What happens when a previously unknown App-ID gets added to PA through dynamic updates? How are others handling this situation?

L4 Transporter

This is a situation that I brought up at work, that we don't really have an answer to. After I brought this situation up a couple of weeks ago, we actually had this exact problem bite us when an App-ID for SCEP was introduced.

Let's say there's a server in a DMZ VLAN that we have built rules for, using a Palo Alto firewall. Let's say that the app running on the DMZ server is simply identified as "web-browsing" - we know what the actual app is running on that server, but for the time being PA simply sees the app as "web-browsing."

We build rules around this app ID, we allow the Internet to access this DMZ server with that specific App-ID and deny any other traffic (it's in a DMZ... this is an expected need).

At some point in the future, the app ID on this server is identified and a signature is written, in a dynamic update. Let's say we let the firewalls dynamically update once a week.

When this app ID is identified with the new dynamic update, "web-browsing" will no longer apply and the traffic to this production DMZ server will end up being blocked because the app ID 'web-browsing' no longer works.

Does anyone have a sane workaround for this problem? If we start only allowing dynamic updates at specific "change control" windows, we'll stop getting threat updates, right? App-ID updates and threat updates are bundled together, right?


Accepted Solutions
L5 Sessionator

Even though it will require human intervention and going through the release notes, one possible workaround I can think of is to set a THRESHOLD on the Applications and Threats update schedule, if you want the content to update automatically but still have enough time to go through the release notes. That way, if for some reason you did not get a chance to go through the release notes, the content will still get updated.


Since we know that the content updates happen weekly, you can delay them with a threshold.

Antivirus: Daily

Applications and Threats: Weekly (Wednesday)

URL Filtering: Daily

Below is the doc which explains the same information as above for the update schedule.

https://live.paloaltonetworks.com/docs/DOC-2902

Hope this helps in some degree to provide you enough time to research on the new updates.

Thank you

Numan



All Replies
L3 Networker

Yes, you are correct in assuming that if you schedule the dynamic updates to be fetched and automatically installed only during the change control windows, then this problem will not be something to worry about, as you can make changes to your rules based on any updated app after having tested during the change control window.

Hope that helps.

L4 Transporter

If the concern is that PAN has identified a new app which you are already using but which was identified until now as "web-browsing", and after the new App update it is found as a new app, then it is natural to lose that traffic, as the rules would not permit it.

The best way to avoid this is to check our App updates (Application and Threat Content Release Notes) mail, which shares all the application details: modified apps, newly added apps, app decoder changes and so on. If something pertaining to your requirement is addressed there, you can check your rules and edit them if needed to pass the traffic before any content updates are made.
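The check the reply above describes (read the release notes, find the new App-IDs that were carved out of an app your rules name, fix the rules before the content installs) is mechanical enough to script against the DMZ scenario from the original question. The example below is added here and is not code from the thread or from Palo Alto Networks. It assumes two constructed inputs: a minimal security rulebase in the XML layout of a PAN-OS running-config export, and the "new applications" rows of a content release note reduced to the new App-ID plus the app it was previously identified as (the field name `previously_identified_as` is an assumption; the rule name, zone names, the `dmz-web-01` object and the `hypothetical-app` row are invented for illustration). The point of the output is the list of new App-IDs to add to each rule before the update installs, which is what keeps an "allow web-browsing to the DMZ server" rule working when a signature such as `scep` is introduced; deny rules that name the parent app are flagged as well, because they stop matching the newly identified traffic for the same reason.

```python
"""Flag security rules that may change behaviour when a content update
splits a new App-ID out of an application those rules name explicitly.

Added example, not from the original thread. Inputs are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: a minimal PAN-OS security rulebase in running-config layout.
RULEBASE_XML = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="inet-to-dmz-web">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <source><member>any</member></source>
    <destination><member>dmz-web-01</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="inet-to-dmz-dns">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <source><member>any</member></source>
    <destination><member>dmz-dns-01</member></destination>
    <application><member>dns</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-dmz-rest">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

# Constructed: rows lifted from the "new applications" table of a content
# release note. The key name is an assumption; what matters is the parent
# app each new signature was split from. 'hypothetical-app' is invented.
NEW_APPS = [
    {"name": "scep", "previously_identified_as": "web-browsing"},
    {"name": "hypothetical-app", "previously_identified_as": "ssh"},
]


def load_rules(xml_text):
    """Return [{name, applications, action}] for each security rule."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall(".//rulebase/security/rules/entry"):
        apps = [m.text for m in entry.findall("application/member")]
        action = entry.findtext("action", default="allow")
        rules.append({"name": entry.get("name"),
                      "applications": apps, "action": action})
    return rules


def split_map(new_apps):
    """Map parent app -> new App-IDs carved out of it by this update."""
    out = {}
    for app in new_apps:
        out.setdefault(app["previously_identified_as"], []).append(app["name"])
    return out


def affected_rules(rules, new_apps):
    """(rule name, action, parent app, new apps) for every rule that names a
    parent app explicitly. Rules with application 'any' keep matching the
    newly identified traffic, so they are skipped."""
    splits = split_map(new_apps)
    hits = []
    for rule in rules:
        if "any" in rule["applications"]:
            continue
        for parent in rule["applications"]:
            if parent in splits:
                hits.append((rule["name"], rule["action"],
                             parent, splits[parent]))
    return hits


def patched_applications(rule, new_apps):
    """Application list that preserves the rule's intent after the update:
    the original members plus each new App-ID split from one of them."""
    splits = split_map(new_apps)
    apps = list(rule["applications"])
    for parent in rule["applications"]:
        for new in splits.get(parent, []):
            if new not in apps:
                apps.append(new)
    return apps


if __name__ == "__main__":
    rules = load_rules(RULEBASE_XML)
    by_name = {r["name"]: r for r in rules}
    for name, action, parent, new in affected_rules(rules, NEW_APPS):
        print(f"rule {name!r} ({action}) names {parent!r}; "
              f"new App-IDs split from it: {new}")
        print(f"  applications before install: "
              f"{patched_applications(by_name[name], NEW_APPS)}")
```

Run this against the rulebase export and the release-notes rows before the threshold window expires, then push the widened application list (here `web-browsing, ssl, scep`) so the rule keeps passing traffic after the content installs. Whether `application-default` still covers the new app's standard port is a separate check against the new App-ID's definition.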

