
App-ID Cloud Engine

Learn how App-IDs identify unknown SaaS applications.
This feature requires the SaaS Security add-on license for your platform.
App-ID Cloud Engine (ACE) is a service that enables the downloading of App-IDs for unknown SaaS applications from the cloud. ACE converts unknown applications to known applications, vastly increases the number of known App-IDs, speeds up the availability and delivery of new App-IDs, and dramatically increases visibility into applications. App-IDs make it possible to take action (enforce policy) on the SaaS apps you define in SaaS policy rule recommendations.
ACE requires a SaaS Security Inline license. Additionally, on NGFW and Panorama Managed Prisma Access you must enable ACE. However, with a SaaS Security Inline license, ACE is enabled by default on Cloud Managed Prisma Access.
Traditional, content-delivered App-ID delivers new applications only once per month, and you need to analyze the new App-IDs before you install them to understand changes that they may make to Security policy rules. The monthly cadence and the need for analysis slow down the adoption of new App-IDs in policy. ACE changes that scenario by providing on-demand App-IDs for SaaS applications identified as ssl, web-browsing, unknown-tcp, and unknown-udp.
Cloud-delivered App-IDs provide specific identification of ssl, web-browsing, unknown-tcp, and unknown-udp applications, which enables you to understand them and control them appropriately in SaaS Security policy. However, cloud-delivered App-IDs do not identify other types of public applications and do not identify private and custom applications.
Cloud App-IDs do not force you to examine how the new App-IDs affect Security policy because the firewall uses them according to previously existing Security policy until you do one of the following:
  • Create Application Filters on Cloud Managed Prisma Access. Use Application Filters as often as possible to automate adding new cloud-delivered App-IDs to Security policy rules. When a new App-ID matches an Application Filter, it is automatically added to the filter. When you use an Application Filter in a Security policy rule, the rule automatically controls the application traffic for App-IDs that have been added to the filter. In other words, Application Filters are your “Easy Button” for securing cloud-delivered App-IDs automatically to gain maximum visibility and control with minimum effort.
  • Add the App-IDs to Application Groups.
  • Use Policy Optimizer on Cloud Managed Prisma Access or Policy Optimizer on NGFW and Panorama Managed Prisma Access to add the App-IDs to a cloned rule or to an existing rule, or to an existing Application Filter or Application Group. You can also use Policy Optimizer to create new Application Filters and Application Groups directly from within the Policy Optimizer tool.