Update on the App-ID cache pollution issue

2,023 people reacted 0 1 min. read


Category: Uncategorized


March 2013 update: I wanted give you all an update to the App-ID cache pollution issue that was discovered earlier this year. First off, we should have managed this issue more effectively – we learned from the experience and we will be customer-focused in our comments moving forward. As promised back in January, the App-ID cache function in PAN-OS is no longer used for security policy.

  • PAN-OS 5.0.2 and subsequent releases posted to support site on or after January 15, 2013.
  • PAN-OS 4.1.11 and subsequent releases posted to support site on or after February 6, 2013.

We still recommend that you use the following security policy best-practices:

  • For applications that you are enabling, you should assign a specific port (default or custom).
  • For applications that you explicitly want to block, expand the policy to any port, to maximize the identification footprint.

For any further updates, please work with your local Palo Alto Networks sales team and channel partner.


1 Reader Comment

  1. Avatar

    So you are saying application ports do matter? Nir and the entire marketing of the company has been ports don’t matter. A little bait and switch?!

Got something to say?