The use of use-cache-for-identification introduced in PANOS 5.0.2?


L6 Presenter

According to the release note for PANOS 5.0.2 (released 2013-01-15):

"

47195 – When the App-ID cache feature was enabled in previous releases (enabled by default), it was possible to pollute the cache to allow some applications to pass through the firewall, even when a rule was set to block the application. If you are running an older version of PAN-OS, you can disable the application cache by running set deviceconfig setting application cache no until you can upgrade.

With this update, the App-ID cache will not be used in security policies by default. The following new CLI command has also been introduced to control whether or not the App-ID cache is used: set deviceconfig setting application use-cache-for-identification and is set to no by default.

For more information, please refer to the Security Advisory PAN-SA-2013-0001 at https://securityadvisories.paloaltonetworks.com/

"

What's the purpose of "use-cache-for-identification" compared to enabling/disabling the App-ID cache altogether?

According to comments in the security advisory found at the default of "no" for "use-cache-for-identification" in 5.0.2 seems to break things similarly to how disabling the App-ID cache on its own would (meaning some applications will be identified as unknown), while at the same time, if you didn't disable the App-ID cache in 5.0.1 and update to 5.0.2, the App-ID cache will remain active.

Accepted Solutions

L4 Transporter

Hi Mikand:


Before 5.0.2:

  • set deviceconfig setting application cache no
    • Completely disable Application Cache
  • set deviceconfig setting application cache yes (DEFAULT)
    • Completely enable Application Cache for all applications

5.0.2 and Later:

  • set deviceconfig setting application cache no
    • Completely disable Application Cache for all applications.  This impacts PBF and accuracy of heuristic apps (e.g. bittorrent)
  • set deviceconfig setting application cache yes (DEFAULT)
    • Enable Application Cache.  See next two commands for Application Cache behavior
  • set deviceconfig setting application use-cache-for-identification no (DEFAULT)
    • Application Cache only applies to certain applications that use it for proper App-ID (heuristics) and are not susceptible to poisoning (e.g. bittorrent)
  • set deviceconfig setting application use-cache-for-identification yes
    • Application Cache includes all applications (brings back old behavior)

The new default settings should keep the benefits of the Application Cache (increased App-ID accuracy and PBF) without the cache poisoning risk. Our testing has shown that with normal enterprise traffic patterns there is no significant performance difference when the Application Cache is disabled ("set deviceconfig setting application cache no" or "set deviceconfig setting application use-cache-for-identification no").

Cheers,

Kelly

Thanks! 🙂

L3 Networker

Does anybody know what the commands are to view the current settings?

Hello Quinton,

Once we have made changes, we can look at the details in configure mode:

samysu@SamySu# edit deviceconfig setting application
[edit deviceconfig setting application]
samysu@SamySu# show
application {
  notify-user yes;
  use-cache-for-identification no;
}
[edit deviceconfig setting application]

Hope this helps.

Works perfectly, thanks.
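The accepted answer above gives the decision table for the two knobs (`cache` and `use-cache-for-identification`) across PAN-OS versions, and the later reply shows what the configure-mode `show` output looks like. The following script ties the two together as an offline check a practitioner could run over captured `show` output: it parses the `key value;` lines, fills in the defaults the answer states, and reports whether the box is in the state that PAN-SA-2013-0001 describes as poisonable. This is an added example, not code from the thread or from Palo Alto Networks; it assumes the `show` output keeps the `application { key value; }` shape posted above, and the sample output and version strings are constructed for the demonstration.

```python
"""Evaluate PAN-OS App-ID cache settings for the cache-poisoning exposure
described in PAN-SA-2013-0001 (added example; not vendor code).

Assumptions: the configure-mode `show` output under
`edit deviceconfig setting application` has the `application { key value; }`
shape posted in the thread, and the version string is the PAN-OS release
number (e.g. "5.0.1", "5.0.2", "5.0.2-h1").
"""

import re
from dataclasses import dataclass

# Constructed sample: the `show` output posted in the thread, i.e. a device
# on 5.0.2 or later left at the new defaults.
SAMPLE_SHOW_OUTPUT = """\
application {
  notify-user yes;
  use-cache-for-identification no;
}
"""

# Defaults as stated in the accepted answer: `cache` is yes in every release;
# `use-cache-for-identification` exists only from 5.0.2 and defaults to no.
# A key absent from `show` output is at its default.
DEFAULTS = {"cache": "yes", "use-cache-for-identification": "no"}

_KV_RE = re.compile(r"^\s*([\w-]+)\s+(\S+?);\s*$")


def parse_show_output(text: str) -> dict:
    """Collect `key value;` lines from configure-mode `show` output."""
    settings = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_version(version: str) -> tuple:
    """Turn '5.0.2' or '5.0.2-h1' into a comparable tuple (5, 0, 2)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(n) for n in m.groups())


@dataclass
class CacheAssessment:
    cache_enabled: bool
    used_for_all_apps: bool    # pre-5.0.2 behaviour: cache drives App-ID for everything
    heuristic_apps_only: bool  # 5.0.2+ default: cache only for heuristic apps (e.g. bittorrent)
    poisoning_exposed: bool
    recommendation: str


def assess(version: str, settings: dict) -> CacheAssessment:
    """Apply the decision table from the accepted answer to one device."""
    ver = parse_version(version)
    cache_on = settings.get("cache", DEFAULTS["cache"]) == "yes"
    if not cache_on:
        return CacheAssessment(False, False, False, False,
            "cache disabled: no poisoning exposure, but PBF and heuristic App-ID accuracy suffer")
    if ver < (5, 0, 2):
        # Before 5.0.2 the only knob is cache yes/no; yes means all applications.
        return CacheAssessment(True, True, False, True,
            "upgrade to 5.0.2 or later; until then run "
            "'set deviceconfig setting application cache no'")
    use_for_id = settings.get("use-cache-for-identification",
                              DEFAULTS["use-cache-for-identification"]) == "yes"
    if use_for_id:
        # Old behaviour explicitly brought back on a patched release.
        return CacheAssessment(True, True, False, True,
            "run 'set deviceconfig setting application use-cache-for-identification no' and commit")
    return CacheAssessment(True, False, True, False,
        "at the 5.0.2+ defaults: cache kept for heuristic apps only")


if __name__ == "__main__":
    result = assess("5.0.2", parse_show_output(SAMPLE_SHOW_OUTPUT))
    print(result)
```

Note the two edge cases the thread raises: a device upgraded from 5.0.1 with `cache yes` still in its config is assessed as safe on 5.0.2 because `use-cache-for-identification` defaults to `no`, while a device where someone has set `use-cache-for-identification yes` on a patched release is flagged exactly like an unpatched one.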
