topic Re: Application filters in General Topics

Application filters

BobW — Wed, 16 May 2012 17:21:52 GMT

I have been trying to use the application filter functionality as I am setting up our PA with little luck. Example being: I would like to allow pretty much everything under "business" systems", "office programs".

First problem I am running into is it does not include the dependcies. OK I can get around that and create an applicatio group for the dependencies.

The second problem is one item has some dependencies which are a bit excessive (SMTP for example) AND these dependencies are for a program my users will never use (ariel in my case).

Unless I am missing something, there does not appear to be a way to create a filter but exclude some items and that programs dependencies.

Does the above sound correct?

If so, is anyone bothering to use the "application filter" option or are you just creating your own groups?

Thanks,

Bob

PS It would be nice to create a filter and exclude certain applications from that filter with a check box per application.

Re: Application filters

mikand — Thu, 17 May 2012 17:06:58 GMT

The tricky part with application filter comparing to custom groups is the danger of new application(s) (you are in the hands of what PA thinks).

Having that said I have heard some rumours that PANOS 5.0 (I think it was) will fix some of the dependency jungle out there for the appid.

Re: Application filters

bstapleton — Tue, 22 May 2012 18:32:52 GMT

We use application filters based on subcategory. When deciding to allow or block a subcategory, we ask ourselves: if Palo Alto created a new application definition that you haven’t heard of before and added it to the subcategory, should it be allowed or blocked?

Then we create application groups for the exceptions in a subcategory. We have about 200 exceptions in our application groups currently.

Re: Application filters

essnet — Tue, 22 May 2012 20:52:44 GMT

I am using a different way : I reviewed all applications once and decided which ones I wanted to ban.

Every week I receive an email from PA with a list newly created apps. I review each of them and decide which ones I want to ban and add them to my application ban group.

Re: Application filters

BobW — Wed, 23 May 2012 15:27:26 GMT

Thanks for your reply. So if I understadn you correctly you have a couple rules:

Deny Banned apps (custom application group)

Allow (Application filter)

How do you handle the dependcies?

Doesn't the above give you a warning when you commit?

Thanks,

Bob

Re: Application filters

BobW — Wed, 23 May 2012 15:32:23 GMT

Thanks.

Can you enlighten me as to the order of your allow and deny rules and what order they are in?

for example: In my case I am trying to, for a single group of users us almost exclusivley allow rules:

Middle school-allow basic apps (app group as defined by myself)

Middle school-allow expanded apps before and after school only (app group as defined by myself)

Middle school deny-deny all apps for middle school users that are no allowed by teh above (mostly for logging purposes)

Thanks

Bob

Re: Application filters

bstapleton — Wed, 23 May 2012 15:50:15 GMT

We're able to work out dependencies by looking at the errors and adding the dependent applications to our allow groups.

It seems we don't have the complexity regarding time of day that you do. Our rule structure is this:

deny Block groups

allow Allow groups and Allow subcategory filters

deny Block subcategory filters

The key is that the Allow subcategory filters and Block subcategory filters never include each other's subcategories, but added together contain all subcategories.

Adding rules for allowing applications for off-hours depends on how much of the application structure changes policy for off-hours. If the differences are just a few apps, I would put a scheduled rule like "allow Allow off-hours groups" before the first rule called deny Block groups.

If I wanted to allow a few subcategory filters for off-hours, I would consider copying the entire structure and placing those rules above the current structure:

deny Block off-hours groups

allow Allow off-hours groups and Allow off-hours subcategory filters

deny Block off-hours subcategory filters

deny Block groups

allow Allow groups and Allow subcategory filters

deny Block subcategory filters

Re: Application filters

BobW — Wed, 23 May 2012 23:30:25 GMT

Thanks for sharing, it is nice to hear what others are doing. I am really struggling with the complexity piece (all have different times and filtering rules):

Lots of international kids.

Lower school

Middle school

Upper school

Boarding students (some are 7x24 with school and personal devices)

Dorm Parents (7x24 with school and personal devices).

Employees (school and personal devices)

Not to mention the guests streaming in and out on weekends and summer....

I could go on, but thus my interest in how others are handling apps and rules.

Bob

Re: Application filters

bstapleton — Thu, 24 May 2012 00:03:53 GMT

Wow - that's a lot of constituencies. Hopefully, you'll find some commonality in the applications and subcategories that you allow and block between the constituencies so you can group the applications easily.

One other thing I thought of for dependencies: we created groups for applications that have tons of them. For ms-rdp, for example, we created a group called ms-rdp_suite and included netbios-ss, netbios-dg, etc. etc.