topic Re: commit status warning on rules that are working the way I want them too in General Topics

commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 15:48:40 GMT

I have a rule that has webex enabled but dones not have ssl enabled and i keep getting a warning on that rule when i commit that says "Applicaiton 'webex-desktop-sharing requires ssl be allowed? But I don't want to allow ssl, so how can I get rid of these warnings so i can tell when i have a legitimate commit warning?

Re: commit status warning on rules that are working the way I want them too

Remo — Thu, 29 Mar 2018 16:09:20 GMT

I hope there is a solution but I asume there isn't ... some applications simply have a dependency to others. So even if it works in most cases there might be some edge cases where the firewall first sees ssl and after some more packets thw app changes to webex. So in these cases it could be that it won't work with allowing only webex...

Hopefully there is a way, cause the commit warnings I have are growing and growing ...

Re: commit status warning on rules that are working the way I want them too

Mick_Ball — Thu, 29 Mar 2018 16:09:39 GMT

ssl is a dependency of the webex desktop sharing application...

according to this doc... https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-is-Application-Dependency/ta-p/54270

it states...

If you do not allow the application and its dependency through the Palo Alto Networks firewall, then the application will not work.

Re: commit status warning on rules that are working the way I want them too

Mick_Ball — Thu, 29 Mar 2018 16:10:42 GMT

sorry, answered after @Remo...

Re: commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 16:27:07 GMT

@Remo @Mick_Ball

thing is it does work and I would think it shouldn't , for instance this is in the commit warning

Application 'google-plus-base' requires 'google-base' be allowed

And this is what it says in the applicatiion info - google-play standard ports 443,5227,80,tcp,udp

Then I look in the traffic and unless I am reading this wrong it is work even though ssl is not allowed so to speak

Re: commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 16:21:04 GMT

@Mick_Ball @

Actually I think it is working that is why I am surprised, look at my reply to remo

Re: commit status warning on rules that are working the way I want them too

Remo — Thu, 29 Mar 2018 16:28:19 GMT

@jdprovine

I know it works, thats why I have endless commit warnings 😛

Exactly like your initial example. You only want to allow webex but not general ssl access to everywhere ...

Re: commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 16:32:07 GMT

@Remo

Yeah and the impression from the commit warning is that it should not work without ssl but it does, because the ssl port 443 is allowed, from what I see

Re: commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 16:53:07 GMT

@Remo @Mick_Ball

So I guess I want away to clean up my commit status errors without having to add ssl to a rule that I don't want ssl enabled on.

Re: commit status warning on rules that are working the way I want them too

Mick_Ball — Thu, 29 Mar 2018 16:54:23 GMT

ok so having added the dependencies to the webex desktop sharing policy, the warnings have gone...

is this a problem, will it not only use these dependencies for webex desktop and nothing else...

Re: commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 16:57:33 GMT

@Mick_Ball

I know that giving it what it wants to make the commit status errors go away but I don't want ssl on those rules at all

Re: commit status warning on rules that are working the way I want them too

Remo — Thu, 29 Mar 2018 17:08:32 GMT

@Mick_Ball

No, if you add these dependencies then the firewall also allows these apps independently.

So ...

Allowing just webex --> working solution but commit warning
Allowing webex with dependencies --> webex works but also general webaccess and the commit warning is gone

Or ...

Secure solution --> commit warning
Insecure solution --> no commit warning

Re: commit status warning on rules that are working the way I want them too

Mick_Ball — Thu, 29 Mar 2018 18:09:09 GMT

@jdprovine, @Remo. Sorry... its been a long day.... i feel so stupid.

i thougt i was adding the dependencies into a different section of the policy, not into the same app section of the policy as webex desktop...

i feel this will not be marked as a solution.....

Re: commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 18:34:00 GMT

@Mick_Ball

No problem Mick you always give it your best, this is just a weird situation

Re: commit status warning on rules that are working the way I want them too

hshawn — Thu, 29 Mar 2018 18:57:26 GMT

OK, we see this all the time. One thing to keep in mind is the application/traffic may work without the dependencies *but* some components of it may not work and you may not notice or the app may fall back onto something else if it fails one piece.

Here is what we try to do and a lot of people forget they can do this:

* Setup your security policy and add the dependencies

* validate the commit does not have any dependenciy warnings

* Scope the policy down to specific destinations (if possible) or use a URL category in the policy, using a URL category will at least make it so users will not hit this policy for all web browsing and hopefully only hit it for the application/URL catgories specified

for example we have exceptions to allow people to hit online file storage junk (box, dropbox,etc) so aside from the user having to be in the proper AD group for the exception the destination also has to be one related to the exception and/or the URL category has to match, otherwise they will hit the standard web traffic policy.

the web-browsing and ssl applications will be a pain no matter what (try locking down slack and have fun)

Re: commit status warning on rules that are working the way I want them too

jdprovine — Thu, 29 Mar 2018 19:11:55 GMT

@hshawn

Interesting information , we know what we do and don't want to allow and we have decided to not allow ssl, so you would think if you didn't allow a dependencies it should not work but.... when I look in the logs it works just fine and even though I havent allowed ssl or web -browsing I can see it using port 80 and port 443. My first thought is that either the application isn't defined enough or my rule is not. I could fix it by adding the dependency to the rule or in this case ssl, but I don't want it allowed.

I have a specified source and destination zone, specific source IP, it confined to only two specific regions, specific application s(set to application default)

Re: commit status warning on rules that are working the way I want them too

jdprovine — Mon, 02 Apr 2018 18:42:29 GMT

Okay i am still tracking this for a solution and I got this today in the commit status but i clearing see google-play traffic in the traffic logs.

commit status

Application 'google-play' requires 'google-base' be allowed and i can clearly see spotified traffic in the traffic logs

And I also have this in the commit status

Application 'spotify' requires 'ssl' be allowed

Re: commit status warning on rules that are working the way I want them too

gwesson — Mon, 02 Apr 2018 18:53:09 GMT

Sometimes App-ID can determine that the app is google-play without using the application dependencies, so you're able to see the app. An example is one where the client is sending the Client Hello with "play.google.com" in the server_name extension, so it's easy to tell.

But other times the user would have already been logged into google, and the check is against "accounts.google.com". Unless you're doing SSL decryption, you can't see the actual encrypted request to the play store. If you can't see that it's google play and you haven't allowed SSL anywhere in your security policy, there will be situations where a user is denied going to google play but other times it works fine.

The commit warning could probably be "application 'google-play' requires 'google-base' to be allowed for reliable detection of 'google-play'", but that may just be too wordy and may even generate more questions about what specific scenarios will cause it to be matched versus not. It's much simpler to state the dependency as a requirement, even if there are conditions that will sometimes allow for detection.

Re: commit status warning on rules that are working the way I want them too

BPry — Mon, 02 Apr 2018 19:00:26 GMT

It's sometimes hard to actually lay out the application dependency simply due to the fact that some users utilize SSL-Decryption and others don't. There are quite a few apps that the dependency isn't as necissary when running SSL-Decryption, but it needs to be there for people who are not utilizing that feature.

Re: commit status warning on rules that are working the way I want them too

jdprovine — Mon, 02 Apr 2018 19:06:26 GMT

@gwesson

So in other words it can be hit or miss, that doesn't sound good. But my biggest issue is that i want to clean up the commit status message and I was thinking if I am not allowing it, via dependencies, it just shouldn't work