App-ID Cloud Engine tagged applications are showing up on the device even after disabling the feature
3199
Created On 01/31/23 00:35 AM - Last Modified 04/22/24 07:06 AM
Symptom
- App-ID Cloud Engine was enabled and SaaS Security Inline license was installed in the past
- App-ID Cloud Engine is disabled from Device/Panorama > Setup > ACE > Settings section
- SaaS Security Inline license key is also removed from the firewall
- The App-ID Cloud Engine tagged applications are still seen under Object > Application section:
Environment
- Palo Alto Networks Firewalls and Panorama
- PAN-OS 10.1 and above
- App-ID Cloud Engine (ACE)
Cause
The application signatures are retained even after the App-ID Cloud Engine feature is disabled or the the relevant subscription is removed from the firewall.
Resolution
- To remove the non usable App-IDs from device after disabling this feature, Open a case with TAC using Customer support portal.
- When the ACE App-IDs feature is disabled, the APP-IDs remain on the firewall, but the firewall stops enforcing ACE App-IDs in Security policy. This is explained in Impact of License Expiration or Disabling ACE