Question to disabled applications

Reply
Highlighted
L4 Transporter

Question to disabled applications

Hey guys!

 

I spotted some error messages in the system log of a PA-3020: Disabled applications in vsys1.

 

After some research I found out that new apps in content updates will be disabled.

 

My question is: What am I supposed to do now?

 

Can I enable all disabled apps? Will that have any impact?

 

Can I enable new apps in content update?

 

Thanks!

Highlighted
Community Team Member

Re: Question to disabled applications

Hi @MPI-AE,

 

This is a setting in your Update Schedule :

 

Disable new apps in content updateDisable new apps in content update

 

Hope this helps !

-Kiwi

Highlighted
L4 Transporter

Re: Question to disabled applications

Hey kiwi,

 

yeah, I found that out!

 

But I would like to know what am I supposed to do now.

 

I want to get rid of the error system log message.

 

Can I enable all disabled apps?

 

Is there any impact?

Highlighted
Community Team Member

Re: Question to disabled applications

Hi @MPI-AE,

 

To enable an application, you have 2 ways to do this :

  1. The first way is to select Enable in the application details window.
  2. Or, from the Applications window, select all the desired application, then click Enable on the bottom of the window.

More details on the feature can be found in our featured article :

 

Tips & Tricks: How to Use Disable New Apps in Content Update

 

You can review the impact of new App-IDs on existing policy rules which is explained here :

 

PAN-OS 7.0 new feature - Review of new App-IDs

 

Cheers !

-Kim.

Highlighted
L4 Transporter

Re: Question to disabled applications

Hey @kiwi

 

thanks for the links.

 

But I think you didn't completely understand my question.

 

I know how to enable the apps.

 

I would like to know if it's dangerous to enable them?

 

And why (not how!) would I disable new apps in content update?

Highlighted
Community Team Member

Re: Question to disabled applications

Hi @MPI-AE,

 

You might choose to disable an application that is included with a new content release version because policy enforcement for the application might change.

 

For example, an application that is identified as web-browsing traffic is allowed by the firewall prior to a new content version installation; after installing the content update, the uniquely identified application no longer matches the security rule that allows web-browsing traffic. In this case, you could choose to disable the application so that traffic matched to the application signature continues to be classified as web-browsing traffic and is allowed.

 

Cheers,

-Kiwi.

L4 Transporter

Re: Question to disabled applications

Hey @kiwi

 

I still don't get it!

 

new apps can't be configured in any policies because there are not present until they are published. ?

 

And I don't understand your example. How can a application (for example dropbox) not longer matches the security rule?

 

I mean the name of the app remains "dropbox". ?

 

And I think the classification shouldn't matter?

 

And a disabled app doesn't work, does it?

Highlighted
L7 Applicator

Re: Question to disabled applications

Hi @MPI-AE !

 

There are a couple scenarios where some behavior could change if not anticipated:

 

-A new application could suddenly get identified and no longer match a security policy (eg. if something that used to be identified as web-browsing now changes into 'app X', it may no longer match the policy)

 

-In an environment where application filters are used, it might be good to review changes made to the app package before loading the new applications: What are the recommended applications for internet access?

 

fyi. this setting applies to new applications, not to updates to existing applications

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!