Managing DeepSeek Traffic with Palo Alto Networks App-IDs


 

Blog written by Jiangnan Li, Rakshith Shetty, and Amy Fang.

 

 

In January 2025, DeepSeek gained attention for its model DeepSeek-R1, which showcased a level of proficiency that rivals the well-established OpenAI o1 at a much lower cost. Palo Alto Networks customers have shown 1,800% more interest in DeepSeek since the release of DeepSeek-R1. Despite the appealing performance and cost-effectiveness of DeepSeek, it's crucial to consider the potential risks associated with its use in enterprise environments.

 

DeepSeek Security as App-IDs

 

In October 2024, prior to DeepSeek gaining prominence, we released 'deepseek-chat' as a Cloud App-ID, accessible to our AI Access and SaaS Inline customers. As an AI App-ID, 'deepseek-chat' was classified as a high-risk application, earning a risk score of 4. This rating was largely attributed to DeepSeek's practice of using user data for model training, which could potentially lead to significant data leakage issues within enterprises. Further, DeepSeek is not exempt from common GenAI risks, such as jailbreaks, as highlighted in recent studies by Unit 42 researchers. These studies emphasize the potential for unpredictable outputs from DeepSeek. Given the potential threats it could pose, the secure management of DeepSeek traffic should be a priority for enterprise security.

 

App-IDs Related to DeepSeek 

 

Given the pressing need for secure management of DeepSeek traffic, we have made DeepSeek App-IDs universally available to all our Palo Alto Networks Next-Generation Firewall (NGFW) customers. We released three DeepSeek-related App-IDs in February: deepseek-chat, deepseek-platform and deepseek-api. 

 

deepseek-chat: Covers the traffic of the DeepSeek web-based interface, which is the more general way casual users access DeepSeek.

 

deepseek-platform: Covers the traffic of the DeepSeek Platform. The platform offers a suite of AI products and services designed to integrate advanced language understanding and generation capabilities into various applications. It also provides detailed documentation, pricing information and service status updates to assist users and developers in utilizing DeepSeek's AI offerings.

 

deepseek-api: Covers all API-related traffic of DeepSeek. DeepSeek provides APIs that enable programmatic access to its AI models. The AI models supported by DeepSeek, like DeepSeek-R1 (deepseek-reasoner) and DeepSeek-V3 (deepseek-chat), can be accessed through DeepSeek APIs. Accurately identifying deepseek-api traffic is crucial to detect services that rely on DeepSeek in the backend and to protect against potential data leakage.

 

All three DeepSeek App-IDs are available on NGFWs, as shown in the figure below. They are tagged as generative AI App-IDs with standard ports TCP/80,443. All three App-IDs can be identified without decryption.

 

Fig 1_Managing-Deepseek_palo-alto-networks.jpg

 

Managing DeepSeek Traffic through Security Policies

 

The three DeepSeek App-IDs enable Palo Alto Networks NGFW customers to flexibly control and manage access to DeepSeek, and they give clear visibility into DeepSeek traffic generated from different interfaces. Customers can control DeepSeek traffic by configuring the associated App-IDs under ‘Application’ in an NGFW security policy, as shown in the figure below.

 

Fig 2_Managing-Deepseek_palo-alto-networks.jpg

The three App-IDs are identified separately, so blocking just one of them does not block all three. The figure below summarizes the expected network behavior when configuring the three App-IDs.

 

Fig 3_Managing-Deepseek_palo-alto-networks.jpg

 

The figure above shows different scenarios for configuring security policies to manage DeepSeek traffic through the three App-IDs. In the figure, Allow means “allow” in the security policy rule and Deny means “deny.”
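
Because the three App-IDs are matched separately, it is worth checking which rule actually decides each one. The following Python script is an added example, not code from this blog or from Palo Alto Networks: it walks a security rulebase top-down and reports the first enabled rule that names each DeepSeek App-ID. The XML fragment and rule names are constructed, and the check assumes rules match on the application field only (zones, addresses, users, application groups and application filters are ignored).

```python
import xml.etree.ElementTree as ET

DEEPSEEK_APP_IDS = ("deepseek-chat", "deepseek-platform", "deepseek-api")

# Constructed sample shaped like a PAN-OS security rulebase export (not from the blog).
SAMPLE_CONFIG = """
<rulebase><security><rules>
  <entry name="block-deepseek-web">
    <application><member>deepseek-chat</member></application>
    <action>deny</action>
  </entry>
  <entry name="old-block-api">
    <application><member>deepseek-api</member></application>
    <action>deny</action>
    <disabled>yes</disabled>
  </entry>
  <entry name="allow-web">
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
</rules></security></rulebase>
"""

def first_match(rules_xml, app_id):
    """Return (rule name, action) of the first enabled rule naming app_id or 'any'."""
    root = ET.fromstring(rules_xml)
    # Rules are evaluated top-down; document order is rule order.
    for entry in root.findall(".//rules/entry"):
        if entry.findtext("disabled", default="no").strip() == "yes":
            continue  # a disabled rule never matches traffic
        apps = {m.text.strip() for m in entry.findall("application/member") if m.text}
        # Assumption: match on the application field only (no zones, groups or filters).
        if app_id in apps or "any" in apps:
            return entry.get("name"), entry.findtext("action", default="").strip()
    return None, "no-match"  # nothing explicit; the default rules would decide

def audit(rules_xml):
    """Map each DeepSeek App-ID to the (rule, action) pair that decides it."""
    return {app: first_match(rules_xml, app) for app in DEEPSEEK_APP_IDS}

if __name__ == "__main__":
    for app, (rule, action) in audit(SAMPLE_CONFIG).items():
        print(f"{app:18} -> {action:8} (rule: {rule})")
```

In the constructed rulebase only deepseek-chat is denied; deepseek-platform and deepseek-api fall through to the broad allow rule, and the disabled deny rule for deepseek-api has no effect.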

 

Update to the Latest Content Version to Use DeepSeek App-IDs

 

The three DeepSeek App-IDs were released in Content Version 8948. Note that, to accelerate coverage, we skipped the common TSID process for the DeepSeek App-IDs, so they are activated as soon as Content Version 8948 or later is installed on an NGFW. Check the PAN-OS Upgrade Guide to learn how to update the content.

 

As the AI industry continues to evolve and expand, we may witness the emergence of more innovative solutions, like DeepSeek. Palo Alto Networks remains committed to diligently monitoring the latest AI trends and delivering App-IDs for new applications and services. Learn more about the DeepSeek App-IDs on Palo Alto Networks AI Access Security and Application Research Center.

 
