topic Re: Looking for a way to allow an application without allowing all dependencies with no commit warni in General Topics https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/142879#M48613 <P>Hi Joshua</P> <P>&nbsp;</P> <P>The dependency warning will remain as the dependency has not been met</P> <P>You could create a security policy that allows ssh only to a custom category containing all the URL's used by sourceforge:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="url destination.png"><img src="https://live.paloaltonetworks.com/skins/images/2F2A72B3BE70ACC5EBC3E1D7685F5297/responsive_peak/images/image_not_found.png" alt="url destination.png" /></span></P> <P>&nbsp;</P> <P>this is slightly different from URL filtering as it uses the category as a layer 3 destination match rather than url filtering</P> <P>&nbsp;</P> <P>alternatively, if you know the sourceforge servers, you could add FQDN objects to the destination</P> Tue, 14 Feb 2017 10:33:13 GMT reaper 2017-02-14T10:33:13Z Looking for a way to allow an application without allowing all dependencies with no commit warnings https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/142714#M48582 <P>Issue background:</P><P>We have a policy for Application Whitelist of allowed applications on the internet firewall. &nbsp;SourceForge-Base is one of these applications. &nbsp;SourceForge-Base had dependencies on SSL, Web-Browsing, and SSH. &nbsp;We allow SSL and Web-Browsing, but do not wish to allow SSH to the entire outbound internet. &nbsp;Our users traffic works fine with only SSL and Web-Browsing being allowed in conjunction with SourceForge-Base when they access SourceForge. &nbsp;</P><P>&nbsp;</P><P>Without knowing the IP ranges utilized by SourceForge to allow that in a separate policy by service port, (also without utilizing SSL decryption so an FQDN is not an option), we have no way to allow the traffic other than by application.</P><P>&nbsp;</P><P>Is there a way to hide or suppress persistent application dependency warnings in specific so that a commit can come back without warnings? &nbsp;</P><P>&nbsp;</P><P>Or is there a way to allow SSH only if it is used in conjunction with SourceForge-Base, as in SSH being an Implicit Use Application for SourceForge-Base?</P> Mon, 13 Feb 2017 16:15:32 GMT https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/142714#M48582 JoshuaBolin 2017-02-13T16:15:32Z Re: Looking for a way to allow an application without allowing all dependencies with no commit warni https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/142879#M48613 <P>Hi Joshua</P> <P>&nbsp;</P> <P>The dependency warning will remain as the dependency has not been met</P> <P>You could create a security policy that allows ssh only to a custom category containing all the URL's used by sourceforge:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="url destination.png"><img src="https://live.paloaltonetworks.com/skins/images/2F2A72B3BE70ACC5EBC3E1D7685F5297/responsive_peak/images/image_not_found.png" alt="url destination.png" /></span></P> <P>&nbsp;</P> <P>this is slightly different from URL filtering as it uses the category as a layer 3 destination match rather than url filtering</P> <P>&nbsp;</P> <P>alternatively, if you know the sourceforge servers, you could add FQDN objects to the destination</P> Tue, 14 Feb 2017 10:33:13 GMT https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/142879#M48613 reaper 2017-02-14T10:33:13Z Re: Looking for a way to allow an application without allowing all dependencies with no commit warni https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/143275#M48682 <P>There's an existing feature request for this capability. &nbsp;Please reach out to your Palo Alto Networks Systems Engineer so your request can be tracked.</P> Wed, 15 Feb 2017 20:35:11 GMT https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/143275#M48682 jvalentine 2017-02-15T20:35:11Z Re: Looking for a way to allow an application without allowing all dependencies with no commit warni https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/143277#M48683 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/22017">@jvalentine</a>&nbsp;&nbsp; Can you provide the FR#?&nbsp; That will save so much time for my SE.</P><P>&nbsp;</P><P>E</P> Wed, 15 Feb 2017 20:47:11 GMT https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/143277#M48683 nextgenhappines 2017-02-15T20:47:11Z Re: Looking for a way to allow an application without allowing all dependencies with no commit warni https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/143286#M48684 <P>Depending on the exact use case, I'd look at: 1887, 2689, 4131</P> Wed, 15 Feb 2017 21:46:17 GMT https://live.paloaltonetworks.com/t5/general-topics/looking-for-a-way-to-allow-an-application-without-allowing-all/m-p/143286#M48684 jvalentine 2017-02-15T21:46:17Z