https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19398#M14169 <HTML><HEAD></HEAD><BODY><P>Yes, Slawek</P><P>For a clean configuration without any warning messages, you would have to add the applications that the PANFW is complaining about.</P><P></P><P></P><P>Best regards,</P><P>Karthik</P></BODY></HTML> Tue, 25 Jun 2013 13:22:04 GMT kprakash 2013-06-25T13:22:04Z https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19394#M14165 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I'm bit confused about dependency ...</P><P>During commit i have:</P><P></P><P>&nbsp;&nbsp;&nbsp; vsys1: Rule 'XXXXXXXXXXX' application dependency warning:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Application 'gmail-base' requires 'imap' be allowed, but 'imap' is denied in Rule 'Scholastycy - deny rest'</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Application 'gmail-base' requires 'pop3' be allowed, but 'pop3' is denied in Rule 'Scholastycy - deny rest'</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Scholastycy - deny rest'</P><P>&nbsp;&nbsp;&nbsp; vsys1: Rule 'YYYYYYYY' application dependency warning:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Application 'msrpc' requires 'ms-ds-smb' be allowed </P><P>&nbsp;&nbsp;&nbsp;&nbsp; Application 'msrpc' requires 'netbios-ss' be allowed </P><P>&nbsp;&nbsp;&nbsp;&nbsp; Application 'msrpc' requires 'ms-ds-smb' be allowed </P><P>&nbsp;&nbsp;&nbsp;&nbsp; Application 'msrpc' requires 'netbios-ss' be allowed </P><P></P><P>Both of this rules are working as expected. XXXXXXX allowing sending email from multifunction printer. I'm sure that imap/pop3 isn't nessesary for sending emails.</P><P>The YYYYYYY has aplication: ms-kms. ms-rdp, msrpc and t.120 and this is enought for RDP and activating Office 2010&nbsp; and Windows 7.</P><P></P><P>Do I'm able to stop complaining about it during commit?</P></BODY></HTML> Tue, 25 Jun 2013 12:19:24 GMT https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19394#M14165 _slv_ 2013-06-25T12:19:24Z https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19395#M14166 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Are the PANFWs still in 4.1.x versions? Most of the dependency warning messages are gone under the 5.0.x PANOS versions.</P><P></P><P>You can also find a mention about it under the release notes of 5.0.0:</P><P></P><P>APPLICATION IDENTIFICATION FEATURES</P><P>• Application Dependency Enhancement – For some protocols, you can allow an application in security policy without explicitly allowing its underlying protocol. This support is available if the application can be identified within a pre-determined point in </P><P>the session, and has a dependency on any of the following applications: HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS. Custom applications based on HTTP, SSL, MS-RPC, or RTSP can also be allowed in security policy without explicitly allowing the underlying protocol. For example, if you want to allow Java software updates, which use HTTP (web-browsing), you no longer have to allow web-browsing. This feature will reduce the overall number of rules needed to manage policies.</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Usually these warnings advise the administrator there is an application configured on a policy that may not function fully because another application (or applications) is needed. For example, if you enable the “facebook-base” application on a policy by itself, you may get an application dependency warning advising that “web-browsing” is required.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">These application dependency warnings are derived from the research of the Palo Alto Networks development team responsible for content. The intent of these warnings is to aid the administrator in properly configuring policies, and avoid any inconsistent behavior by the application.&nbsp; It is important to understand these are just warnings and not errors that will fail your commit.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">The below document explains the causes for getting the dependency warning messages:</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1654">https://live.paloaltonetworks.com/docs/DOC-1654</A></P></BODY></HTML> Tue, 25 Jun 2013 12:44:52 GMT https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19395#M14166 kprakash 2013-06-25T12:44:52Z https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19396#M14167 <HTML><HEAD></HEAD><BODY><P>Also found this in our forums that:</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">The dependencies are only open for the amount of packets needed in order to detect the main application.</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">For example where you previously was forced to have both appx and web-browsing open forever you now only add appx and the web-browsing will only be allowed for the amount of packets needed to detect appx, if appx is not detected after this amount then the web-browsing session is denied.</P></BODY></HTML> Tue, 25 Jun 2013 13:06:52 GMT https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19396#M14167 kprakash 2013-06-25T13:06:52Z https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19397#M14168 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I'm using 5.0.5 PAN, warnings related to gmail comes after some automatic update (not after upgrade from 5.0.3 to 5.0.5 in my example).</P><P></P><P>As I understand this is feature and it can't be switched off - I have to get used to or add such aplication to the rules - Do I'm a right?</P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Tue, 25 Jun 2013 13:07:11 GMT https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19397#M14168 _slv_ 2013-06-25T13:07:11Z https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19398#M14169 <HTML><HEAD></HEAD><BODY><P>Yes, Slawek</P><P>For a clean configuration without any warning messages, you would have to add the applications that the PANFW is complaining about.</P><P></P><P></P><P>Best regards,</P><P>Karthik</P></BODY></HTML> Tue, 25 Jun 2013 13:22:04 GMT https://live.paloaltonetworks.com/t5/general-topics/dependency-warning-how-to-force-it/m-p/19398#M14169 kprakash 2013-06-25T13:22:04Z