The use of use-cache-for-identification introduced in PANOS 5.0.2?

L6 Presenter

The use of use-cache-for-identification introduced in PANOS 5.0.2?

According to the release note for PANOS 5.0.2 (released 2013-01-15):

"47195 – When the App-ID cache feature was enabled in previous releases (enabled by default), it was possible to pollute the cache to allow some applications to pass through the firewall, even when a rule was set to block the application. If you are running an older version of PAN-OS, you can disable the application cache by running set deviceconfig setting application cache no until you can upgrade.

With this update, the App-ID cache will not be used in security policies by default. The following new CLI command has also been introduced to control whether or not the App-ID cache is used: set deviceconfig setting application use-cache-for-identification and is set to no by default.

For more information, please refer to the Security Advisory PAN-SA-2013-0001 at https://securityadvisories.paloaltonetworks.com/"

What's the purpose of "use-cache-for-identification" compared to enabling/disabling the App-ID cache altogether?

According to comments in the security advisory found at the default of "no" for "use-cache-for-identification" in 5.0.2 seems to break things similarly to how disabling the App-ID cache on its own would (meaning some applications will be identified as unknown). At the same time, if you didn't disable the App-ID cache in 5.0.1 and upgrade to 5.0.2, the App-ID cache will remain active.

L4 Transporter

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Hi Mikand:

Before 5.0.2:

  • set deviceconfig setting application cache no
    • Completely disable Application Cache
  • set deviceconfig setting application cache yes (DEFAULT)
    • Completely enable Application Cache for all applications

5.0.2 and Later:

  • set deviceconfig setting application cache no
    • Completely disable Application Cache for all applications.  This impacts PBF and accuracy of heuristic apps (e.g. bittorrent)
  • set deviceconfig setting application cache yes (DEFAULT)
    • Enable Application Cache.  See next two commands for Application Cache behavior
  • set deviceconfig setting application use-cache-for-identification no (DEFAULT)
    • Application Cache only applies to certain applications that use it for proper App-ID (heuristics) and are not susceptible to poisoning (e.g. bittorrent)
  • set deviceconfig setting application use-cache-for-identification yes
    • Application Cache includes all applications (brings back old behavior)

The new default settings should keep the benefits of the Application Cache (increased App-ID accuracy and PBF) without the cache poisoning risk. Our testing has shown that with normal enterprise traffic patterns there is no significant performance difference when the Application Cache is disabled ("set deviceconfig setting application cache no" or "set deviceconfig setting application use-cache-for-identification no").

Cheers,

Kelly

L6 Presenter

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Thanks! :-)

L3 Networker

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Does anybody know what the commands are to view the current settings?

L4 Transporter

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Hello Quinton,

Once we have made changes we can look at the details in configure mode:

samysu@SamySu# edit deviceconfig setting application
[edit deviceconfig setting application]
samysu@SamySu# show
application {
  notify-user yes;
  use-cache-for-identification no;
}
[edit deviceconfig setting application]

Hope this helps.
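As an added example (not code from this thread or from Palo Alto Networks), here is a small Python audit that parses the configure-mode `show` output in the format shown above and applies the behaviour table from Kelly's reply to decide which App-ID cache mode is in effect and whether the cache-poisoning exposure from PAN-SA-2013-0001 still applies. It assumes that settings left at their default are omitted from the `show` output (so `cache` defaults to yes and `use-cache-for-identification` to no on 5.0.2 and later, and `cache` to yes before 5.0.2), and the sample output it parses is constructed to match the post above. The `parse_version`, `effective_cache_mode` and `audit` names are this example's own, not PAN-OS commands.

```python
import re

# Defaults per the 5.0.2 release note quoted in the thread. Assumption: a setting
# that does not appear in the `show` output is at its default value.
DEFAULTS_502_AND_LATER = {"cache": "yes", "use-cache-for-identification": "no"}
DEFAULTS_PRE_502 = {"cache": "yes"}

# Constructed sample in the same shape as the `show` output posted above.
SAMPLE_SHOW_OUTPUT = """\
application {
  notify-user yes;
  use-cache-for-identification no;
}
"""

# Remediation commands are the ones quoted in the thread.
PRE_502_FIX = "set deviceconfig setting application cache no"
POST_502_FIX = "set deviceconfig setting application use-cache-for-identification no"


def parse_version(text):
    """Turn a PAN-OS version string such as '5.0.2' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_application_block(text):
    """Parse the 'key value;' lines inside 'application { ... }' into a dict."""
    match = re.search(r"application\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no 'application { ... }' block found in show output")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.strip().rstrip(";")
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def effective_cache_mode(settings, version):
    """Return 'disabled', 'heuristic-only' or 'all-apps' per Kelly's table.

    all-apps       - every application is identified from the cache (poisonable)
    heuristic-only - only heuristic apps such as bittorrent use the cache (5.0.2+ default)
    disabled       - cache off entirely; costs PBF and heuristic App-ID accuracy
    """
    pre_502 = version < (5, 0, 2)
    defaults = DEFAULTS_PRE_502 if pre_502 else DEFAULTS_502_AND_LATER
    cache = settings.get("cache", defaults["cache"])
    if cache == "no":
        return "disabled"
    if pre_502:
        # Before 5.0.2 an enabled cache applied to all applications.
        return "all-apps"
    use_all = settings.get("use-cache-for-identification",
                           defaults["use-cache-for-identification"])
    return "all-apps" if use_all == "yes" else "heuristic-only"


def audit(show_output, version):
    """Parse the show output and report the cache mode, risk and fix (if any)."""
    settings = parse_application_block(show_output)
    mode = effective_cache_mode(settings, version)
    at_risk = mode == "all-apps"
    fix = None
    if at_risk:
        fix = PRE_502_FIX if version < (5, 0, 2) else POST_502_FIX
    return {"mode": mode, "poisoning_risk": at_risk, "fix": fix, "settings": settings}


if __name__ == "__main__":
    for ver in ("5.0.1", "5.0.2"):
        print(ver, audit(SAMPLE_SHOW_OUTPUT, parse_version(ver)))
```

Run against a real box, paste the `show` output from `edit deviceconfig setting application` into `SAMPLE_SHOW_OUTPUT` (or read it from a file) and give the firewall's actual version; a result of `all-apps` is the configuration the advisory describes as poisonable.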

L3 Networker

Re: The use of use-cache-for-identification introduced in PANOS 5.0.2?

Works perfectly, thanks.
