Can someone exsplaine to me like I'm 5 what App-IDs are?

L1 Bithead


So I need to update my PanOS on my PA-3020, but because I have a mission-critical network I need to avoid downtime as much as possible.  In the walk-through for the PanOS upgrade, it says 'any change a content releases introduces that affects App-ID could cause downtime.'  
I was not fully clear on what an App-ID is, and why it might change from an update.  If I have a few rules in place regarding allowing some configured alerts, are those configured alerts considered App-IDs?    

 

Can someone please shed some light on this for me?  
I'm going from PanOS 9, to 10.  

 

L1 Bithead

*explain

Cyber Elite

@AndrewPaloAlto,

App-IDs are a collection of identifiable information (traffic signatures, protocol decoding, heuristics) which is able to identify traffic to a particular application without relying solely on port information like in older L4 deployments. These are updating constantly because the applications themselves don't stay the same, or PAN removes false-positives or expands coverage of an app-id so that it properly identifies even more traffic. 

An example of why this can cause an outage would be if I configured a security rulebase entry that allowed the app-id SSL over a service object that maps to tcp/636. If a future content update expands coverage of the app-id ldap so that it starts matching traffic within my environment, I would no longer have a security rulebase entry that would allow the traffic to pass. I.e., a rule allowing ssl on tcp/636 wouldn't allow traffic being identified as ldap on tcp/636 because the rule no longer matches the traffic.

 

If I have a few rules in place regarding allowing some configured alerts, are those configured alerts considered App-IDs?

This question is unclear in what you are actually asking. What exactly do you mean when you say that you have rules in place regarding allowing some configured alerts? Configured alerts for what, the firewall or some industrial equipment? App-IDs are the applications that you specify within the security rulebase entries; some of these are application containers which are made from multiple individual app-ids, but that's getting slightly into the weeds of things.

Cyber Elite


@AndrewPaloAlto wrote:

So I need to update my PanOS on my PA-3020, but because I have a mission-critical network I need to avoid downtime as much as possible.  In the walk-through for the PanOS upgrade, it says 'any change a content releases introduces that affects App-ID could cause downtime.'  
I was not fully clear on what an App-ID is, and why it might change from an update.  If I have a few rules in place regarding allowing some configured alerts, are those configured alerts considered App-IDs?    

 

Can someone please shed some light on this for me?  
I'm going from PanOS 9, to 10.  

 


I think what you're referring to is what might happen if Palo Alto adds to or changes how an "application" is identified by the firewall.  Palo Alto uses multiple identifying characteristics of network traffic to create an "application" definition.

 

For instance, on 7-23-2020, Palo Alto released application updates which changed how some applications are identified.  Before this release, traffic would have been seen simply as "cip-ethernet-ip-base"; after this update, the same traffic which the firewall saw could further be identified by the following applications:

 

cip-ethernet-ip-disable-io (functional)
cip-ethernet-ip-disable-sfc (functional)
cip-ethernet-ip-enable-io (functional)
cip-ethernet-ip-enable-sfc (functional)
cip-ethernet-ip-read-mod-write (functional)
cip-ethernet-ip-read-tag (functional)
cip-ethernet-ip-read-tag-frag (functional)
cip-ethernet-ip-run (functional)
cip-ethernet-ip-stop (functional)
cip-ethernet-ip-test-mode (functional)
cip-ethernet-ip-write-tag (functional)
cip-ethernet-ip-write-tag-frag (functional)

 

So if you wrote a rule that ONLY allowed the previous application of cip-ethernet-ip-base, after the application update downloaded to your firewall it's entirely possible these new applications wouldn't have been allowed, since they weren't previously allowed in your security policy.
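
The two scenarios described in the replies above (ssl vs. ldap on tcp/636, and cip-ethernet-ip-base being split into functional App-IDs), as an added example that is not part of any post in this thread and is not Palo Alto's code. It is a simplified first-match model that ignores zones, addresses and users; the rule names, the tcp/44818 service and the change list are constructed sample data.

```python
# Simplified model of App-ID based rule matching; NOT the PAN-OS matching engine.
# RULES and CONTENT_CHANGES are constructed sample data for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset   # App-IDs this rule allows
    service: str      # service object, e.g. "tcp/636"


RULES = [
    Rule("allow-ldaps", frozenset({"ssl"}), "tcp/636"),
    Rule("allow-plc", frozenset({"cip-ethernet-ip-base"}), "tcp/44818"),
]

# App-ID seen today -> App-IDs the same traffic may be identified as after the update
CONTENT_CHANGES = {
    "ssl": {"ldap"},
    "cip-ethernet-ip-base": {"cip-ethernet-ip-read-tag", "cip-ethernet-ip-write-tag"},
}


def evaluate(rules, app, service):
    """Return the first rule name allowing (app, service), or None for implicit deny."""
    for rule in rules:
        if app in rule.apps and service == rule.service:
            return rule.name
    return None


def audit(rules, changes):
    """Map rule name -> new App-IDs that no rule would allow on that rule's service."""
    findings = {}
    for rule in rules:
        for old_app in sorted(rule.apps & set(changes)):
            blocked = sorted(new for new in changes[old_app]
                             if evaluate(rules, new, rule.service) is None)
            if blocked:
                findings.setdefault(rule.name, []).extend(blocked)
    return findings


if __name__ == "__main__":
    for name, apps in audit(RULES, CONTENT_CHANGES).items():
        print(f"{name}: review before installing content, not yet allowed: {', '.join(apps)}")
```
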

L6 Presenter

By the way, you will not be able to upgrade 3020 to panos 10.

9.1.x is supported but 10 is not.

 

Regards
