01-19-2013 04:59 AM
According to the release note for PANOS 5.0.2 (released 2013-01-15):
"
47195 – When the App-ID cache feature was enabled in previous releases (enabled by default), it was possible to pollute the cache to allow some applications to pass through the firewall, even when a rule was set to block the application. If you are running an older version of PAN-OS, you can disable the application cache by running set deviceconfig setting application cache no until you can upgrade.
With this update, the App-ID cache will not be used in security policies by default. The following new CLI command has also been introduced to control whether or not the App-ID cache is used: set deviceconfig setting application use-cache-for-identification and is set to no by default.
For more information, please refer to the Security Advisory PAN-SA-2013-0001 at https://securityadvisories.paloaltonetworks.com/
"
What's the purpose of "use-cache-for-identification" compared to enabling/disabling the App-ID cache altogether?
According to comments in the security advisory found at the default of "no" for "use-cache-for-identification" in 5.0.2 seems to break things similar to how disabling the App-ID cache on its own would do (meaning some applications will be identified as unknown). At the same time, if you didn't disable the App-ID cache in 5.0.1 and update to 5.0.2, the App-ID cache will remain active.
01-21-2013 01:26 AM
Hi Mikand:
Before 5.0.2:
5.0.2 and Later:
The new default settings should keep the benefits of the Application Cache (increased App-ID accuracy and PBF) without the cache poisoning risk. Our testing has shown that with normal enterprise traffic patterns there is no significant performance difference when the Application Cache is disabled ("set deviceconfig setting application cache no" or "set deviceconfig setting application use-cache-for-identification no").
Cheers,
Kelly
08-15-2013 09:26 AM
Does anybody know what the commands are to view the current settings?
08-15-2013 10:24 AM
Hello Quinton,
Once we have made changes we can look at details on configure mode:
samysu@SamySu# edit deviceconfig setting application
[edit deviceconfig setting application]
samysu@SamySu# show
application {
notify-user yes;
use-cache-for-identification no;
}
[edit deviceconfig setting application]
Hope this helps.
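As an added example (not part of this thread and not a Palo Alto Networks tool): a small Python audit that parses the "show" output quoted in the reply above and reports whether the App-ID cache could still be consulted for security-policy decisions, using only the two knobs and the defaults stated in the 5.0.2 release note quoted in the first post (cache enabled by default in earlier releases; use-cache-for-identification defaulting to "no" from 5.0.2). The sample output is constructed to match the reply, and the brace parser, the version tuple and the function names are assumptions of this example.

```python
"""Audit PAN-OS App-ID cache settings from config-mode `show` output.

Added example; the parser and the version handling are assumptions,
the knobs and defaults come from the PAN-OS 5.0.2 release note.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the `show` output quoted in the thread
# (not captured from a real device).
SAMPLE_SHOW_OUTPUT = """\
application {
  notify-user yes;
  use-cache-for-identification no;
}
"""

# Tokens are braces, semicolons, or runs of anything else (no quoted-string support).
_TOKEN_RE = re.compile(r"[{};]|[^\s{};]+")


def _parse_block(tokens: List[str], pos: int) -> Tuple[Dict[str, Any], int]:
    """Parse key/value and key { ... } entries until the matching '}' or end of input.

    Returns the mapping and the position just after the block.
    """
    node: Dict[str, Any] = {}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return node, pos + 1
        key, pos = tok, pos + 1
        if pos < len(tokens) and tokens[pos] == "{":
            child, pos = _parse_block(tokens, pos + 1)
            node[key] = child
        else:
            values: List[str] = []
            while pos < len(tokens) and tokens[pos] not in (";", "{", "}"):
                values.append(tokens[pos])
                pos += 1
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            node[key] = " ".join(values)
    return node, pos


def parse_panos_show(text: str) -> Dict[str, Any]:
    """Turn brace-style `show` output into nested dicts of string values."""
    tree, _ = _parse_block(_TOKEN_RE.findall(text), 0)
    return tree


def appid_cache_exposure(config: Dict[str, Any], panos_version: Tuple[int, int, int]) -> str:
    """Return "exposed" if the App-ID cache can still feed policy decisions, else "mitigated".

    Defaults follow the 5.0.2 release note: the cache itself is enabled unless
    `cache no` is set; before 5.0.2 an enabled cache is always consulted, from
    5.0.2 on `use-cache-for-identification` defaults to no.
    """
    app = config.get("application", config)  # accept the block with or without its wrapper
    cache_enabled = app.get("cache", "yes") != "no"
    default_use = "no" if panos_version >= (5, 0, 2) else "yes"
    used_for_policy = app.get("use-cache-for-identification", default_use) != "no"
    return "exposed" if cache_enabled and used_for_policy else "mitigated"


def remediation_command(config: Dict[str, Any], panos_version: Tuple[int, int, int]) -> str:
    """The CLI command from the release note for this release, or "" if already mitigated."""
    if appid_cache_exposure(config, panos_version) == "mitigated":
        return ""
    if panos_version < (5, 0, 2):
        return "set deviceconfig setting application cache no"
    return "set deviceconfig setting application use-cache-for-identification no"


if __name__ == "__main__":
    cfg = parse_panos_show(SAMPLE_SHOW_OUTPUT)
    for version in ((5, 0, 1), (5, 0, 2)):
        state = appid_cache_exposure(cfg, version)
        fix = remediation_command(cfg, version) or "(none needed)"
        print(f"PAN-OS {'.'.join(map(str, version))}: {state}; remediation: {fix}")
```

The check treats an absent knob as its release default, which is exactly the upgrade case raised in the first post: a 5.0.1 box with nothing set is "exposed", while the same settings on 5.0.2 are "mitigated" because use-cache-for-identification defaults to no there; the sample output, which sets it explicitly, is mitigated on both.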