Question to disabled applications


L4 Transporter

Hey guys!

 

I spotted some error messages in the system log of a PA-3020: Disabled applications in vsys1.

 

After some research I found out that new apps in content updates will be disabled.

 

My question is: What am I supposed to do now?

 

Can I enable all disabled apps? Will that have any impact?

 

Can I enable new apps in content update?

 

Thanks!

7 REPLIES

Community Team Member

Hi @MPI-AE,

 

This is a setting in your Update Schedule:

Disable new apps in content update

Hope this helps!

-Kiwi

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hey kiwi,

 

yeah, I found that out!

 

But I would like to know what I am supposed to do now.

 

I want to get rid of the error system log message.

 

Can I enable all disabled apps?

 

Is there any impact?

Community Team Member

Hi @MPI-AE,

 

To enable an application, you have 2 ways to do this:

  1. The first way is to select Enable in the application details window.
  2. Or, from the Applications window, select all the desired applications, then click Enable at the bottom of the window.

More details on the feature can be found in our featured article:

Tips & Tricks: How to Use Disable New Apps in Content Update

You can review the impact of new App-IDs on existing policy rules, which is explained here:

PAN-OS 7.0 new feature - Review of new App-IDs

Cheers!

-Kim.


Hey @kiwi

 

thanks for the links.

 

But I think you didn't completely understand my question.

 

I know how to enable the apps.

 

I would like to know if it's dangerous to enable them?

 

And why (not how!) would I disable new apps in content update?

Community Team Member

Hi @MPI-AE,

 

You might choose to disable an application that is included with a new content release version because policy enforcement for the application might change.

 

For example, an application that is identified as web-browsing traffic is allowed by the firewall prior to a new content version installation; after installing the content update, the uniquely identified application no longer matches the security rule that allows web-browsing traffic. In this case, you could choose to disable the application so that traffic matched to the application signature continues to be classified as web-browsing traffic and is allowed.

 

Cheers,

-Kiwi.


Hey @kiwi

 

I still don't get it!

 

New apps can't be configured in any policies because they are not present until they are published.

And I don't understand your example. How can an application (for example dropbox) no longer match the security rule?

I mean the name of the app remains "dropbox".

 

And I think the classification shouldn't matter?

 

And a disabled app doesn't work, does it?

Hi @MPI-AE !

 

There are a couple scenarios where some behavior could change if not anticipated:

 

- A new application could suddenly get identified and no longer match a security policy (e.g. if something that used to be identified as web-browsing now changes into 'app X', it may no longer match the policy)

- In an environment where application filters are used, it might be good to review changes made to the app package before loading the new applications: What are the recommended applications for internet access?

FYI: this setting applies to new applications, not to updates to existing applications.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
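
The reclassification effect described in the replies above, as an added example that is not part of the thread and is not Palo Alto Networks code. It is a simplified first-match policy model; the rule names, the `app-x` App-ID (standing in for the thread's 'app X') and the sample flows are constructed for illustration.

```python
# Simplified model of first-match policy evaluation; an illustration, not PAN-OS code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset  # App-IDs the rule matches; an empty set means "any"
    action: str

# Constructed rulebase: allow web-browsing, then an explicit deny for the rest.
RULEBASE = [
    Rule("allow-web", frozenset({"web-browsing"}), "allow"),
    Rule("deny-rest", frozenset(), "deny"),
]

# Constructed sample data: "app-x" stands for the thread's 'app X'.
OLD_APPS = frozenset({"web-browsing"})
NEW_APPS = frozenset({"web-browsing", "app-x"})
FLOWS = ["web-browsing", "app-x"]  # what the newest signatures would call each flow

def classify(flow, known_apps, disabled_apps):
    """App-ID a flow receives. Assumption taken from the thread's example: traffic
    whose specific signature is missing or disabled stays 'web-browsing'."""
    if flow in known_apps and flow not in disabled_apps:
        return flow
    return "web-browsing"

def evaluate(app_id, rulebase=RULEBASE):
    """Return (rule name, action) of the first rule that matches the App-ID."""
    for rule in rulebase:
        if not rule.apps or app_id in rule.apps:
            return rule.name, rule.action
    return "implicit", "deny"

def impact_of_update(flows, old_apps, new_apps, disabled=frozenset()):
    """Flows whose verdict differs between the old and the new content version."""
    changed = []
    for flow in flows:
        before = evaluate(classify(flow, old_apps, frozenset()))
        after = evaluate(classify(flow, new_apps, disabled))
        if before != after:
            changed.append((flow, before, after))
    return changed

if __name__ == "__main__":
    print(impact_of_update(FLOWS, OLD_APPS, NEW_APPS))
    print(impact_of_update(FLOWS, OLD_APPS, NEW_APPS, disabled=frozenset({"app-x"})))
```

With the new App-ID enabled, the `app-x` flow moves from the allow rule to the deny rule; with it disabled, no verdict changes, which is the window the setting gives for reviewing rules before enabling the application.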