04-11-2023 08:02 AM
After reviewing some best practice rule recommendations from AIOpsFW, I'm struggling to understand the logic and implementation possibilities in my environment of allowing new app-ids. I work at an educational institution. We're running 10.1.9-h1.
My understanding of the New App ID rule set is that it should be used as cover for the modification of an App-ID's characteristics via a Content update so that it is no longer covered by the original policy. I think in terms of filtering and permitting App-ID Radius, and a content update removing previously defined characteristics and then creating a new sub-category, or just removing what was once included in the policy, so that now that traffic doesn't match the filter and falls through to a deny. With the new App-ID filter this would theoretically capture this change of categorization if it were a sub-category, but not necessarily if characteristics were removed.
What am I misunderstanding? I see creating a permit any new-app-id, and I see those counters immediately start showing apps like web-browsing, that should already be applied but now seems to be allowing that access to hosts that it shouldn't be permitting. I think writing this out helps clarify it to a degree, but this really continues to sound like it includes the possibility of opening a huge hole, and I wonder why it would be considered a best practice.
04-12-2023 01:38 PM
Hello,
I'm probably misunderstanding your question. However, what I do is I have a DENYALL policy at the bottom, just above the two default policies. Any new apps that are installed are denied automatically until someone asks for it or something breaks and I'm asked to look into it. So I would suggest following the DENY ALL, allow-by-exception methodology.
Regards,
04-13-2023 12:36 PM
So if I add the policy that permits new-app-ids after our Deny All it will still populate with new-app-ids? I'll give that a shot. Thanks,
04-13-2023 12:45 PM
Hello,
Yes, however it will not allow any traffic. I think I may have done a poor job explaining it. With the DENY ALL, I only allow specific applications above that policy. Any new app-ids that are installed are automatically not allowed (traffic-wise; the PAN still has the signatures). Because of this I have the PAN install the new apps even if they might get blocked, etc.
Hope that makes a bit more sense.
Regards,
04-17-2023 08:57 AM
I think there is something procedural that I'm not quite getting about the purpose, and I'll need to revisit it. This may be due to the fact that we are not yet utilizing SSL decryption and therefore there are rules that can just be defined as ssl and work properly. Thanks for responding.
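The thread turns on two things: first-match rule ordering, and the fact that a "new App-ID" application filter only matches applications tagged as new in the installed content release, not applications whose characteristics a content update merely changed. The following toy rulebase evaluator is an added illustration written for this page; it is not PAN-OS code, and the App-ID metadata, the `new_in_release` tag standing in for the "new-app-id" characteristic, and the rule names are all constructed assumptions. It shows why placing the new-app-id rule below DENYALL makes it match nothing, why placing it above opens access for every newly introduced App-ID, and why a re-categorized App-ID (radius here) falls through to the deny either way.

```python
"""Toy first-match security rulebase (constructed example, not PAN-OS code).

Models the ordering question from the thread: where does an
"allow new-app-id" rule sit relative to a DENYALL rule, and what does a
content update that changes an App-ID's subcategory do to the filter match?
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class App:
    """Hypothetical App-ID metadata as a content release would describe it."""
    name: str
    category: str
    subcategory: str
    # Release that introduced this App-ID; stands in for the 'new-app-id' characteristic.
    new_in_release: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "deny"
    apps: frozenset = frozenset()                      # explicit App-IDs (empty = any)
    app_filter: Optional[Callable[[App], bool]] = None  # dynamic application filter
    hits: int = 0                                      # rule hit counter

    def matches(self, app: App) -> bool:
        if self.apps and app.name not in self.apps:
            return False
        if self.app_filter is not None and not self.app_filter(app):
            return False
        return True


def evaluate(rules: List[Rule], app: App) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if rule.matches(app):
            rule.hits += 1
            return rule.name, rule.action
    return "interzone-default", "deny"


def new_app_filter(current_release: int) -> Callable[[App], bool]:
    """Filter matching only App-IDs introduced in the installed content release."""
    return lambda app: app.new_in_release == current_release


# Constructed App-ID table after a hypothetical content release 2:
# a brand-new App-ID appears, and radius is re-categorized so the
# auth-service filter no longer matches it (it is NOT tagged as new).
UPDATED_APPS = [
    App("radius", "networking", "ip-protocol"),
    App("web-browsing", "general-internet", "internet-utility"),
    App("example-chat", "collaboration", "instant-messaging", new_in_release=2),
]


def build_rulebase(new_app_rule_above_deny: bool, current_release: int) -> List[Rule]:
    allow_auth = Rule("allow-auth", "allow",
                      app_filter=lambda a: a.subcategory == "auth-service")
    allow_web = Rule("allow-web", "allow", apps=frozenset({"web-browsing", "ssl"}))
    new_apps = Rule("allow-new-app-id", "allow",
                    app_filter=new_app_filter(current_release))
    deny_all = Rule("DENYALL", "deny")
    if new_app_rule_above_deny:
        return [allow_auth, allow_web, new_apps, deny_all]
    return [allow_auth, allow_web, deny_all, new_apps]


def run_scenario(new_app_rule_above_deny: bool) -> Dict[str, object]:
    """Evaluate the updated App-ID table and report verdicts plus new-app rule hits."""
    rules = build_rulebase(new_app_rule_above_deny, current_release=2)
    verdicts = {app.name: evaluate(rules, app) for app in UPDATED_APPS}
    new_rule = next(r for r in rules if r.name == "allow-new-app-id")
    return {"verdicts": verdicts, "new_app_rule_hits": new_rule.hits}


if __name__ == "__main__":
    for above in (True, False):
        print("new-app-id rule above DENYALL:" if above else "new-app-id rule below DENYALL:")
        print(run_scenario(above))
```

Running it shows the re-categorized radius App-ID landing on DENYALL in both orderings, because the content update removed the characteristic the allow-auth filter keyed on without tagging the app as new; the new App-ID is allowed only when the rule sits above DENYALL, which is exactly the hole the original poster is worried about.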