https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24226#M17659 <HTML><HEAD></HEAD><BODY><P>We have begun the process of globally allowing some applications for the entire enterprise.&nbsp; At this point, these are (fairly) innocuous applications which are largely dependent on web-browsing / ssl.&nbsp; Two questions:</P><P></P><P>1.&nbsp; When verifying if a dependent application is available, does the firewall check the policy from the top down or just rules below the one you're creating?</P><P></P><P>2.&nbsp; I think part of the issue I'm running into is something that is discussed here: <A href="https://live.paloaltonetworks.com/docs/DOC-7040">Application Dependency Warnings with Allowed Enabler Application</A></P><P></P><P>I have rules up around 20 - 30 that are my URL Filtering rules.&nbsp; So, certain user groups are allowed to certain URL categories via web-browsing (on "any" service).</P><P></P><P>Now, down around rule 150 or so, I have a rule that says, "Globally Allowed Applications" - in here I have a few apps like 'ms-update' and 'flash'.&nbsp; However, once I pushed policy, I'm being told (for example) that:</P><P></P><P>"Application 'flash' requires 'web-browsing' be allowed, but 'web-browsing' is denied in rule "Drop All".&nbsp; <EM>Technically</EM> 'web-browsing' is allowed above.&nbsp; I'm not really a fan of having to allow the applications (especially web-browsing or SSL) globally as this negates our URL filtering policy.&nbsp; </P><P></P><P>Anyone else run into this?</P></BODY></HTML> Fri, 03 Oct 2014 17:52:56 GMT mrsoldner 2014-10-03T17:52:56Z https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24226#M17659 <HTML><HEAD></HEAD><BODY><P>We have begun the process of globally allowing some applications for the entire enterprise.&nbsp; At this point, these are (fairly) innocuous applications which are largely dependent on web-browsing / ssl.&nbsp; Two questions:</P><P></P><P>1.&nbsp; When verifying if a dependent application is available, does the firewall check the policy from the top down or just rules below the one you're creating?</P><P></P><P>2.&nbsp; I think part of the issue I'm running into is something that is discussed here: <A href="https://live.paloaltonetworks.com/docs/DOC-7040">Application Dependency Warnings with Allowed Enabler Application</A></P><P></P><P>I have rules up around 20 - 30 that are my URL Filtering rules.&nbsp; So, certain user groups are allowed to certain URL categories via web-browsing (on "any" service).</P><P></P><P>Now, down around rule 150 or so, I have a rule that says, "Globally Allowed Applications" - in here I have a few apps like 'ms-update' and 'flash'.&nbsp; However, once I pushed policy, I'm being told (for example) that:</P><P></P><P>"Application 'flash' requires 'web-browsing' be allowed, but 'web-browsing' is denied in rule "Drop All".&nbsp; <EM>Technically</EM> 'web-browsing' is allowed above.&nbsp; I'm not really a fan of having to allow the applications (especially web-browsing or SSL) globally as this negates our URL filtering policy.&nbsp; </P><P></P><P>Anyone else run into this?</P></BODY></HTML> Fri, 03 Oct 2014 17:52:56 GMT https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24226#M17659 mrsoldner 2014-10-03T17:52:56Z https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24227#M17660 <HTML><HEAD></HEAD><BODY><P>Hello Mrsoldner,</P><P></P><P>I understand that "web-browsing"{ is allowed in above rules and not in rule 150 where you have allowed "flash". Where flash depends on "web browsing".</P><P></P><P>I think it might be Palo Alto Networks internal thing, were dependent application should be allowed in same rule. So, in traffic logging they can track related log.</P><P></P><P>Again its just a speculation. Even I am waiting for much better explanation on this.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 03 Oct 2014 18:04:45 GMT https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24227#M17660 hshah 2014-10-03T18:04:45Z https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24228#M17661 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>1) if there is a dependent application then firewall will check from top-down whether dependent application is being allowed as mentioned in the document.</P><P>2) My recommendation is to allow web-browsing in policy 150 and apply url filtering profile. Since policies 20-30 are user restricted policies eventhough you allow web browsing in those, rule 150 still need an explicit dependent application allow policy to avoid commit warnings.</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P>Hari</P></BODY></HTML> Mon, 06 Oct 2014 22:53:47 GMT https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24228#M17661 hyadavalli 2014-10-06T22:53:47Z https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24229#M17662 <HTML><HEAD></HEAD><BODY><P><STRONG style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="-1" data-externalid="" data-presence="null" data-userid="21363" data-username="mrsoldner" href="https://live.paloaltonetworks.com/people/mrsoldner" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;">mrsoldner</A></STRONG></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px;">There are few enabler applications that are allowed implicitly, meaning, you don't have to add them in the policy to allow them explicitly. I believe web-browsing and SSL fall under this list. This implicit allow was something that was introduced in PAN-OS 5.0</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px;">Below document might come in handy:</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px;"><BR /></SPAN><A href="https://live.paloaltonetworks.com/docs/DOC-6900">How to Check if an Application Needs to have Explicitly Allowed Dependency Apps</A></P><P></P><P>I am looking for the list of implicitly allowed enabler applications. If I find anything related, i will update this post</P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 06 Oct 2014 23:13:56 GMT https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings/m-p/24229#M17662 tshiv 2014-10-06T23:13:56Z