Review New App-IDs
Review new App-ID signatures introduced in a Applications and/or Threats content update. For each new application signature introduced, you can preview the App-ID details, including a description of the application identified by the App-ID, other existing App-IDs that the new signature is dependent on (such as SSL or HTTP), and the category the application traffic received before the introduction of the new App-ID (for example, an application might be classified as web-browsing traffic before a App-ID signature is introduced that uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review the App-ID signature impact on existing policy enforcement. When new application signatures are introduced, the newly-identified application traffic might no longer match to policies that previously enforced the application. Reviewing the policy impact for new application signatures enables you to identify the policies that will no longer enforce the application when the new App-ID is installed.
After downloading a new content release version, review the new App-IDs included in the content version and assess the impact of the new App-IDs on existing policy rules:
Review New App-IDs Since Last Content Version
Review New App-IDs Available Since the Last Installed Content Release Version
Select Device > Dynamic Updates and select Check Now to refresh the list of available content updates.
Download the latest Applications and Threats content update. When the content update is downloaded, an Apps link will appear in the Features column for that content update.
Click the Apps link in the Features column to view details on newly-identified applications:
A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall, to the selected Content Version. App-ID details that you can use to assess possible impact to policy enforcement include: Depends on —Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled. Previously Identified As —Lists the App-IDs that matched to the application before the new App-ID was installed to uniquely identify the application. App-ID Enabled —All App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs). Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.
Next Steps... Disable or Enable App-IDs. Prepare Policy Updates for Pending App-IDs.
Review New App-ID Impact on Existing Policy Rules
Review the Impact of New App-ID Signatures on Existing Policy Rules
Select Device > Dynamic Updates.
You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version, and click the Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).
Select a new App-ID from the Application drop-down to view policy rules that currently enforce the application. The rules displayed are based on the applications signatures that match to the application before the new App-ID is installed (view application details to see the list of application signatures that an application was Previously Identified As before the new App-ID).
Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application. You can continue to Prepare Policy Updates for Pending App-IDs, or you can directly add the new App-ID to policy rules that the application was previously matched to by continuing to use the policy review dialog. In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe-cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show what policy rules will be affected when the new App-ID is installed. In this example, the rule Allow SSL App currently enforces SSL traffic. To continue to allow adobe-cloud traffic when it is uniquely identified, and no longer identified as SSL traffic.
Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to your existing security requirements when the App-ID is installed. In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer identified as SSL traffic, add the new App-ID to the security policy rule Allow SSL App.
The policy rule updates take effect only when the application updates are installed.
Next Steps... Disable or Enable App-IDs. Prepare Policy Updates for Pending App-IDs.

Related Documentation