Update on the App-ID cache pollution issue

Category: Uncategorized

March 2013 update: I wanted give you all an update to the App-ID cache pollution issue that was discovered earlier this year. First off, we should have managed this issue more effectively – we learned from the experience and we will be customer-focused in our comments moving forward. As promised back in January, the App-ID cache function in PAN-OS is no longer used for security policy.

  • PAN-OS 5.0.2 and subsequent releases posted to support site on or after January 15, 2013.
  • PAN-OS 4.1.11 and subsequent releases posted to support site on or after February 6, 2013.

We still recommend that you use the following security policy best-practices:

  • For applications that you are enabling, you should assign a specific port (default or custom).
  • For applications that you explicitly want to block, expand the policy to any port, to maximize the identification footprint.

For any further updates, please work with your local Palo Alto Networks sales team and channel partner.


1 Reader Comment

  1. So you are saying application ports do matter? Nir and the entire marketing of the company has been ports don’t matter. A little bait and switch?!

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.