cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

App-ID updates break existing rules

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
msullivan
L3 Networker
‎10-07-2013 11:53 AM
‎10-07-2013 11:53 AM

App-ID updates break existing rules

Howdy,

How do most of you manage situations where App-ID updates break functioning rules?  This just happened to me: I have Lync 2010 and the internal clients need to connect to the edge server.  I had a rule in place that allowed ms-lync, ssl, and stun.  That worked fine until last weeks update (396), at which point ssl was now identified as "ms-lync-online".  So the rule started blocking traffic to external clients who shared a resource.  The fix was to observe internal client traffic to the Lync edge server to see that traffic was now denied, then add the application to the list of allowed traffic.

So that is one instance, I bet others out there have found issues too.  What are people doing to protect functioning policies from breaking after app-id updates?

Thanks,

Mike

Labels:
Tags (1)
0 Likes
Reply
Highlighted
ericgearhart
L4 Transporter
‎10-07-2013 12:24 PM
‎10-07-2013 12:24 PM

What happens when a previously unknown App-ID gets added to PA through dynamic updates? How are othe... is a thread I started back in August asking this exact same question. All the answers were basically "use change control and monitor the App-IDs that get added."

How in the world we're expected to remember all the App-IDs in use and somehow just "know" that a new App-ID will identify traffic traversing our firewall I have no idea...

I guess for really business critical "it can never break" rules that you build, you can just use App-ID 'Any' and specific a port in the service column. That's the best thing I can come up with for rules that I build that "can't ever break."

Reply
Highlighted
gheimer
Not applicable
‎10-07-2013 08:44 PM
‎10-07-2013 08:44 PM

Usually I experience this after my first commit.  Usually it is a scramble to quickly put in the new applications to unbreak things before people find out.

Reply
Highlighted
msullivan
L3 Networker
‎10-08-2013 02:47 PM
‎10-08-2013 02:47 PM

Thanks for the reply's.  I guess I'm not alone on this.

@PAN - you need to figure out a way to merge these databases without breaking production environments.  My devices are in a data center, so it isn't pretty when something like this happens.

Mike

0 Likes
Reply
Highlighted
darren.g
L4 Transporter
‎10-08-2013 08:46 PM
‎10-08-2013 08:46 PM

Welcome to my world.

I got bitten by the exact same update - broke my MS-Lync implementation - and added a metric shitload of dependencies into the rule for accessing the edge server from outside.

Best you can do is subscribe to the upgrade notifications, and check every single one before applying the content upgrade. I don't allow my firewall to auto-apply content updates (virus and web filtering fine, but not content) for exactly this reason.

PAN are kind of between a rock and a hard place here - people want new apps identified to give better control - but they can't do that without breaking some older implementations which were basically work-arounds because the app wasn't identified.

Maybe some kind of pre-parsing of content upgrades which checks against affected rules and notifies before applying - like they do if you try and delete an object which is referenced elsewhere - but I don't know how feasible this would be, especially if you've got a lot of rules to check against.

Reply
Highlighted
msullivan
L3 Networker
‎10-09-2013 08:09 AM
‎10-09-2013 08:09 AM

+1

0 Likes
Reply
Highlighted
ericgearhart
L4 Transporter
‎10-09-2013 12:35 PM
‎10-09-2013 12:35 PM

If they broke out App-ID updates from threat updates that would be nice too. I'd like to not be missing threat updates that have come out just because I'm holding off on updating my App-ID version... right now the two are intertwined. I'd rather see them split apart.

Reply
Highlighted
mbutt
L5 Sessionator
‎10-09-2013 04:05 PM
‎10-09-2013 04:05 PM

Hi Mike,

You can always go to the release notes before upgrading. That will have the modified decoders and the latest added or changed applications.

Thank you

Numan

Reply
Highlighted
kalebw
L3 Networker
‎10-09-2013 05:31 PM
‎10-09-2013 05:31 PM

This is about the best option and best description of the circumstances

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks