Deprecation warning: ‘May 2018 Application Classification Update’
search cancel

Deprecation warning: ‘May 2018 Application Classification Update’

book

Article ID: 171630

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

When updating policy and compiling policy a deprecation warning occurs.

When updating or compiling policy an error that is similar to this one occurs:

Deprecation warning: 'Hotmail'; 'Hotmail' has been replaced by 'Outlook.com' due to ‘May 2018 Application Classification Update’ and will no longer be accepted after Wed, 1 Jan 2020

Environment

Applies to:

  • Customers with ProxySG/ASG/Virtual SG running SGOS 6.6.3 and later, utilizing Intelligence Services (IS)
  • Customers with ProxySG/ASG/Virtual SG running SGOS 6.7.2 and later, utilizing IS

NOTE: If needing to know about effects when using Webfiltering (BCWF) version, please see the article on that: Warning: Unknown application name

Cause

An enhancement to the Symantec Application Classification feature is scheduled to become effective on May 31, 2018 between 00:00 UTC and 04:00 UTC.

The Application Classification feature is part of:

  • Symantec WebFilter, formerly known as Blue Coat WebFilter (BCWF)
  • Symantec Intelligence Services Standard and Advanced (IS-Standard, IS-Advanced), formerly known as Blue Coat Intelligence Services

This notification contains information to assist customers in assessing the potential impact of these changes on their environments so that they can adjust accordingly.

ProxySG/ASG/Virtual SG Considerations

The renaming and removal of categories will be applied to the Application Classification database on May 31, 2018 between 00:00 UTC and 04:00 UTC.

These enhancements will be released as part of the Application Classification database download and will automatically appear in the policy editor, also known as Visual Policy Manager (VPM).

  •  In all SGOS versions where you maintain policy via the VPM, existing destination objects with references to old application names will no longer list the old applications.
  •  Application policy is case-insensitive. Therefore, for the 10 applications where only case changes were made, no action is needed.

 

Resolution

Policy Changes will be needed for the renamed applications.

When the new application names take effect on May 31, 2018 between 00:00 UTC and 04:00 UTC, policy referencing old application names will continue to function properly, because the old names will be treated as deprecated aliases for the new names when performing policy evaluation.

Policy will still work until the date in the warning (as seen above). Be sure to update policy to reference the correct application name to resolve the issue and to remove the risk of the policy failing in the future.

Action Required


This section is not intended to provide a precise step-by-step list of instructions but rather a high-level overview of how to approach the maintenance window for earlier versions of ProxySG/ASG/Virtual SG. Adjust this process as needed to comply with your organization's change-control and quality-assurance procedures.
 
Preparation

 

  1. Download the test database from Application Update 2018 - Test Database and copy your existing policy to your test environment.
  2. Locate any affected application names that are due to be changed from the KB listed above (http://www.symantec.com/docs/ALERT2545).
  3. Make any necessary adjustments so that all application names reflect the newer names outlined in this document. This is also a good opportunity to remove any policy references to applications that will be removed.
  4. Make sure your policy compiles without any application-name warnings.
  5. Test your policy to ensure that it operates as expected.

 
Maintenance Window

  1. Shortly before the maintenance window on May 31, 2018 between 00:00 UTC and 04:00 UTC, temporarily disable BCWF and BCIS database updates.
    • During the time that the updates are disabled, WebPulse is still operational and providing protection.
    • To disable WebFilter updates from the CLI, enter config mode, content-filter mode, and  bluecoat mode. Enter this command:
    • #(config bluecoat) no download auto
    • To disable Intelligence Services updates from the CLI, enter config mode and then  application-classification mode. Enter this command:
    • #(config application-classification) download url " "
  2. Wait until the Symantec maintenance window ends.
  3. Update your policy according to the changes you made in the Preparation section.
  4. Re-enable the database updates. Your device should download the new database containing the application changes detailed in ALERT2545.
    • To enable WebFilter updates enter config mode, content-filter mode and  bluecoat mode. Enter this command:
    • #(config bluecoat) download auto
    • To enable Intelligence Services updates enter config mode and then  application-classification mode. Enter this command:
    • #(config application-classification) no download url
  5. Make sure your policy compiles without any application name warnings.
  6. Test your policy to ensure that it operates as expected.

 

 
Policy Changes Needed for Removed Applications

 
On May 31, 2018 between 00:00 UTC and 04:00 UTC, removed application names that are referenced in policy will generate a benign warning message as a reminder to update policy. The application name changes will have no impact because they will never have a match, even before the name changes are applied. The warning can be resolved by removing policy that references the removed applications.