App-ID changes to Google apps
On 01-December-2015, Palo Alto Networks added a new App-ID named 'google-base,' intended to simplify the safe enablement of Google apps and streamline policy configuration. Follow the FAQ below to learn more about this change and its impact on existing firewall policies. Please see the link to the Discussion forum following this article if you have questions.
Frequently Asked Questions
Q: Why is Palo Alto Networks making this change?
A: Currently, to safely enable Google apps, our customers are required to permit access to dependent App-IDs, 'ssl' and 'web-browsing.' With this change, customers are no longer required to explicitly permit these dependent apps. A new App-ID named 'google-base' will selectively identify baseline services used by all Google apps.
Q: How am I affected by this change?
A: To take advantage of this new capability, firewall policies need to be updated. Instead of allowing 'ssl' and 'web-browsing' as dependent apps, the updated policy must permit the 'google-base' App-ID. A sample policy is outlined below, which demonstrates the safe enablement of Google Calendar, Gmail, YouTube, and Google Maps with the new 'google-base' App-ID.
Q: How do I guarantee operational continuity to safely enable Google apps?
A: Palo Alto Networks added the 'google-base' App-ID to our application catalog the first week of November 2015. This App-ID, delivered as a placeholder, allows our customers to make any necessary policy changes to their firewalls ahead of time.
This placeholder App-ID will not affect firewall policy processing, or any existing App-ID driven rules. A sample of a transitional policy is illustrated below:
Palo Alto Networks replaced the placeholder application with the formal 'google-base' App-ID the first week of December 2015.
To facilitate this transition, Palo Alto Networks intends to follow the timeline outlined below:
- 20-October-2015 – Palo Alto Networks announces a timeline for upcoming changes to the way Google apps will be handled by the firewall.
- Week of 02-November-2015 – Palo Alto Networks delivered a placeholder 'google-base' App-ID with the weekly Content Apps and Threats update. This can be used to safely update firewall policies and prepare for the announced changes.
- Week of 01-December-2015 – Palo Alto Networks delivered the formal 'google-base' App-ID with the weekly Content Apps and Threats update. With this update, the 'google-base' App-ID is fully operational and obviates the need to selectively enable 'ssl' and 'web-browsing' as dependent applications. In other words, for any Google applications to work, 'google-base' has to be allowed in the security rulebase.
Q: When should I expect this change to appear in Applications and Threats Dynamic Updates?
A: Palo Alto Networks delivered the fully operational 'google-base' App-ID with the Content Apps and Threats update on 01-December-2015.
Q: What happens if I do not add google-base as an allowed application but only have "ssl" and "web-browsing" allowed in firewall policies?
A: If you do not have 'google-base' allowed, Google applications will not work. Beginning Dec 1, 2015, 'google-base' must be allowed for any Google applications to work.
Q: What versions of PAN-OS software will be affected by this change?
A: All currently supported versions of PAN-OS software that are updated to a version of Content Apps and Threats update delivered on or beyond 01-December-2015 may be affected by this change.
Q: What is the list of applications that require 'google-base'?
A: The list of applications requiring 'google-base' can be found here: List of applications that require google-base.
Q: Do I need to enable SSL decryption to identify the 'google-base' app?
A: No, SSL decryption is not required for identifying the 'google-base' app itself. However, SSL decryption is still required for any Google application running over SSL, like Gmail.
Q: Will allowing 'google-base' App-ID also allow other Google apps like youtube-base, gmail-base, etc.?
A: No. Any other Google apps, like youtube-base and gmail-base, have to be enabled individually based on your security policy settings.
Palo Alto Networks urges all customers to review their firewall policies, and use the placeholder App-ID to make any necessary changes before 01-December-2015.
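One way to carry out that review, as an added example that is not Palo Alto Networks' own tooling: the script below scans security rules for allow rules that permit a Google app but not 'google-base'. It assumes the rules are available as a `<rules>` element in the PAN-OS XML rule layout; the sample rulebase is constructed, and the set of dependent apps contains only the two App-IDs this article names, so extend it from the vendor's list.

```python
import xml.etree.ElementTree as ET

# Apps this article names as depending on google-base (assumed partial list).
GOOGLE_APPS = {"gmail-base", "youtube-base"}
# Dependencies that were required before the change.
LEGACY_DEPS = {"ssl", "web-browsing"}

# Constructed sample rulebase, not a real export.
SAMPLE = """
<rules>
  <entry name="legacy-google">
    <application><member>gmail-base</member><member>ssl</member>
      <member>web-browsing</member></application>
    <action>allow</action>
  </entry>
  <entry name="updated-google">
    <application><member>youtube-base</member><member>google-base</member></application>
    <action>allow</action>
  </entry>
  <entry name="allow-any">
    <application><member>any</member></application><action>allow</action>
  </entry>
  <entry name="block-mail">
    <application><member>gmail-base</member></application><action>deny</action>
  </entry>
</rules>
"""

def audit(xml_text, google_apps=GOOGLE_APPS):
    """Return allow rules that permit Google apps without google-base."""
    rules = []
    for entry in ET.fromstring(xml_text).findall("./entry"):
        apps = {m.text.strip() for m in entry.findall("./application/member") if m.text}
        rules.append((entry.get("name"), apps, entry.findtext("action", "").strip()))
    # google-base may be permitted by another allow rule; list those so the
    # reviewer can check whether zones and rule order make them apply.
    base_elsewhere = sorted(n for n, apps, act in rules
                            if act == "allow" and apps & {"google-base", "any"})
    findings = []
    for name, apps, action in rules:
        if action != "allow" or apps & {"google-base", "any"}:
            continue
        hits = sorted(apps & google_apps)
        if hits:
            findings.append({"rule": name, "google_apps": hits,
                             "legacy_deps": sorted(apps & LEGACY_DEPS),
                             "google_base_in_other_rules": base_elsewhere})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A rule reported with a non-empty `legacy_deps` list is one still written for the old dependency model; adding 'google-base' to it is the transitional change described above.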
If you have questions about the changes described in this article, please feel free to post in our Discussion forum.