<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Application Groups "service" in security policy in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/application-groups-quot-service-quot-in-security-policy/m-p/47886#M35199</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That's right.&lt;/P&gt;&lt;P&gt;The warning is normal and can be ignored. There are many applications that also bring up this warning if you use a clean-up rule as the last rule.&lt;/P&gt;&lt;P&gt;In your scenario it should work as expected, as Narong explained.&lt;/P&gt;&lt;P&gt;You can use application-default when working with application groups. Each application will then only work on its default port(s) that are defined in the application-default.&lt;/P&gt;&lt;P&gt;But why are you using a blacklist? If you define apps that are allowed, all other apps should be denied by default. You do not need a special deny rule. Only allowed traffic should flow.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 11 Jun 2014 08:01:08 GMT</pubDate>
    <dc:creator>kbe</dc:creator>
    <dc:date>2014-06-11T08:01:08Z</dc:date>
    <item>
      <title>Application Groups "service" in security policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/application-groups-quot-service-quot-in-security-policy/m-p/47884#M35197</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have the following scenario I came across and am just curious if this is expected behavior. It is recommended when "whitelisting" an application to use the application-default service (so it only works on its default port), or if you are "blacklisting" to use the service "any" (to block the app on any port used). I'm not so sure this works using groups though? Here is an example:&lt;/P&gt;&lt;P&gt;Rule 1 - Allowed Exception During Lunch - YouTube - application-default - ALLOW&lt;/P&gt;&lt;P&gt;Rule 2 - Whitelist - Application Group which includes SSL etc. - application-default - ALLOW&lt;/P&gt;&lt;P&gt;Rule 3 - Blacklist - Application Group to Deny which includes SSL as part of a filter - any - DENY &amp;lt;-- use ANY service for deny rules&lt;/P&gt;&lt;P&gt;When I try to commit it gives me a warning that YouTube has a dependency on SSL, which is denied by the Blacklist rule. This doesn't make sense, as SSL is allowed in rule 2, so in my mind it "should" work. What am I missing? And when using application groups, do you have to leave the service as "any", or can you use application-default just fine, so that if you have a list of 5 applications, each one of those will only work on its respective default port?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 10 Jun 2014 23:41:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/application-groups-quot-service-quot-in-security-policy/m-p/47884#M35197</guid>
      <dc:creator>froggyj</dc:creator>
      <dc:date>2014-06-10T23:41:12Z</dc:date>
    </item>
    <item>
      <title>Re: Application Groups "service" in security policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/application-groups-quot-service-quot-in-security-policy/m-p/47885#M35198</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I recall that this issue is caused by the commit validation not expanding the search beyond the original rule. However, this is an error in the validation message; it will not affect the actual traffic. When a session is initiated it will first match the SSL application in Rule 2, and when App-ID shifts to YouTube the traffic will then match Rule 1.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Narong&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 11 Jun 2014 03:30:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/application-groups-quot-service-quot-in-security-policy/m-p/47885#M35198</guid>
      <dc:creator>nchong</dc:creator>
      <dc:date>2014-06-11T03:30:38Z</dc:date>
    </item>
    <item>
      <title>Re: Application Groups "service" in security policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/application-groups-quot-service-quot-in-security-policy/m-p/47886#M35199</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That's right.&lt;/P&gt;&lt;P&gt;The warning is normal and can be ignored. There are many applications that also bring up this warning if you use a clean-up rule as the last rule.&lt;/P&gt;&lt;P&gt;In your scenario it should work as expected, as Narong explained.&lt;/P&gt;&lt;P&gt;You can use application-default when working with application groups. Each application will then only work on its default port(s) that are defined in the application-default.&lt;/P&gt;&lt;P&gt;But why are you using a blacklist? If you define apps that are allowed, all other apps should be denied by default. You do not need a special deny rule. Only allowed traffic should flow.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 11 Jun 2014 08:01:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/application-groups-quot-service-quot-in-security-policy/m-p/47886#M35199</guid>
      <dc:creator>kbe</dc:creator>
      <dc:date>2014-06-11T08:01:08Z</dc:date>
    </item>
  </channel>
</rss>