https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49268#M36289 <HTML><HEAD></HEAD><BODY><P>Thank you.</P><P>App dependency is always challanging! <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 30 Aug 2011 08:33:47 GMT migration 2011-08-30T08:33:47Z https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49266#M36287 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>I tested this strange (imho) behaviour with PAN 2020 4.0.3:</P><P></P><P>1. create a first security policy with ssl, http-proxy, dns but without web-browsing application (as you can see in 1.jpg) with action ALLOW</P><P></P><P></P><P>2. create a following security policy with facebook application and action DENY</P><P></P><P></P><P>3. create a final security policy for all other outbound traffic, with action ALLOW ALL for all applications but with a Custom URL Profile that blocks facebook (as you can see in 2.jpg) - all other Sec. Profiles are in alert mode.</P><P></P><P></P><P>(and obviously commit the configuration <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />)</P><P></P><P></P><P>when I try to go to www.facebook.com from my client (the source address of the rules) I get blocked by URL Profile (4th rule) and not by application signature present in the 2nd rule - <EM><STRONG>first match is not respected</STRONG></EM></P><P></P><P></P><P>If I add web-browsing application in the 1st rule (point 1) and retry to go to www.facebook.com, this time I get blocked by application signature present in 2nd rule - <EM><STRONG>this time first match is respected</STRONG></EM></P><P></P><P></P><P>If I delete the URL Profile from rule 4 and I delete web-browsing application from 1st rule, I get blocked correctly by the 2nd rule</P><P></P><P>Why this behaviour?</P><P></P><P></P><P>Thanks in advance</P></BODY></HTML> Mon, 29 Aug 2011 09:23:27 GMT https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49266#M36287 migration 2011-08-29T09:23:27Z https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49267#M36288 <HTML><HEAD></HEAD><BODY><P> Hi Iceman,</P><P></P><P>It is expected.</P><P></P><P>In order to understand your observation, you need to understand our app-id design and app dependency.</P><P></P><P>Although we have app-id for facebook, but during the life of a facebook session, the initial packet of facebook is actually first recognized as web-browsing before we identify it as facebook. If you are running the facebook app through an explicit proxy, the traffic will be first identified as web-browsing, then http proxy followed by facebook.</P><P></P><P>So in order to allow facebook, you need to allow web-browsing, http proxy and facebook- and this is called app dependency.</P><P></P><P>For case1, web-browsing is blocked by your URL filtering so facebook cannot work.</P><P></P><P>For case2, web-browsing and http proxy are allowed but facebook itself is not and that's why facebook cannot work.</P><P></P><P>For case3, if you deleted the URL filtering, web-browsing will be allowed by the last policy, http proxy will be allowed by 1st policy, but finally facebook will be blocked by 2nd policy.</P></BODY></HTML> Tue, 30 Aug 2011 03:29:17 GMT https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49267#M36288 jleung 2011-08-30T03:29:17Z https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49268#M36289 <HTML><HEAD></HEAD><BODY><P>Thank you.</P><P>App dependency is always challanging! <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 30 Aug 2011 08:33:47 GMT https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49268#M36289 migration 2011-08-30T08:33:47Z https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49269#M36290 <HTML><HEAD></HEAD><BODY><P> Yes sometimes.</P><P></P><P><img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 30 Aug 2011 13:04:37 GMT https://live.paloaltonetworks.com/t5/general-topics/apps-vs-url-profile-block-application/m-p/49269#M36290 jleung 2011-08-30T13:04:37Z