Tips & Tricks: How to Use 'Disable New Apps' in Content Update

Tips & Tricks: How to Use 'Disable New Apps' in Content Update

58640
Created On 09/25/18 18:59 PM - Last Modified 06/07/23 17:52 PM


Environment


NGFW

Resolution


Our Tips and Tricks topic covers a new option introduced with PAN-OS 7.1. This new option is called Disable new apps in content update.

 

What does the 'Disable new apps in content update' option do?
When scheduling recurring downloads and installations for content updates, you can choose to disable new apps in  the content update. This option enables protection against the latest threats while giving you some flexibility. For example, you can first prepare policy updates for newly identified applications, then safely enable new applications that may be treated differently following the update.


Where can it be found?
The 'Disable new apps in content update' option is located in 2 places:

  1. Inside the WebGUI  - Device > Dynamic Updates, click to the right of the Schedule for Applications and Threats.
    t&t disable new apps1.png

    The Applications and Threats Update Schedule window displays, where you will see an option to 'Disable new apps in content update,' only if the action is to download-and-install. If you want to enable it, you will need to select this option and commit the config first.
    t&t disable new apps2.png
     
  2. The 'Disable new apps in content update' is also available when you have Applications and Threats downloaded, but  not installed. Click the Install action from the Dynamic Updates page.  You should then get an option to Disable new apps in content update.
    t&t disable new apps7.png

    When this is enabled, and installed, you will see this window showing the install of Apps and Threats, along with the list of what apps have been disabled:
    t&t disable new apps8.pngApps and Threats install window with option enabled. Notice the warning stating what new apps have been disabled.

If you manually or automatically download the Apps and Threats, but do not install, then you will see the install option, as well as under the Features column, you will see Apps is clickable. (Note: You also have an option to Review Policies to see what would be affected if the new applications were installed.)

t&t disable new apps6.pngDevice > Dynamic Update page with many options available.

If you click on Apps, (before installing the Apps and Threats update package, you will see the New Applications since last installed content window.  

Here you will see the new applications listed on the left hand side. To get details about each application, select it on the left.

 

t&t disable new apps9.png

You will see the list of new applications listed on the left. 

 

In the lower right, under options, you will see if the App-ID is enabled for this application or not. (Note: If you have selected to disable the new applications, then this will show no (Disabled). Otherwise, it will show yes, and you will have the option to disable or enable this application.
t&t disable new apps10.png

 

 

How do I know which new applications have been disabled?
In order to know what new applications have been disabled, you will first be given the option on the Device > Dynamic Update screen by clicking Apps (see above).

 

If you have already installed the new Apps and Threats content with the Disable New Apps option enabled and were not able to review the new apps from the above windows, then you can view this information by going into the Applications window located under Objects > Applications.

 

In order to see which applications are disabled, click on the dropdown next to all, and select Disabled applications.

t&t disable new apps11.png

At the bottom of this window, you will see which applications have been disabled, showing as grey-italicized.

 

Click on the application to see the details:

t&t disable new apps12.png

 

You have 2 ways to enable the application:

  1. Select Enable in the application details window (above).
  2. Or, from the Applications window, select the application,  then click the Enable option on the bottom of the window:
    t&t disable new apps13.png
     

Either way you select to enable the application, you will be presented with the following window telling you that any new applications that are enabled will also enable any application dependent on that application. It also gives you an option to enable dependent App-IDs:

t&t disable new apps14.png

 

I hope that this explains the new Disable New Apps option well.

 

As always, we appreciate all questions and comments below.


See also

Video: Disable new apps in content update

Best Practices to Manage Weekly Content Releases

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSgCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language