Let's talk about the often overlooked feature"Disable new apps in content update," what it looks like in in PAN-OS 10.x and 11.x, and how to use it.
When scheduling recurring downloads and installations for content updates, you can choose to disable new apps in the content update. You might choose to disable a new application included in a content release if you want to avoid any policy impact from an application being uniquely identified (an application might be treated differently before and after a content installation if a previously unknown application is identified and categorized differently).
This option enables protection against the latest threats while giving you some flexibility. For example, you can first prepare policy updates for newly identified applications, then safely enable new applications that may be treated differently following the update.
You can find this feature in two places:
Device > Dynamic Updates
The Applications and Threats Update Schedule window pops up, where you will see an option to 'Disable new apps in content update,' ONLY WHEN the action is set to download-and-install. If you want to enable it, you will need to select this option and commit the config first.
NOTE: When this is enabled and installed, you will receive a message showing the installation of Apps and Threats, along with the list of what apps have been disabled.
If you manually or automatically download the Apps and Threats, but do not install them, then you will see the Install option, as well as Review Apps and Review Policies under the Action column.
If you click on Review Apps, (before installing the Apps and Threats update package), you will see the New and Modified Applications since last installed content window.
Here you will see the new applications listed on the left hand side. To get details about each application, select it on the left.
In the lower right, under options, you will see if the App-ID is enabled for this application or not.
NOTE: If you have selected to disable the new applications, then this will show no (Disabled). Otherwise, it will show yes, and you will have the option to disable or enable this application.
In order to know what new applications have been disabled, you can check this on the Device > Dynamic Update screen by clicking Review Apps as shown earlier.
If you have already installed the new Apps and Threats content with the Disable New Apps option enabled and were not able to review the new apps from the above windows, then you can view this information by going into the Applications window located under Objects > Applications.
In order to see which applications are disabled, click on the dropdown next to all, and select Disabled applications.
At the bottom of this window, you will see which applications have been disabled, showing as grey-italicized.
You can then click on the application to see the details:
There are two ways to enable the application:
Enable Application
When you enable the application, you will be presented with the following window telling you that any new applications that are enabled will also enable applications depending on that application. It also gives you an option to enable dependent App-IDs:
I hope that this explains the Disable New Apps option well as it looks somewhat different compared to previous PAN-OS versions.
Are you disabling new apps with content updates? Please share your experience below.
Thank you for taking time to read this blog!
Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.
As always, we welcome all questions, comments and feedback in the comments section below.
Kiwi out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 4 Likes | |
| 3 Likes | |
| 3 Likes | |
| 2 Likes | |
| 2 Likes |
| User | Likes Count |
|---|---|
| 11 | |
| 4 | |
| 3 | |
| 2 | |
| 2 |
