05-29-2017 06:54 AM
Hey guys!
I spotted some error messages in the system log of a PA-3020: Disabled applications in vsys1.
After some research I found out that new apps in content updates will be disabled.
My question is: What am I supposed to do now?
Can I enable all disabled apps? Will that have any impact?
Can I enable new apps in content update?
Thanks!
05-29-2017 07:11 AM - edited 05-29-2017 07:11 AM
Hi @MPI-AE,
This is a setting in your Update Schedule:
Hope this helps!
-Kiwi
05-29-2017 07:13 AM - edited 05-29-2017 07:14 AM
Hey kiwi,
Yeah, I found that out!
But I would like to know what I am supposed to do now.
I want to get rid of the error system log message.
Can I enable all disabled apps?
Is there any impact?
05-29-2017 07:59 AM
Hi @MPI-AE,
To enable an application, you have 2 ways to do this:
More details on the feature can be found in our featured article:
Tips & Tricks: How to Use Disable New Apps in Content Update
You can review the impact of new App-IDs on existing policy rules, which is explained here:
PAN-OS 7.0 new feature - Review of new App-IDs
Cheers!
-Kim.
05-30-2017 01:53 AM - edited 05-30-2017 01:57 AM
Hey @kiwi,
Thanks for the links.
But I think you didn't completely understand my question.
I know how to enable the apps.
I would like to know if it's dangerous to enable them?
And why (not how!) would I disable new apps in content update?
05-30-2017 02:35 AM
Hi @MPI-AE,
You might choose to disable an application that is included with a new content release version because policy enforcement for the application might change.
For example, an application that is identified as web-browsing traffic is allowed by the firewall prior to a new content version installation; after installing the content update, the uniquely identified application no longer matches the security rule that allows web-browsing traffic. In this case, you could choose to disable the application so that traffic matched to the application signature continues to be classified as web-browsing traffic and is allowed.
Cheers,
-Kiwi.
05-30-2017 05:26 AM - edited 05-30-2017 05:31 AM
Hey @kiwi
I still don't get it!
New apps can't be configured in any policies because they are not present until they are published.
And I don't understand your example. How can an application (for example dropbox) no longer match the security rule?
I mean the name of the app remains "dropbox".
And I think the classification shouldn't matter?
And a disabled app doesn't work, does it?
05-30-2017 05:48 AM
Hi @MPI-AE!
There are a couple of scenarios where some behavior could change if not anticipated:
- A new application could suddenly get identified and no longer match a security policy (e.g. if something that used to be identified as web-browsing now changes into 'app X', it may no longer match the policy)
- In an environment where application filters are used, it might be good to review changes made to the app package before loading the new applications: What are the recommended applications for internet access?

FYI, this setting applies to new applications, not to updates to existing applications.
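
The scenario discussed in this thread, as an added example that is not part of the original posts and is not Palo Alto Networks code: a simplified Python model of App-ID classification followed by first-match rule lookup, showing the same session before a content update, after it with the new app enabled, after it with the new app disabled, and after the rule has been reviewed. The rule name, `app-x`, the hostnames and the default-deny fallthrough are assumptions made for illustration.

```python
# Simplified model of App-ID classification plus first-match policy lookup.
# Not PAN-OS code: rule names, "app-x" and the hostnames are constructed.

BASE_RULES = [{"name": "allow-web", "apps": {"web-browsing", "ssl"}, "action": "allow"}]
REVIEWED_RULES = [{"name": "allow-web", "apps": {"web-browsing", "ssl", "app-x"}, "action": "allow"}]

OLD_CONTENT = {}                            # content release without an app-x signature
NEW_CONTENT = {"app-x": ".app-x.example"}   # new release adds the app-x App-ID
SESSION = {"host": "files.app-x.example"}   # constructed sample session


def identify(session, signatures, disabled):
    """Return the enabled App-ID whose signature matches, else the generic one."""
    for app, suffix in signatures.items():
        if app not in disabled and session["host"].endswith(suffix):
            return app
    return "web-browsing"


def evaluate(session, signatures, rules, disabled=frozenset()):
    """Top-down, first-match rule lookup; unmatched traffic is denied (assumption)."""
    app = identify(session, signatures, disabled)
    for rule in rules:
        if app in rule["apps"]:
            return app, rule["name"], rule["action"]
    return app, "default-deny", "deny"


def scenarios():
    return {
        "before_update": evaluate(SESSION, OLD_CONTENT, BASE_RULES),
        "new_app_enabled": evaluate(SESSION, NEW_CONTENT, BASE_RULES),
        "new_app_disabled": evaluate(SESSION, NEW_CONTENT, BASE_RULES, {"app-x"}),
        "enabled_after_rule_review": evaluate(SESSION, NEW_CONTENT, REVIEWED_RULES),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:27} {result}")
```

In this model, disabling the new app keeps the session classified as web-browsing and allowed by the existing rule, while enabling it without touching the rule sends the same session to the default deny.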