08-12-2013 08:57 AM
This is a situation that I brought up at work that we don't really have an answer to. After I brought this situation up a couple of weeks ago, we actually had this exact problem bite us when an App-ID for SCEP was introduced.
Let's say there's a server in a DMZ VLAN that we have built rules for, using a Palo Alto firewall. Let's say that the app running on the DMZ server is simply identified as "web-browsing" - we know what the actual app is running on that server, but for the time being PA simply sees the app as "web-browsing."
We build rules around this app ID, we allow the Internet to access this DMZ server with that specific App-ID and deny any other traffic (it's in a DMZ... this is an expected need).
At some point in the future, the app ID on this server is identified and a signature is written, in a dynamic update. Let's say we let the firewalls dynamically update once a week.
When this app ID is identified with the new dynamic update, "web-browsing" will no longer apply and the traffic to this production DMZ server will end up being blocked because the app ID "web-browsing" no longer works.
Does anyone have a sane workaround for this problem? If we start only allowing dynamic updates at specific "change control" windows, we'll stop getting threat updates, right? App-ID updates and threat updates are bundled together, right?
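The failure mode described in the post, modelled as an added example (not from the original post or from Palo Alto Networks): a first-match policy with an allow rule for "web-browsing" and a catch-all deny, a flow that is re-identified as "scep" after a content update, and a pre-install check that flags allow rules whose App-ID a new signature splits traffic out of. The rule names, the `new_app_ids` table and its "previously identified as" values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    apps: set     # App-IDs the rule matches; {"any"} matches everything


def evaluate(rules, app):
    """First-match security policy evaluation for a flow already identified as `app`."""
    for rule in rules:
        if "any" in rule.apps or app in rule.apps:
            return rule.name, rule.action
    return "implicit-deny", "deny"


# Constructed stand-in for the DMZ policy in the post: allow web-browsing, deny the rest.
dmz_policy = [
    Rule("allow-dmz-web", "allow", {"web-browsing"}),
    Rule("deny-rest", "deny", {"any"}),
]

# Constructed stand-in for a content update's list of new App-IDs, keyed by the new
# App-ID and giving the app the same traffic was previously identified as.
new_app_ids = {
    "scep": "web-browsing",
    "example-new-app": "ssl",
}


def rules_at_risk(rules, new_app_ids):
    """Return (rule name, new App-ID) pairs where an allow rule matches an app that a
    new signature will carve traffic out of, so re-classified flows stop matching it."""
    at_risk = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for new_app, previously in new_app_ids.items():
            if previously in rule.apps and new_app not in rule.apps:
                at_risk.append((rule.name, new_app))
    return at_risk


if __name__ == "__main__":
    print("before update:", evaluate(dmz_policy, "web-browsing"))  # allow-dmz-web
    print("after update: ", evaluate(dmz_policy, "scep"))          # deny-rest
    print("rules to review before installing:", rules_at_risk(dmz_policy, new_app_ids))
```

Running `rules_at_risk` against a policy export and the new-App-ID list of a pending content release surfaces the rules to amend before the update is installed, rather than after production traffic is dropped.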