topic Re: Can someone explain to me like I'm 5 what App-IDs are? in General Topics

Can someone exsplaine to me like I'm 5 what App-IDs are?

AndrewPaloAlto — Wed, 19 Aug 2020 20:29:52 GMT

So I need to update my PanOS on my PA-3020, but because I have a mission-critical network I need to avoid downtime as much as possible. In the walk-through for the PanOS upgrade, it says 'any change a content releases introduces that affects App-ID could cause downtime.'
I was not fully clear on what an App-ID is, and why it might change from an update. If I have a few rules in place regarding allowing some configured alerts, are those configured alerts considered App-IDs?

Can someone please shed some light on this for me?
I'm going from PanOS 9, to 10.

Re: Can someone explain to me like I'm 5 what App-IDs are?

AndrewPaloAlto — Wed, 19 Aug 2020 20:38:42 GMT

Re: Can someone exsplaine to me like I'm 5 what App-IDs are?

AndrewPaloAlto — Wed, 19 Aug 2020 20:39:07 GMT

*explain

Re: Can someone exsplaine to me like I'm 5 what App-IDs are?

BPry — Thu, 20 Aug 2020 03:24:09 GMT

@AndrewPaloAlto,

App-IDs are a collection of identifiable information (traffic signatures, protocol decoding, heuristics) which is able to identify traffic to a particular application without relying solely on port information like in older L4 deployments. These are updating constantly because the applications themselves don't stay the same, or PAN removes false-positives or expands coverage of an app-id so that it properly identifies even more traffic.

An example on why this can cause an outage would be if I configured a security rulebase entry that allowed the app-id SSL over a service object that maps to tcp/636. If a future content update expands coverage of the app-id ldap so that it starts matching traffic within my environment, I would no longer have a security rulebase entry that would allow the traffic to pass. IE: A rule allowing ssl on tcp/636 wouldn't allow traffic being identified as ldap on tcp/636 because the rule no longer matches the traffic.

If I have a few rules in place regarding allowing some configured alerts, are those configured alerts considered App-IDs?

This question is unclear in what you are actually asking. What exactly do you mean when you say that you have rules in place regarding allowing some configured alerts? Configured alerts for what, the firewall or some industrial equipment? App-IDs are the applications that you specify within the security rulebase entires; some of these are application containers which are made from multiple individual app-ids, but that's getting slightly into the weeds of things.

Re: Can someone exsplaine to me like I'm 5 what App-IDs are?

Brandon_Wertz — Fri, 21 Aug 2020 16:54:11 GMT

@AndrewPaloAlto wrote:

So I need to update my PanOS on my PA-3020, but because I have a mission-critical network I need to avoid downtime as much as possible. In the walk-through for the PanOS upgrade, it says 'any change a content releases introduces that affects App-ID could cause downtime.'
I was not fully clear on what an App-ID is, and why it might change from an update. If I have a few rules in place regarding allowing some configured alerts, are those configured alerts considered App-IDs?

Can someone please shed some light on this for me?
I'm going from PanOS 9, to 10.

I think what you're referring to is what might happen if Palo Alto adds to or changes how an "application" is identified by the firewall. Palo Alto uses multiple identifying characteristics of network traffic to create an "application" definition.

For instance on 7-23-2020, Palo Alto released application updates which changed how some applications are identified. Before this release traffic would have been seen simply as "cip-ethernet-ip-base" after this update the same traffic which the firewall saw could further be identified by the following applications:

cip-ethernet-ip-disable-io (functional)
cip-ethernet-ip-disable-sfc (functional)
cip-ethernet-ip-enable-io (functional)
cip-ethernet-ip-enable-sfc (functional)
cip-ethernet-ip-read-mod-write (functional)
cip-ethernet-ip-read-tag (functional)
cip-ethernet-ip-read-tag-frag (functional)
cip-ethernet-ip-run (functional)
cip-ethernet-ip-stop (functional)
cip-ethernet-ip-test-mode (functional)
cip-ethernet-ip-write-tag (functional)
cip-ethernet-ip-write-tag-frag (functional)

So if you wrote a rule that ONLY allow the previous application of cip-ethernet-ip-base, after the application update download to your firewall it's entirely possible these new applications wouldn't have been allowed since they weren't previously allowed in your security policy.

Re: Can someone exsplaine to me like I'm 5 what App-IDs are?

Retired Member — Sat, 22 Aug 2020 15:12:07 GMT

By the way, you will not be able to upgrade 3020 to panos 10.

9.1.x supported but 10 not.

Regards