Update on the App-ID cache pollution issue

March 2013 update: I wanted give you all an update to the App-ID cache pollution issue that was discovered earlier this year. First off, we should have managed this issue more effectively – we learned from the experience and we will be customer-focused in our comments moving forward. As promised back in January, the App-ID cache function in PAN-OS is no longer used for security policy.

• PAN-OS 5.0.2 and subsequent releases posted to support site on or after January 15, 2013.
• PAN-OS 4.1.11 and subsequent releases posted to support site on or after February 6, 2013.

We still recommend that you use the following security policy best-practices:

• For applications that you are enabling, you should assign a specific port (default or custom).
• For applications that you explicitly want to block, expand the policy to any port, to maximize the identification footprint.

For any further updates, please work with your local Palo Alto Networks sales team and channel partner.

Nir