App-ID Cloud Engine
Learn how App-IDs identify unknown SaaS apps.
Where Can I Use This?
- NGFW (Managed by Panorama or Strata Cloud Manager)
- Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
- SaaS Security Inline license
- NGFW or Prisma Access license
Or any of the following licenses that include the SaaS Security Inline license:
App-ID Cloud Engine (ACE) is a service that enables the downloading of App-IDs for
unknown SaaS apps from the cloud. ACE converts unknown apps to known apps, vastly
increases the number of known App-IDs, speeds up the availability and delivery of new
App-IDs, and dramatically increases visibility into apps. App-IDs make it possible to
take action (enforce policy) on the SaaS apps you define in SaaS policy rule
recommendations.
ACE requires a SaaS Security Inline license. Additionally, on NGFW and Prisma Access
(Managed by Panorama) you must enable ACE. However, with a SaaS Security Inline license,
ACE is enabled by default on Prisma Access (Managed by Strata Cloud Manager).
Traditional, content-delivered App-ID delivers new apps only once per month, and you
need to analyze the new App-IDs before you install them to understand changes that they
might make to Security policy rules. The monthly cadence and need for analysis slow
down the adoption of new App-IDs in policy. ACE changes that scenario by providing
on-demand App-IDs for SaaS apps identified as ssl, web-browsing, unknown-tcp, and
unknown-udp.
Cloud-delivered App-IDs provide specific identification of ssl, web-browsing,
unknown-tcp, and unknown-udp apps, which enables you to understand them and control
them appropriately in SaaS Security policy. However, cloud-delivered App-IDs don’t
identify other types of public apps and don’t identify private and custom apps.
Cloud App-IDs don’t force you to examine how the new App-IDs affect Security policy
because the firewall uses them according to previously existing Security policy until
you do one of the following:
- Create Application Filters on Prisma Access (Managed by Strata Cloud Manager)
or Application Filters on Prisma Access (Managed by Panorama). Use application
filters as often as possible to automate adding
new cloud-delivered App-IDs to Security policy rules. When a new App-ID matches an
application filter, it's automatically added to the filter. When you use an
application filter in a Security policy rule, the rule automatically controls the
application traffic for App-IDs that have been added to the filter. In other words,
application filters are your “Easy Button” for securing cloud-delivered App-IDs
automatically to gain maximum visibility and control with minimum effort.
- Add the App-IDs to application groups.
- Use the Policy Optimizer on Prisma Access (Managed by Strata Cloud Manager) or
Policy Optimizer on NGFW and Prisma Access (Managed by Panorama) to add the App-IDs
to a cloned
rule or to an existing rule, or to an existing application filter or application
group. You can also use Policy Optimizer to create new application filters and
application groups directly from within the Policy Optimizer tool.
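
A simplified model of the behavior described in the list above, added here as an illustration and not Palo Alto Networks code: a rule that references an application filter picks up a newly delivered cloud App-ID on its own, while a rule built on a static list keeps handling that traffic under the existing policy until someone adds the App-ID. The `category` and `risk` attributes, the fallback to a base App-ID, the implicit deny, and all app and rule names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppID:
    name: str
    base: str       # generic App-ID the traffic matched before (e.g. "ssl")
    category: str   # assumed attribute a filter can select on
    risk: int       # assumed attribute a filter can select on

@dataclass(frozen=True)
class AppFilter:
    category: str
    min_risk: int
    def matches(self, app: AppID) -> bool:
        return app.category == self.category and app.risk >= self.min_risk

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    apps: frozenset = frozenset()   # static names: direct entries or a group
    filters: tuple = ()             # dynamic: membership computed from attributes
    def references(self, app_name: str, catalog: dict) -> bool:
        app = catalog.get(app_name)
        return app_name in self.apps or (
            app is not None and any(f.matches(app) for f in self.filters))

def evaluate(rules, app_name, catalog):
    """Return (rule, action); an unreferenced cloud App-ID is handled as its base App-ID."""
    app = catalog.get(app_name)
    for candidate in (app_name, app.base if app else None):
        for rule in rules:
            if candidate and rule.references(candidate, catalog):
                return rule.name, rule.action
    return "default", "deny"        # model's implicit deny when nothing matches

# Constructed sample data: names, attributes and rules are illustrative only.
FILTER_RULES = [Rule("block-risky-sharing", "deny", filters=(AppFilter("file-sharing", 4),)),
                Rule("allow-web", "allow", apps=frozenset({"ssl", "web-browsing"}))]
GROUP_RULES = [Rule("block-known-sharing", "deny", apps=frozenset({"known-share"})),
               Rule("allow-web", "allow", apps=frozenset({"ssl", "web-browsing"}))]
NEW_APP = AppID("example-share", base="ssl", category="file-sharing", risk=4)

if __name__ == "__main__":
    catalog = {NEW_APP.name: NEW_APP}                        # after the cloud App-ID arrives
    print(evaluate(FILTER_RULES, "ssl", {}))                 # before delivery: seen as ssl
    print(evaluate(FILTER_RULES, "example-share", catalog))  # filter rule takes over
    print(evaluate(GROUP_RULES, "example-share", catalog))   # static list: policy unchanged
```

In the static-list case the traffic stays on the ssl allow rule, which is the gap to look for when auditing rules that rely only on application groups.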