break functioning rules?&nbsp; This just happened to me: I have Lync 2010 and the internal clients need to connect to the edge server.&nbsp; I had a rule in place that allowed ms-lync, ssl, and stun.&nbsp; That worked fine until last weeks update (396), at which point ssl was now identified as "ms-lync-online".&nbsp; So the rule started blocking traffic to external clients who shared a resource.&nbsp; The fix was to observe internal client traffic to the Lync edge server to see that traffic was now denied, then add the application to the list of allowed traffic.</P><P></P><P>So that is one instance, I bet others out there have found issues too.&nbsp; What are people doing to protect functioning policies from breaking after app-id updates?</P><P></P><P>Thanks,</P><P>Mike</P></BODY></HTML> Mon, 07 Oct 2013 18:53:46 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29796#M21773 msullivan 2013-10-07T18:53:46Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29797#M21774 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/message/31004">What happens when a previously unknown App-ID gets added to PA through dynamic updates? How are others handling this sit…</A> is a thread I started back in August asking this exact same question. All the answers were basically "use change control and monitor the App-IDs that get added."</P><P></P><P>How in the world we're expected to remember all the App-IDs in use and somehow just "know" that a new App-ID will identify traffic traversing our firewall I have no idea... </P><P></P><P>I guess for really business critical "it can never break" rules that you build, you can just use App-ID 'Any' and specific a port in the service column. That's the best thing I can come up with for rules that I build that "can't ever break."</P></BODY></HTML> Mon, 07 Oct 2013 19:24:23 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29797#M21774 ericgearhart 2013-10-07T19:24:23Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29798#M21775 <HTML><HEAD></HEAD><BODY><P>Usually I experience this after my first commit.&nbsp; Usually it is a scramble to quickly put in the new applications to unbreak things before people find out.</P></BODY></HTML> Tue, 08 Oct 2013 03:44:08 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29798#M21775 gheimer 2013-10-08T03:44:08Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29799#M21776 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply's.&nbsp; I guess I'm not alone on this. </P><P></P><P>@PAN - you need to figure out a way to merge these databases without breaking production environments.&nbsp; My devices are in a data center, so it isn't pretty when something like this happens.</P><P></P><P>Mike</P></BODY></HTML> Tue, 08 Oct 2013 21:47:39 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29799#M21776 msullivan 2013-10-08T21:47:39Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29800#M21777 <HTML><HEAD></HEAD><BODY><P>Welcome to my world.</P><P></P><P>I got bitten by the exact same update - broke my MS-Lync implementation - and added a metric shitload of dependencies into the rule for accessing the edge server from outside.</P><P></P><P>Best you can do is subscribe to the upgrade notifications, and check every single one before applying the content upgrade. I don't allow my firewall to auto-apply content updates (virus and web filtering fine, but not content) for exactly this reason.</P><P></P><P>PAN are kind of between a rock and a hard place here - people want new apps identified to give better control - but they can't do that without breaking some older implementations which were basically work-arounds because the app wasn't identified.</P><P></P><P>Maybe some kind of pre-parsing of content upgrades which checks against affected rules and notifies before applying - like they do if you try and delete an object which is referenced elsewhere - but I don't know how feasible this would be, especially if you've got a lot of rules to check against.</P></BODY></HTML> Wed, 09 Oct 2013 03:46:15 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29800#M21777 darren_g 2013-10-09T03:46:15Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29801#M21778 <HTML><HEAD></HEAD><BODY><P>+1</P></BODY></HTML> Wed, 09 Oct 2013 15:09:58 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29801#M21778 msullivan 2013-10-09T15:09:58Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29802#M21779 <HTML><HEAD></HEAD><BODY><P>If they broke out App-ID updates from threat updates that would be nice too. I'd like to not be missing threat updates that have come out just because I'm holding off on updating my App-ID version... right now the two are intertwined. I'd rather see them split apart.</P></BODY></HTML> Wed, 09 Oct 2013 19:35:09 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29802#M21779 ericgearhart 2013-10-09T19:35:09Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29803#M21780 <HTML><HEAD></HEAD><BODY><P>Hi Mike, </P><P></P><P>You can always go to the release notes before upgrading. That will have the modified decoders and the latest added or changed applications.</P><P></P><P>Thank you</P><P>Numan</P></BODY></HTML> Wed, 09 Oct 2013 23:05:43 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29803#M21780 mbutt 2013-10-09T23:05:43Z https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29804#M21781 <HTML><HEAD></HEAD><BODY><P>This is about the best option and best description of the circumstances</P></BODY></HTML> Thu, 10 Oct 2013 00:31:36 GMT https://live.paloaltonetworks.com/t5/general-topics/app-id-updates-break-existing-rules/m-p/29804#M21781 kalebw 2013-10-10T00:31:36Z