topic Re: Supressing Application Dependancy Warnings. in General Topics

Supressing Application Dependancy Warnings.

RobinClayton — Fri, 29 Jun 2018 10:53:11 GMT

On our "SKYPE" rule I have removed web-browsing, this causes dependancy warnings on commit.

I read this "solution"

https://live.paloaltonetworks.com/t5/Management-Articles/Application-Dependency-Warnings-with-Allowed-Enabler-Application/ta-p/55142

But not sure if it's correct or makes the rule insecure?

Rob

Re: Supressing Application Dependancy Warnings.

BPry — Fri, 29 Jun 2018 16:19:51 GMT

@RobinClayton,

So looking at how they did it in the linked article I'm not a big fan of the solution. Yes this would get rid of the commit warnings but they are also allowing 'ssl' and 'web-browsing' across a large number of non-standard ports. Sometimes this is needed when you aren't running ssl-decryption due to which app-ids come across the firewall, but the way they built the rules in this example article they aren't limiting it to a set destination so this would be allowed globally which generally isn't a good idea.

Re: Supressing Application Dependancy Warnings.

RobinClayton — Mon, 02 Jul 2018 08:16:31 GMT

Thought it looked a bit poor.

Will just have to tell my team to ingnore the warnings.

Cheers.

Re: Supressing Application Dependancy Warnings.

BPry — Mon, 02 Jul 2018 17:14:38 GMT

@RobinClayton,

Depending on how your rules are built out it may be a functional option if you could limit the rules exposure either through source address specification or destination address specification. But ya I wouldn't do this globally like the example did if you can't limit the scope of the rule at all.

Re: Supressing Application Dependancy Warnings.

RobinClayton — Tue, 03 Jul 2018 07:54:37 GMT

Since the rule is for SKYPE, source and dest are not fixed (well we limit it to the few PC's that are used for skype), leaving them with unrestricted web-browsing is not an option.

Re: Supressing Application Dependancy Warnings.

jaredkitch — Tue, 03 Jul 2018 16:36:27 GMT

I have been racking my brain trying to figure this out. I am fairly new to palo alto, but it really seems like there should be some way to do this.

We want to have a rule that allows a group of people to do most everything in a browser. The "browser-based" application filter seemed like a perfect solution, but it requires all kinds of other things in order to alleviate the dependency warnings including ftp, smtp, etc. Obviously, this circumvents all kinds of things we don't want to allow.

My worry with "just ignore the warning" is that we will become immune to it and miss something "real" in the future.

(We also had the issue when trying to do skype)

Re: Supressing Application Dependancy Warnings.

BPry — Tue, 03 Jul 2018 18:27:07 GMT

@jaredkitch,

There is an existing feature request for this, so I would reach out to your SE and have them add your vote to it. It's something that people have been asking for, it's just something that doesn't really fit in nicely with the way the validate process is ran.

There is certaintly a small amount of risk with just leaving the dependancy warnings, as you stated people can become immune to it and then miss something that actually does cause issues.

As for the filter that you are trying to build, I primarly recommend that people create a browsing rule that allows browsing for application 'any' with service 'application-default'. You can then build out specific application deny rules, or deny filters, depending on what you actually don't want to allow in your enviroment. Obviously this depends highly on how restrictive your organization is with allowing outside access, but it works for most.

Re: Supressing Application Dependancy Warnings.

RobinClayton — Wed, 04 Jul 2018 08:00:23 GMT

Added my vote to the Feature Request.

Cheers

Rob

Re: Supressing Application Dependancy Warnings.

jhooker — Tue, 17 Jul 2018 00:55:40 GMT

My vote was added to the feature request internally.