Handling of and Awareness of APP-ID shifts or new releases


L6 Presenter

I'm not sure how much it's been publicized, but there's a pretty significant improvement to how Palo is letting customers handle newly released APP-IDs or application shifts.

 

Thus far, when new app-ids are released, customers just have to accept them without really understanding if the coming change will affect existing security policy.  Well, finally Palo is doing something about it.  Palo will create a "threat" signature that will be fired on a new "to be released" application.  This "threat" alert will inform firewall admins about traffic that, while currently hitting a certain application, will match a "to be released" / coming application.

 

Not only will this awareness exist, Palo is also creating a "Policy Optimizer" of sorts where admins can proactively add these coming applications to existing policy, or even create a new security rule with these new applications.

 

This is an amazing feature that will make handling new app-ids something Palo admins can finally say we have a process for.  (I'm just a long-time Palo admin sharing what I hope is some helpful news.)

 

I wanted to bring awareness to the below blog post.  It's in an area people might not always look at so I figured I'd share here.

https://live.paloaltonetworks.com/t5/customer-resources/app-id-change-threat-signature-indicator-tsi...

2 REPLIES

Community Team Member

Hi @Brandon_Wertz,

 

This is indeed another step forward!! Thanks for sharing!

 

One did already have the option to disable new applications in scheduled content updates so you weren't necessarily forced to just accept them:

https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-disable-new-applications-in-scheduled-con...

 

Thanks again!

Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Yeah, there are ways, like creating an application filter that targets newly released applications and allows you to create policy, but that's really a guessing game.  Disabling newly released apps is also a way, but that too is just kicking the can down the road and doesn't really allow admins to understand the change of policy implications on their security policy.

None of the existing options, IMO, were what you'd expect from a firewall security appliance.

 

This new feature squarely hits the target on what admins need to do to properly address application changes in a secured way.
