App-ID Cloud Engine Processing and Policy Usage
How firewalls download and use App-ID Cloud Engine (ACE) applications in Security policy.
When the firewall downloads App-ID Cloud Engine (ACE) App-IDs, it’s important to understand how the firewall handles them, including the case where a predefined content-based App-ID already exists for the same application. The Palo Alto Networks content team develops predefined content-based App-IDs and delivers modified and new App-IDs through application content updates (a valid support contract is required for updates).

ACE requires a SaaS Security Inline license. Firewalls that don’t support ACE have only predefined content-based App-IDs, and the ACE App-ID catalog doesn’t contain content-based App-IDs.

You can use ACE App-IDs only in Security policy rules; you cannot use them in any other type of policy rule.
- When the firewall first connects to ACE, it downloads a catalog of the available ACE App-IDs, and you can use those App-IDs in Security policy. The firewall does not download the full application signatures, only the catalog. The catalog enables you to specify ACE App-IDs in Security policy even if the applications have never been seen on the firewall. ACE pushes catalog updates to firewalls regularly so that firewalls have access to the latest ACE App-IDs.

  If an application arrives at the firewall that is identified as ssl or web-browsing and the firewall doesn’t have its signature, the firewall sends the payload to ACE. If ACE has a matching App-ID, ACE sends the full signature back to the firewall. If the traffic doesn’t match any ACE signature, ACE sends the payload to the Machine Learning (ML) engine. The ML engine analyzes the payload and develops a new App-ID in conjunction with the human content team. The ML engine sends the new App-ID to ACE, and requesting firewalls can download it and use it in Security policy.

  Because it can take several minutes to retrieve an App-ID from ACE, and longer if a new App-ID must be developed, cloud application detection is not inline on the firewall. The firewall does not wait for a verdict to process the application traffic; it processes the traffic as ssl or web-browsing until it receives an App-ID from ACE.
- When a firewall requests an App-ID from ACE, the firewall continues to process the traffic against the current rulebase until it receives an App-ID from ACE and the App-ID is applied in Security policy.
- The firewall handles ACE App-IDs differently than it handles App-IDs delivered by content updates. You don’t have to examine how new ACE App-IDs affect Security policy before they are installed on the firewall, because the firewall handles new ACE App-IDs according to your existing Security policy. Your existing Security policy rules control new ACE App-IDs until you explicitly use ACE App-IDs in Security policy. For example:
  - An application is identified only as “ssl” and you have a Security policy rule that allows SSL traffic, so the ssl rule allows that application.
  - The firewall sees an application identified as ssl and sends the payload to ACE.
  - ACE identifies the actual application. If the application exists in the ACE database, ACE sends its App-ID to the firewall. If it’s a new application without an ACE App-ID, ACE forwards the payload to the ML Engine, and the firewall does not receive the App-ID until the ML Engine and the human content team assign an App-ID and send it to ACE.
  - The rule that allows ssl traffic still allows the newly identified application, even though its App-ID is no longer “ssl”. (However, if you use the new ACE App-ID in Security policy, that policy controls the traffic. Similarly, traffic previously identified as web-browsing continues to obey the Security policy rules that control web-browsing traffic until you use the ACE App-IDs in Security policy.)

    The exception to this behavior is when another Security policy rule already specifies the App-ID that ACE assigns to the traffic. The Security policy rule with the specific App-ID takes precedence over the rule with the less specific ssl App-ID. For example, the firewall identifies an application as ssl and sends the payload to ACE to obtain the granular App-ID. ACE returns the App-ID “app-abc”. The firewall already has a Security policy rule that allows the App-ID “app-abc”, so the application’s traffic now matches that rule. If the rule that specifies the actual App-ID is a block rule, the application is blocked even though there is a rule that allows ssl traffic. The rule with the more specific (granular) App-ID is the one the firewall acts on.

  Until you explicitly add new ACE App-IDs to Security policy rules, the firewall controls them with the same rules that controlled those applications before they had ACE App-IDs, when they were identified as ssl or web-browsing traffic. For example, if the firewall sees an application identified as web-browsing and then receives an ACE App-ID for the traffic, but you don’t use that ACE App-ID in a Security policy rule, the firewall still controls that traffic using the rule that controls web-browsing traffic: if you block web-browsing traffic, the traffic is blocked, and if you allow web-browsing traffic, the traffic is allowed.
- The firewall caches some information so that it can avoid repeatedly sending data to the cloud and requesting verdicts. If the firewall is waiting for a verdict from ACE, it doesn’t forward the same application data twice.
- On the firewall, a particular container app and its functional applications are either all cloud-based App-IDs or all content-based App-IDs. One App-ID delivery method defines a container app and all of its functional apps.
- If cloud-based, content-provided, and user-defined custom App-ID names overlap, the order of precedence is:
  - Custom App-IDs take precedence over all other App-IDs. If the firewall attempts to download an ACE application with the same App-ID as a custom application, the commit fails, because two applications on the same firewall cannot have the same App-ID. In this case, you can rename the custom application, or, if the custom application is the same application as the ACE application, delete the custom application and use the ACE application.
  - Content-based, predefined App-IDs take precedence over ACE cloud App-ID definitions.
  - ACE cloud App-IDs have the lowest precedence: both custom and content-based App-IDs take precedence over ACE App-ID definitions.
- If an App-ID matches a container app, the firewall downloads the container app’s App-ID and all of its functional apps. For example, if the firewall retrieves the facebook container app, it also retrieves facebook-base, facebook-chat, facebook-post, and so on.
- When you take any of the following actions to add ACE App-IDs to Security policy rules, the firewall no longer matches the application traffic to the ssl or web-browsing rule; it matches the application traffic to the rule that controls the specific App-ID:
  - Create Application Filters to automate adding ACE App-IDs to Security policy rules. When a new App-ID matches an Application Filter, the firewall automatically adds it to the filter. When you use that Application Filter in a Security policy rule, the rule controls the application traffic for the new App-IDs that were automatically added to the filter. Application Filters are your “Easy Button” for securing ACE App-IDs automatically, gaining maximum application visibility and control with minimum effort.
  - Add ACE App-IDs to Application Groups.
  - Use Policy Optimizer to add ACE App-IDs to a cloned rule, to an existing rule, or to an existing Application Filter or Application Group. You can also create new Application Filters and Application Groups directly from within the Policy Optimizer tool. Use Policy Optimizer’s sorting and filtering tools to prioritize the rules to work on and to assess how many ACE App-IDs match those rules.
  - Add an ACE App-ID directly to a new or existing Security policy rule.

  When you add a cloud App-ID to a Security policy rule directly or by using an Application Filter or an Application Group, that rule controls the application.
- When you create Application Filters, exclude ssl and web-browsing from the filters. Together, ssl and web-browsing match all browser-based cloud applications, so an Application Filter that includes ssl and web-browsing matches all browser-based cloud applications.
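The matching behavior described in the bullets above (the ssl or web-browsing rule keeps controlling traffic until some rule names the ACE App-ID, either directly or through an Application Filter that auto-added it, and a filter that includes ssl or web-browsing swallows every browser-based cloud app) as a small Python model. This is an added example, not Palo Alto Networks code: the rule names, the App-IDs app-def and app-xyz, the category labels and the filter definition are constructed here, and the two-step lookup is a simplification of the firewall's rulebase evaluation that follows the page's description.

```python
"""Model of how the firewall chooses the Security policy rule for a flow while an
App-ID Cloud Engine (ACE) verdict is pending, returned but unused in policy, or
referenced by a rule directly or through an Application Filter.

Added example, not Palo Alto Networks code. The rule names, the App-IDs app-def and
app-xyz, the category labels and the filter are constructed; the lookup order follows
the page's description and is a simplification of the firewall's rulebase evaluation.
"""
from dataclasses import dataclass, field

# App-IDs the firewall assigns before, or instead of, a granular ACE verdict.
GENERIC = {"ssl", "web-browsing"}

# Constructed catalog: App-ID -> category. ssl and web-browsing are content-based;
# the app-* entries stand in for ACE catalog entries.
CATALOG = {
    "ssl": "networking", "web-browsing": "general-internet",
    "app-abc": "collaboration", "app-def": "collaboration", "app-xyz": "file-sharing",
}


@dataclass
class AppFilter:
    """Application Filter: the firewall auto-adds every catalog App-ID whose category matches."""
    name: str
    categories: set
    members: set = field(default_factory=set)

    def refresh(self, catalog):
        self.members = {app for app, cat in catalog.items() if cat in self.categories}


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    apps: set = field(default_factory=set)        # App-IDs named directly in the rule
    filters: list = field(default_factory=list)   # AppFilter objects attached to the rule

    def references(self, app_id):
        return app_id in self.apps or any(app_id in f.members for f in self.filters)


def match_rule(rules, generic_app, ace_app=None):
    """Pick the controlling rule.

    generic_app: the initial identification (ssl or web-browsing).
    ace_app:     the granular App-ID from ACE, or None while the verdict is pending.
    A rule that names the ACE App-ID (directly or via a filter) wins, in rulebase order;
    otherwise the rule that controls the generic App-ID keeps controlling the traffic.
    """
    if ace_app is not None:
        for rule in rules:
            if rule.references(ace_app):
                return rule
    for rule in rules:
        if rule.references(generic_app):
            return rule
    return None


def decide(rules, generic_app, ace_app=None):
    """Return (rule name, action); no match falls through to the implicit deny."""
    rule = match_rule(rules, generic_app, ace_app)
    return (rule.name, rule.action) if rule else ("implicit-deny", "deny")


def filter_is_too_broad(app_filter):
    """Caveat from the page: a filter that pulls in ssl or web-browsing matches every
    browser-based cloud application, not just the ACE App-IDs you meant to control."""
    return bool(app_filter.members & GENERIC)


def build_rulebase():
    sharing = AppFilter("ace-file-sharing", categories={"file-sharing"})
    sharing.refresh(CATALOG)                      # auto-adds app-xyz
    return [
        Rule("block-abc", "deny", apps={"app-abc"}),
        Rule("block-file-sharing", "deny", filters=[sharing]),
        Rule("allow-ssl", "allow", apps={"ssl"}),
        Rule("allow-web", "allow", apps={"web-browsing"}),
    ]


if __name__ == "__main__":
    rules = build_rulebase()
    print(decide(rules, "ssl"))                      # verdict pending: ssl rule controls
    print(decide(rules, "ssl", "app-def"))           # ACE App-ID unused in policy: ssl rule still controls
    print(decide(rules, "ssl", "app-abc"))           # a rule names app-abc: that block rule wins
    print(decide(rules, "web-browsing", "app-xyz"))  # app-xyz auto-added to the filter: filter rule wins
    broad = AppFilter("too-broad", categories={"general-internet"})
    broad.refresh(CATALOG)
    print(filter_is_too_broad(broad))                # True: the filter swallowed web-browsing
```

The four `decide` calls walk through the page's example in order: pending verdict, verdict returned but unreferenced, verdict matching a direct rule, and verdict matching a rule through an Application Filter. The last check shows why the page tells you to exclude ssl and web-browsing from filters: a category that contains web-browsing makes the filter match all browser-based traffic.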
- Active/Passive High Availability:
  - The active firewall syncs the ACE catalog to the passive firewall so that they have identical catalogs.
  - The passive firewall does not initiate connections to ACE until it becomes the active firewall.
- Active/Active High Availability: Each device fetches catalogs and signatures separately, so the catalogs and signatures are not synced. However, commits fail if the catalog is out of sync on the peers and ACE App-IDs are referenced in Security policy rules. If the catalogs of peer HA firewalls are out of sync, wait a few minutes for the updates to reach the devices and bring them back in sync.
- A Panorama commit all/push to managed firewalls fails if:
  - Managed firewalls do not have a valid SaaS Security Inline license and therefore do not have the ACE catalog. In this case, remove the ACE objects from the pushed configuration and try again.
  - The connection between a managed firewall and ACE goes down and the pushed configuration includes applications that are not in the ACE catalog on the firewall. In this case, check the firewall connection to the ACE cloud and re-establish the connection if necessary so that the firewall can update its catalog. The operational CLI command show cloud-appid connection-to-cloud shows the cloud connection status and the ACE cloud server URL.
  - The ACE catalog on Panorama and the ACE catalog on the managed firewalls are out of sync, which results in pushed configurations that include ACE apps that are not in the firewall’s catalog. If the connection between the firewall and ACE is up, the outdated catalog updates automatically within the next few minutes and resolves the issue (wait five minutes and try again). You can also update the catalog manually with the CLI command debug cloud-appid cloud-manual-pull check-cloud-app-data.
- Some Security profiles, such as File Blocking, Antivirus, WildFire, and DLP profiles, can specify applications as part of the profile. Only content-provided App-IDs are supported in Security profiles; ACE App-IDs are not. ACE App-IDs are intended for use in Security policy rules only.
- Because ACE App-IDs are supported only in Security policy, they are not supported in Application Override, Policy-Based Forwarding (PBF), QoS, or SD-WAN policy rules. ACE App-IDs are not visible in Application Override or PBF rule configuration. However, ACE App-IDs are visible (and selectable) in QoS and SD-WAN policy rule configuration and may be present in Application Groups or Application Filters applied to such a rule. If you use ACE App-IDs in these rules, the rules have no effect on the application traffic: the firewall does not apply them to the ACE App-ID traffic even though the ACE App-IDs were added to the rule.
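A pre-commit lint that models the conditions listed above: the name-precedence rules (custom over content over ACE, with a commit failure when a custom App-ID collides with an ACE App-ID), the container-app family that is fetched as one unit, the Panorama push failures when a managed firewall has no license or its catalog lacks a pushed ACE App-ID, and the rule types where ACE App-IDs are accepted but never enforced. This is an added Python example, not Palo Alto Networks code and not the firewall's own commit logic; the catalogs, the cloudapp container and its functional apps, app-shared, and the rule records are constructed, and only the two CLI command names quoted in the messages come from the page.

```python
"""Pre-commit checks for a configuration that references App-ID Cloud Engine (ACE)
App-IDs, modelled on the commit-failure and unsupported-usage conditions on this page.

Added example, not Palo Alto Networks code and not the firewall's own commit logic.
Catalogs, App-ID names and rule records are constructed for illustration.
"""

# Rule and profile types where ACE App-IDs are not enforced (page: Security policy only).
NON_SECURITY_CONTEXTS = {"application-override", "pbf", "qos", "sd-wan", "security-profile"}


def resolve_app_ids(custom, content, ace):
    """Merge the three App-ID sources with the precedence custom > content > ACE.

    A name present in both the custom set and the ACE catalog is a commit failure
    (two applications on one firewall cannot share an App-ID); a content-based
    App-ID simply shadows an ACE definition with the same name.
    Returns (resolved: {name: source}, errors: [str]).
    """
    resolved = {name: "custom" for name in custom}
    errors = []
    for name in content:
        resolved.setdefault(name, "content")
    for name in ace:
        if name in custom:
            errors.append(f"commit failure: custom App-ID {name!r} collides with an ACE App-ID")
        resolved.setdefault(name, "ace")
    return resolved, errors


def fetch_family(ace_catalog, app):
    """Retrieving a container app or any of its functional apps brings the whole family,
    because one delivery method defines a container app and all of its functional apps.
    ace_catalog maps each App-ID to its container App-ID, or None for a container/standalone app."""
    container = ace_catalog[app] or app
    return {name for name, parent in ace_catalog.items() if name == container or parent == container}


def check_push(pushed_ace_apps, firewall_catalog, licensed=True):
    """Conditions under which a Panorama push of ACE objects fails on a managed firewall."""
    if not licensed:
        return ["push failure: firewall has no SaaS Security Inline license and therefore "
                "no ACE catalog; remove ACE objects from the pushed configuration"]
    missing = sorted(set(pushed_ace_apps) - set(firewall_catalog))
    if missing:
        return [f"push failure: ACE App-IDs {missing} are not in the firewall catalog; "
                "check 'show cloud-appid connection-to-cloud' and retry once the catalog updates "
                "(or pull it with 'debug cloud-appid cloud-manual-pull check-cloud-app-data')"]
    return []


def check_rule_usage(rules, resolved):
    """Warn where ACE App-IDs sit somewhere other than a Security policy rule."""
    warnings = []
    for rule in rules:
        ace_apps = sorted(a for a in rule["apps"] if resolved.get(a) == "ace")
        if ace_apps and rule["type"] in NON_SECURITY_CONTEXTS:
            warnings.append(f"{rule['type']} {rule['name']!r} references ACE App-IDs {ace_apps}; "
                            "they are not enforced outside Security policy")
    return warnings


# Constructed inputs: container 'cloudapp' with two functional apps, 'app-abc' (also defined
# as a custom App-ID, so the commit fails) and 'app-shared' (also content-based, so content wins).
ACE_CATALOG = {"cloudapp": None, "cloudapp-base": "cloudapp", "cloudapp-chat": "cloudapp",
               "app-abc": None, "app-shared": None}
CONTENT_APPS = {"ssl", "web-browsing", "app-shared"}
CUSTOM_APPS = {"app-abc"}
RULES = [
    {"name": "allow-cloudapp", "type": "security", "apps": ["cloudapp"]},
    {"name": "shape-cloudapp", "type": "qos", "apps": ["cloudapp"]},
]


def lint(custom, content, ace, rules, pushed, firewall_catalog, licensed=True):
    """Run every check and collect hard errors (commit/push fails) and warnings (no effect)."""
    resolved, errors = resolve_app_ids(custom, content, ace)
    errors += check_push(pushed, firewall_catalog, licensed)
    return {"resolved": resolved, "errors": errors, "warnings": check_rule_usage(rules, resolved)}


if __name__ == "__main__":
    # A managed firewall whose catalog has not yet received cloudapp-base (catalog out of sync).
    report = lint(CUSTOM_APPS, CONTENT_APPS, ACE_CATALOG, RULES,
                  pushed=["cloudapp", "cloudapp-base"], firewall_catalog=["cloudapp"])
    for line in report["errors"] + report["warnings"]:
        print(line)
```

Errors correspond to conditions the page says make a commit or push fail (fix the configuration or wait for the catalog to resync); warnings correspond to placements the firewall accepts but ignores, which are worth catching before an operator assumes a QoS or SD-WAN rule is shaping the cloud application.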