https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210417#M61466 <P>I would recommend creating a custom url category which you add directly to the security policy rule (not via security profile).</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 16 Apr 2018 19:32:34 GMT Remo 2018-04-16T19:32:34Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210387#M61456 <P>I have created a rule which requires access to Adobe-creative clolud. This application is dependent on SSL and web browsing. Setting this rule to allow aslo grants access to websites like Amazon.com or general internet access.</P><P>Is there a way to make it work just for the particular app? or I am missing something in creating the policy?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="talk.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14759i0DDF3C12BC25A5C1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="talk.JPG" alt="talk.JPG" /></span></P><P>Thanks.</P> Mon, 16 Apr 2018 17:30:02 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210387#M61456 Sanasheikh 2018-04-16T17:30:02Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210411#M61462 <P>Hi Sanasheikh,</P><P>&nbsp;</P><P>You can further lock down http/https access based on URL category.&nbsp; Pretty sure you can use custom URL categories without URL Filtering license if you did not have one.</P><P>&nbsp;</P><P>Hope this helps.</P><P>regards,</P><P>Ben</P> Mon, 16 Apr 2018 18:07:24 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210411#M61462 Ben-W 2018-04-16T18:07:24Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210412#M61463 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78612">@Sanasheikh</a></P><P>&nbsp;</P><P>In some cases it also works without adding the dependencies. You then probably get a commit warning, but it will not allow general webaccess.</P><P>Or as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5754">@Ben-W</a>&nbsp;already pointed out, you can use a custom url category to restrict the access to only Adobe domains. The list with quite a few entries from adobe you can find here:&nbsp;<A href="https://helpx.adobe.com/in/enterprise/kb/network-endpoints.html" target="_blank">https://helpx.adobe.com/in/enterprise/kb/network-endpoints.html</A></P><P>(And yes, using a custom URL category does not require a URL Filtering license)</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Mon, 16 Apr 2018 18:46:35 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210412#M61463 Remo 2018-04-16T18:46:35Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210416#M61465 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5754">@Ben-W</a>&nbsp;and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;I will create a URL category for adobe and hopefully that should fix it. But I am still confused why adding ssl and web-browsing for a specific app allows unwanted internet access. With the current set up I can almost browse anything like amazon.com etc.</P><P>&nbsp;</P><P>We do have a URL Filtering License for our firewall. Should I create a allow/block list and add to this adobe cc policy?</P><P>&nbsp;</P> Mon, 16 Apr 2018 19:28:37 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210416#M61465 Sanasheikh 2018-04-16T19:28:37Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210417#M61466 <P>I would recommend creating a custom url category which you add directly to the security policy rule (not via security profile).</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 16 Apr 2018 19:32:34 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210417#M61466 Remo 2018-04-16T19:32:34Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210418#M61467 <P>Sure, I will do that. So Even though other appliations are not listed, Palo Alto opens up unwanted access if URL Category is not specified.&nbsp;</P> Mon, 16 Apr 2018 19:34:37 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210418#M61467 Sanasheikh 2018-04-16T19:34:37Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210422#M61470 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78612">@Sanasheikh</a>,</P><P>If you are allowing a dependent application within a security rule then it's allowed just as any other application. So if I had a rule that allowed [ ssl web-browsing google-base ] other traffic would still match this rule until/if it was able to be identified as a more specific application.&nbsp;</P><P>Others have already pointed out ways around this so I won't rehash it, but you'll essentially want to pick one method or another to address this.&nbsp;</P> Mon, 16 Apr 2018 19:55:02 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210422#M61470 BPry 2018-04-16T19:55:02Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210428#M61476 <P>The "problem" is that not every application can be recocnized within a few packets. In some cases you first need to allow these dependencies, to allow enough traffic that the firewall will be able to see the adobe cc application. And again in other cases decryption is required to gain this visibility, because without that for example the firewall only sees web-browsing or ssl.</P><P>You actually don't have to allow the dependencies, but as I wrote, in some cases paloalto can only guarantee full functionality of the various apps when you allow these dependencies. As you see this can also have negative/unwanted sideeffects which you can restrict with this solution with the custom url category.</P> Mon, 16 Apr 2018 20:20:37 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/210428#M61476 Remo 2018-04-16T20:20:37Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/211569#M61719 <P>So adding URL filtering or URL category is the solution. Thank you so much for your help everyone. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 24 Apr 2018 17:42:33 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ssl-and-web-browsing-on-dependent-applications-open/m-p/211569#M61719 Sanasheikh 2018-04-24T17:42:33Z