Create a security policy rule that allows critical App-IDs
(like authentication or software development applications) as they’re
installed. This gives you the flexibility to get the latest threat
prevention without worrying about how the accompanying new App-IDs
impact security policy enforcement.

New App-IDs can change policy enforcement for traffic that is
newly identified as belonging to a certain application.
To mitigate any impact on security policy enforcement, you can use
the New App-ID characteristic in a security
policy rule so that the rule always enforces the most recently introduced
App-IDs without requiring configuration changes when
new App-IDs are installed. The New App-ID characteristic always
matches only the new App-IDs in the most recently installed content
releases. When a new content release is installed, the New App-ID
characteristic automatically begins to match only the new App-IDs
in that content release version.

You can choose to enforce
all new App-IDs, or target the security policy rule to enforce certain
types of new App-IDs that might have network-wide or critical impact
(for example, enforce only authentication or software development
applications). Set the security policy rule to Allow to
ensure that even if an App-ID release introduces expanded or more
precise coverage for critical applications, the firewall continues
to allow them.

New App-IDs are released monthly, so a policy
rule that allows the latest App-IDs gives you a month’s time (or,
if the firewall is not installing content updates on a schedule,
until the next time you manually install content) to assess how
newly categorized applications might impact security policy enforcement
and make any necessary adjustments.
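
The re-scoping behavior described above, as an added example that is not part of the original documentation and is not firewall configuration: a simplified Python model that follows one application's verdict across two content installs. The application names, types, rule names, the `generic-web` parent label and the final deny are all assumptions made for illustration.

```python
# Simplified model of the "New App-ID" characteristic; not PAN-OS code.
# App names, types and rule names are constructed for illustration.
CRITICAL_TYPES = {"authentication", "software-development"}

class Firewall:
    def __init__(self):
        self.known = {}      # App-ID name -> type, across all installed releases
        self.newest = set()  # App-IDs introduced by the latest installed release

    def install_content(self, new_apps):
        """Installing a release re-scopes 'new' to that release's App-IDs only."""
        self.known.update(new_apps)
        self.newest = set(new_apps)

    def identify(self, app):
        """Traffic with no specific App-ID yet is seen as a broad parent (assumed name)."""
        return app if app in self.known else "generic-web"

    def evaluate(self, app):
        """Top-down, first-match rule evaluation; the final deny is an assumption."""
        app_id = self.identify(app)
        # Rule 1: allow new App-IDs of critical types (the rule this page recommends).
        if app_id in self.newest and self.known[app_id] in CRITICAL_TYPES:
            return "allow-new-critical", "allow"
        # Rule 2: pre-existing rule that allows the broad parent application.
        if app_id == "generic-web":
            return "allow-generic-web", "allow"
        return "default", "deny"

def simulate():
    """Track verdicts for the same traffic before and after two content installs."""
    fw = Firewall()
    timeline = [("before", fw.evaluate("example-sso"))]
    fw.install_content({"example-sso": "authentication",
                        "example-chat": "collaboration"})
    timeline.append(("release-1", fw.evaluate("example-sso")))
    timeline.append(("release-1-chat", fw.evaluate("example-chat")))
    fw.install_content({"example-git": "software-development"})
    timeline.append(("release-2", fw.evaluate("example-sso")))
    return timeline

if __name__ == "__main__":
    for stage, verdict in simulate():
        print(stage, verdict)
```

In this model `example-sso` stays allowed through the first release and then falls to the default once the second release is installed, which is the assessment window the last paragraph describes: a permanent rule for the application has to exist before the next content install.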