DotW: To disable or not to disable, that is the question.
by reaper 05-31-2017 05:12 AM - edited 06-02-2017 08:09 AM
You may have noticed the option to disable new applications in the scheduled content updates, but why would you opt to enable this option?
Community member @MPI-AE was asking the same question after figuring out the option had been enabled and some applications were deactivated as a result:
If you haven't seen this option yet, it can be found as a checkbox in the Dynamic Updates Schedule settings:
Checkbox to disable new applications
This setting will disable any new applications that were added to a content package. Any existing applications that are being updated will not be disabled.
As you can see from these release notes, several new applications are added in this content update:
In the applications page, you can filter the view to only display any applications that have been disabled and then opt to enable them by selecting the checkbox for each application, then clicking 'enable' at the bottom of the applications pane.
Filtering and activating new applications
Now the question remains: why would you want to disable applications? In most scenarios this may not apply, but in some situations it could be beneficial to review which applications are going to be added to the application database without automatically applying them to the dataplane, while still being able to install the threats database per the schedule.
- An example could be an application that was previously identified as something more generic, like web-browsing, in a very restrictive security policy where only known applications are allowed. Once it is identified as a new application, it will no longer have an associated security policy and may be dropped by the default policy if the admin does not first review and create security policies accordingly.
- Another example: if a security policy has been set up using application filters, new applications normally get added to the application filters immediately, and policy is applied according to the rulebase upon installation of the content package. Disabling new applications gives the admin the opportunity to review which applications will be added to the application filters and what the impact will be to the organization.
As you can see in the disabled applications screenshot above: the concur application was augmented with sub-applications, adobe got a new one and freshsales is a new application that used to be identified as web-browsing and ssl.
- It may be regulatory: In some environments, it may not be allowed to install new applications without going through a review process to verify if an application is desirable or required to be identified (I'm looking at financial or military where strict control is of the utmost importance).
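The first two scenarios above can be reviewed ahead of time by replaying each new application against the rulebase and comparing the verdict with what the same traffic received before. The Python below is an added example, not code from the original post or from Palo Alto Networks; the rule format, rule names and subcategory values are assumptions, and only freshsales, web-browsing and ssl come from the article.

```python
# Constructed model for reviewing new App-IDs before enabling them.
# Not PAN-OS code: rule format, rule names and subcategory values are assumptions.

# Subcategory per application. The application names come from the article;
# the subcategory strings are assumed for illustration.
SUBCATEGORY = {
    "web-browsing": "internet-utility",
    "ssl": "encrypted-tunnel",
    "freshsales": "erp-crm",
}

# New App-ID -> what the same traffic was identified as before the update.
NEW_APPS = {"freshsales": ["web-browsing", "ssl"]}

# Restrictive rulebase: only explicitly listed applications are allowed.
STRICT = [{"name": "allow-web", "apps": {"web-browsing", "ssl"},
           "filter": None, "action": "allow"}]

# Rulebase with an application filter (hypothetical) above the allow rule.
FILTERED = [{"name": "block-crm", "apps": set(),
             "filter": "erp-crm", "action": "deny"}] + STRICT


def verdict(app, rulebase):
    """First matching rule wins; unmatched traffic hits the default deny."""
    for rule in rulebase:
        by_name = app in rule["apps"]
        by_filter = (rule["filter"] is not None
                     and rule["filter"] == SUBCATEGORY.get(app))
        if by_name or by_filter:
            return rule["name"], rule["action"]
    return "default-deny", "deny"


def review(new_apps, rulebase):
    """List every change in verdict caused by enabling each new App-ID."""
    changes = []
    for app, previous in sorted(new_apps.items()):
        after = verdict(app, rulebase)
        for old in previous:
            before = verdict(old, rulebase)
            if before != after:
                changes.append((app, old, before, after))
    return changes


if __name__ == "__main__":
    for label, rulebase in (("strict", STRICT), ("filtered", FILTERED)):
        for app, old, before, after in review(NEW_APPS, rulebase):
            print(f"[{label}] {old} -> {app}: {before} becomes {after}")
```

An empty result from `review` means enabling the new application changes nothing for that rulebase, for example after the admin has added it to the allow rule.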
I hope this was useful, feel free to post any questions or comments below!