topic Re: A quick application based policy query in General Topics

A quick application based policy query

AndrewHenderson — Wed, 21 May 2014 17:38:37 GMT

Hi,

I'm trying to better understand application policies and their dependencies and have a question I'm hoping someone can clear up for me. Lets for example say I'm trying to allow users access to an application which has SSH as a dependency. Lets also say that I cannot limit the untrusted endpoints the users can get to using this app policy because the endpoints are CDN based so the IP range is vast and forever changing. My policy is therefore as follows:

Trust Any to Untrust Any - Allowed Apps: Original App + SSH due to the original apps dependency requirement

I assume with the above policy in place everyone can now use SSH from a trusted host to untrusted host whether they use the original app or not? How do I allow the original application to work but not give everyone SSH outbound access to everything at the same time? Am I misunderstanding the whole concept here?

Your help is greatly appreciated.

All the best

Andy

Re: A quick application based policy query

HULK — Thu, 22 May 2014 16:03:43 GMT

Hello Andiehuk,

Could you please let us know the name of the application, you are trying to add here in your PAN firewall.

The most common example is web browsing ( as a dependent application for facebook) that transitions into "Facebook" and then this further transitions into "Facebook chat". If a user is blocked from web-browsing then they will never transition to a more specific aplication. Each time an application transitions to something more specific it is passed through the list of security rules again to see if it should be handled by a different security policy.

Thanks

Re: A quick application based policy query

AndrewHenderson — Wed, 28 May 2014 19:33:48 GMT

Hi Hulk,

Thanks for the reply. Lets say the app is Fasp. I need to allow SSH to any for Fasp to work to any. This then means unless I'm misunderstanding something here that SSH is now available to anywhere whether the user is using fasp or not.

All the best

Andy

Re: A quick application based policy query

HULK — Thu, 29 May 2014 02:36:41 GMT

Hello Andy,

Let me clarify for you. If you enable Application FASP in your security policy, then it will explicitly allow the underlying dependent application SSH. But, that does not mean, the source IP's (users) will be able to access SSH application ( i.e putty, remoteNG etc) . Only if the traffic is coming in conjunction with the parent application FASP, then only the firewall will allow the traffic through it.

NOTE: With PAN-OS 5.0.0 software and above, we can now allow an application in security policy without the need to explicitly allow the underlying protocol dependency (for most protocols) . This is supported only if the application can be identified within a pre-determined point in the session. Applications that qualify for this PAN-OS feature will have this support enabled in the Content version starting onwards 323.

I did a test on my LAB:

Security RULE-1

Source IP- 1.1.1.1

destination IP-2.2.2.2

Application FASP

Action -Allow

Security RULE-2

Source IP- 1.1.1.1

destination IP-2.2.2.2

Application ANY

Action -Deny

While trying to access IP 2.2.2.2 through SSH ( putty) from IP 1.1.1.1, it's falling under RULE-2 and traffic is getting denied by the PAN firewall.

Hope this helps.

Thanks

Re: A quick application based policy query

AndrewHenderson — Fri, 30 May 2014 13:08:47 GMT

Hi,

Thank you for your explanation Hulk, very much appreciated. When an app can allow it's dependents automatically then these apps should not be appearing in the info popup after you do a commit. For example...

Application 'fasp' requires 'ssh' be allowed, but 'ssh' is denied in Rule '180 DENY ALL TESTING'

The DENY ALL TESTING rule which has been picked up here is way below the FASP rule and doesn't specifically mention SSH. I had read about Apps and their dependencies being allowed however I assumed if it's mentioned at the commit stage then it must be an App that cannot take advantage of that feature. Perhaps PA should rethink that part a little. Adding the info into the app db stating it can allow dependencies automatically would also help somewhat.

All the best

Andy