Learn more about the often overlooked feature "Disable new apps in content update" in PAN-OS 10.x and 11.x.
Let's talk about the often overlooked feature "Disable new apps in content update," what it looks like in PAN-OS 10.x and 11.x, and how to use it.
What does the Disable New Apps in Content Update feature do?
When scheduling recurring downloads and installations for content updates, you can choose to disable new apps in the content update. You might choose to disable a new application included in a content release if you want to avoid any policy impact from an application being uniquely identified (an application might be treated differently before and after a content installation if a previously unknown application is identified and categorized differently).
This option enables protection against the latest threats while giving you some flexibility. For example, you can first prepare policy updates for newly identified applications, then safely enable new applications that may be treated differently following the update.
Where can Disable New Apps be found?
You can find this feature in two places:
Inside the WebGUI, go to Device > Dynamic Updates and click to the right of Schedule for Applications and Threats.
The Applications and Threats Update Schedule window pops up, where you will see an option to 'Disable new apps in content update,' ONLY WHEN the action is set to download-and-install. If you want to enable it, you will need to select this option and commit the config first.
Alternatively, the option is also available when you have Applications and Threats downloaded, but not installed. In this case just click the Install action from the Dynamic Updates page. You should then get an option to Disable new apps in content update.
You can also find the option under 'Install Application and Threats'
NOTE: When this is enabled and installed, you will receive a message showing the installation of Apps and Threats, along with the list of what apps have been disabled.
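To check the schedule setting described above across several firewalls without opening each WebGUI, the following added example (not code from the original article or from Palo Alto Networks) audits exported configuration XML. The element path and the names action and disable-new-content are assumptions about how the export lays out this setting, and the sample configurations are constructed; confirm the names against your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (not from the article). Element names are an
# assumption about the PAN-OS config layout; confirm them on your own export.
def _cfg(freq_body):
    return ("<config><devices><entry name='localhost.localdomain'><deviceconfig>"
            "<system><update-schedule><threats><recurring>" + freq_body +
            "</recurring></threats></update-schedule></system></deviceconfig>"
            "</entry></devices></config>")

SAMPLES = {
    "fw-held": _cfg("<daily><at>02:00</at><action>download-and-install</action>"
                    "<disable-new-content>yes</disable-new-content></daily>"),
    "fw-live": _cfg("<weekly><action>download-and-install</action></weekly>"),
    "fw-manual": _cfg("<daily><action>download-only</action>"
                      "<disable-new-content>yes</disable-new-content></daily>"),
    "fw-none": "<config><devices/></config>",
}

RECURRING = ".//deviceconfig/system/update-schedule/threats/recurring"

def audit_schedule(config_xml):
    """Return (frequency, action, new_apps_held, finding) for one export."""
    recurring = ET.fromstring(config_xml).find(RECURRING)
    if recurring is None or len(recurring) == 0:
        return (None, None, False, "no Applications and Threats schedule")
    freq = recurring[0]                      # e.g. <daily>, <weekly>
    action = (freq.findtext("action") or "").strip()
    flag = (freq.findtext("disable-new-content") or "no").strip() == "yes"
    # Per the article, the option only applies to download-and-install.
    if action != "download-and-install":
        return (freq.tag, action, False,
                "schedule does not install; choose the option at manual install")
    if flag:
        return (freq.tag, action, True,
                "new App-IDs arrive disabled; review and enable after policy prep")
    return (freq.tag, action, False,
            "new App-IDs take effect on install; policy matching may change")

def audit_all(configs):
    """Audit every export in a {name: xml_string} mapping."""
    return {name: audit_schedule(xml) for name, xml in configs.items()}

if __name__ == "__main__":
    for name, result in audit_all(SAMPLES).items():
        print(name, result)
```

A firewall reported as "fw-live" here is one where a newly identified application can change how existing rules match as soon as the content installs.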
If you manually or automatically download the Apps and Threats, but do not install them, then you will see the Install option, as well as Review Apps and Review Policies under the Action column.
Device > Dynamic Updates Page with available options
If you click on Review Apps (before installing the Apps and Threats update package), you will see the New and Modified Applications since last installed content window.
Here you will see the new applications listed on the left hand side. To get details about each application, select it on the left.
New and Modified Applications
In the lower right, under options, you will see if the App-ID is enabled for this application or not.
NOTE: If you have selected to disable the new applications, then this will show no (Disabled). Otherwise, it will show yes, and you will have the option to disable or enable this application.
How do I know which new applications have been disabled?
To find out which new applications have been disabled, go to the Device > Dynamic Updates screen and click Review Apps as shown earlier.
If you have already installed the new Apps and Threats content with the Disable New Apps option enabled and were not able to review the new apps from the above windows, then you can view this information by going into the Applications window located under Objects > Applications.
In order to see which applications are disabled, click on the dropdown next to all, and select Disabled applications.
Objects > Applications
At the bottom of this window, you will see which applications have been disabled, showing as grey-italicized.
You can then click on the application to see the details:
There are two ways to enable the application:
Select Enable in the application details window as explained above.
Alternatively you can go to the Applications window, select the application and click the Enable option on the bottom of the window:
When you enable the application, you will be presented with the following window telling you that any new applications that are enabled will also enable applications depending on that application. It also gives you an option to enable dependent App-IDs:
I hope that this explains the Disable New Apps option well, as it looks somewhat different compared to previous PAN-OS versions.
Are you disabling new apps with content updates? Please share your experience below.