App-ID changes to Google apps


 

 

On 01-December-2015, Palo Alto Networks added a new App-ID named 'google-base,' intended to simplify the safe enablement of Google apps and streamline policy configuration. Follow the FAQ below to learn more about this change and its impact on existing firewall policies. Please see the link to the Discussion forum following this article if you have questions.

 

Frequently Asked Questions

 

Q: Why is Palo Alto Networks making this change?

 

A: Currently, to safely enable Google apps, our customers are required to permit access to dependent App-IDs, 'ssl' and 'web-browsing.' With this change, customers are no longer required to explicitly permit these dependent apps. A new App-ID named 'google-base' will selectively identify baseline services used by all Google apps.

 

 

Q: How am I affected by this change?

 

A: To take advantage of this new capability, firewall policies need to be updated. Instead of allowing 'ssl' and 'web-browsing' as dependent apps, the updated policy must permit the 'google-base' App-ID. A sample policy is outlined below, which demonstrates the safe enablement of Google Calendar, Gmail, YouTube, and Google Maps with the new 'google-base' App-ID.

[Figure: Firewall Policy for Secure Google Apps]

[Figure: App-ID for Secure Google Apps]

 

Q: How do I guarantee operational continuity to safely enable Google apps?

 

A: Palo Alto Networks added the 'google-base' App-ID to our application catalog the first week of November 2015. This App-ID, delivered as a placeholder, allows our customers to make any necessary policy changes to their firewalls ahead of time.

 

This placeholder App-ID will not affect firewall policy processing, or any existing App-ID driven rules. A sample of a transitional policy is illustrated below:

[Figure: App-ID Rules for Secure Google Apps]

 

Palo Alto Networks replaced the placeholder application with the formal “google-base” App-ID the first week of December 2015.

 

To facilitate this transition, Palo Alto Networks intends to follow the timeline outlined below:

 

  • 20-October-2015 – Palo Alto Networks announces a timeline for upcoming changes to the way Google apps will be handled by the firewall.
  • Week of 02-November-2015 – Palo Alto Networks delivered a placeholder 'google-base' App-ID with the weekly Content Apps and Threats update. This can be used to safely update firewall policies and prepare for the announced changes.
  • Week of 01-December-2015 – Palo Alto Networks delivered the formal 'google-base' App-ID with the weekly Content Apps and Threats update. With this update, the 'google-base' App-ID is fully operational and obviates the need to selectively enable 'ssl' and 'web-browsing' as dependent applications. In other words, for any Google application to work, 'google-base' has to be allowed in the security rulebase.

 

Q: When should I expect this change to appear in Applications and Threats Dynamic Updates?

 

A: Palo Alto Networks delivered the fully operational 'google-base' App-ID with the Content Apps and Threats update on 01-December-2015.

 

Q: What happens if I do not add google-base as an allowed application but only have "ssl" and "web-browsing" allowed in firewall policies?

 

A: If you do not have 'google-base' allowed, Google applications will not work. As of Dec 1, 2015, 'google-base' must be allowed for any Google application to work.

 

Q: What versions of PAN-OS software will be affected by this change?

 

A: All currently supported versions of PAN-OS software that are updated to a version of Content Apps and Threats update delivered on or beyond 01-December-2015 may be affected by this change.

 

Q: What is the list of applications that require 'google-base'?

 

A: The list of applications requiring 'google-base' can be found here: List of applications that require google-base.

 

Q: Do I need to enable SSL decryption for identifying 'google-base' app?

 

A: No, SSL decryption is not required for identifying the 'google-base' app itself. However, SSL decryption is still required for any Google application running over SSL, such as Gmail.

 

Q: Will allowing 'google-base' App-ID also allow other Google apps like youtube-base, gmail-base, etc.?

 

A: No. Any other Google apps, like youtube-base and gmail-base, have to be enabled individually based on your security policy settings.

 

Palo Alto Networks urges all customers to review their firewall policies, and use the placeholder App-ID to make any necessary changes before 01-December-2015.
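The policy review urged above can be partly scripted. The following is an added example, not Palo Alto Networks code: it parses a constructed rulebase shaped like the `<rules>` element of an exported PAN-OS configuration and reports allow rules that list Google apps while no allow rule lists 'google-base', plus rules that allow only 'ssl' and 'web-browsing'. It assumes a flat rulebase and ignores zones, users and rule order; the finding labels are hypothetical names.

```python
import xml.etree.ElementTree as ET

# App-IDs this page names as needing 'google-base'. The complete list is in the
# vendor's linked article; extend this set from it.
NEEDS_GOOGLE_BASE = {"gmail-base", "youtube-base"}
LEGACY_DEPENDENCIES = {"ssl", "web-browsing"}

# Constructed sample rulebase (not taken from the page).
SAMPLE_RULEBASE = """
<rules>
  <entry name="google-apps">
    <application><member>gmail-base</member><member>youtube-base</member></application>
    <action>allow</action>
  </entry>
  <entry name="google-dependencies">
    <application><member>ssl</member><member>web-browsing</member></application>
    <action>allow</action>
  </entry>
</rules>
"""

def allowed_apps(rulebase_xml):
    """Map each allow rule's name to the set of App-IDs it lists."""
    rules = {}
    for entry in ET.fromstring(rulebase_xml).findall("entry"):
        if entry.findtext("action", "").strip() != "allow":
            continue  # deny/drop rules cannot satisfy the google-base requirement
        members = entry.findall("application/member")
        rules[entry.get("name")] = {m.text.strip() for m in members if m.text}
    return rules

def audit(rulebase_xml):
    """Return (rule name, finding) pairs relevant to the google-base change."""
    rules = allowed_apps(rulebase_xml)
    # A rule with application 'any' also permits google-base.
    base_allowed = any(apps & {"google-base", "any"} for apps in rules.values())
    findings = []
    for name, apps in rules.items():
        if apps & NEEDS_GOOGLE_BASE and not base_allowed:
            findings.append((name, "missing-google-base"))
        if apps and apps <= LEGACY_DEPENDENCIES:
            # May have existed only as a Google dependency rule; needs human review.
            findings.append((name, "review-legacy-dependency-rule"))
    return findings

if __name__ == "__main__":
    for rule, finding in audit(SAMPLE_RULEBASE):
        print(f"{rule}: {finding}")
```

A "review-legacy-dependency-rule" finding is only a prompt to check whether the rule still serves other traffic, since 'ssl' and 'web-browsing' may be needed for non-Google applications.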

 

Questions?

If you have questions about the changes described in this article, please feel free to post in our Discussion forum.

 

 

 

Comments

How would this affect Google-search especially image search?

 

We have a couple of customers who give certain groups of employees only restricted Internet access to a defined list of webpages. Some of these common webpages like Irishrail are using Google-Maps which means that we have to allow Google Maps but block google-search which we have implemented by allowing Google-Maps in one rule and then SSL & web-browsing in another rule combined with a custom URL Category.

 

Are there any plans to provide an App for Google-search because especially Google Image search causes regular concerns regarding appropriate usage. With URL Filtering it's always challenging if a customer wants to allow specific Google applications while blocking Google search because Google frequently changes their URLs and an App would make this much easier.

 

Thanks

Lars

Hello, we white list applications primarily based on the following items using app filters:

 

CATEGORY | SUBCATEGORY | TECHNOLOGY | RISK | CHARACTERISTIC

 

Would you please tell me what these will look like for the google-base application so I can be sure it will be processed correctly by our white listing?

 

Thank you,

 

Jay

Lars - take a look at this article to not only enforce safe search, but also automatically rewrite the search using the response page to enable safe settings.

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/enable-transparent-saf...

 

Thanks sburgin, that's very useful !!!

 

Is there a specific reason why you're using two separate policies in your example? Would it be different if I used one Security Policy including various Google apps plus the new "google-base" app?

 

2015-11-30 17_40_59-Photos.png

I've set up a simple corporate policy that allows basic internet browsing:

 

Image 1.png

 

Although I am not allowing youtube-base, I am still able to view youtube videos.  What is wrong with my policy? 

 

The traffic monitor shows the high traffic classified as google-base which I am sure is the youtube traffic.  Why isn't the PAN picking up it is youtube?

 

Image 2.png


 

 

Q: Will allowing 'google-base' App-ID also allow other Google apps like youtube-base, gmail-base, etc.?

 

A: No, any other Google apps like youtube-base and gmail-base, have to be enabled individually based on your security policy settings.