https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings-different-between-two-firewalls/m-p/226467#M65196 <P>Hi all,</P><P>&nbsp;</P><P>I am consolidating a lot of old, messy URL/App rules written by my predecessors.&nbsp; I have one rule that is the URL filtering rule for "unauthenticated" users (i.e., those that aren't identified by the User Agents.)&nbsp; It allows "any" appliation.</P><P>&nbsp;</P><P>I have other rules that use application sets and custom URL filters, based on user groups.&nbsp; All working fine.</P><P>&nbsp;</P><P>Now,&nbsp;I thought to restrict the services on the URL rules to HTTP &amp; HTTPS.&nbsp; Most of our web browsing is personal, research, etc.&nbsp; We use very few cloud apps, and I can account for those in other rules.&nbsp; I don't want strange, non-standard ports using the URL rules.</P><P>&nbsp;</P><P>When I restricted the services on the "Unauthenticated URL Policy," I caused a bunch of Application Dependency Warnings in the other URL/App rules.&nbsp; OK, fine.&nbsp; I should probably have used "application-default."&nbsp;</P><P>&nbsp;</P><P>Here's my mystery.&nbsp; The exact same change on a different firewall, which has the exact same rules for user browsing (I actually cloned them) does NOT give me Application Depency Warnings.</P><P>&nbsp;</P><P>I'm not saying that the two firewalls have the same rule bases.&nbsp; But these particular rules that I'm working with are all the same.</P><P>&nbsp;</P><P>Can anyone explain this?</P><P>&nbsp;</P><P>Thanks,</P><P>- Steve</P><P>&nbsp;</P> Wed, 08 Aug 2018 15:59:55 GMT stevenkadish 2018-08-08T15:59:55Z https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings-different-between-two-firewalls/m-p/226467#M65196 <P>Hi all,</P><P>&nbsp;</P><P>I am consolidating a lot of old, messy URL/App rules written by my predecessors.&nbsp; I have one rule that is the URL filtering rule for "unauthenticated" users (i.e., those that aren't identified by the User Agents.)&nbsp; It allows "any" appliation.</P><P>&nbsp;</P><P>I have other rules that use application sets and custom URL filters, based on user groups.&nbsp; All working fine.</P><P>&nbsp;</P><P>Now,&nbsp;I thought to restrict the services on the URL rules to HTTP &amp; HTTPS.&nbsp; Most of our web browsing is personal, research, etc.&nbsp; We use very few cloud apps, and I can account for those in other rules.&nbsp; I don't want strange, non-standard ports using the URL rules.</P><P>&nbsp;</P><P>When I restricted the services on the "Unauthenticated URL Policy," I caused a bunch of Application Dependency Warnings in the other URL/App rules.&nbsp; OK, fine.&nbsp; I should probably have used "application-default."&nbsp;</P><P>&nbsp;</P><P>Here's my mystery.&nbsp; The exact same change on a different firewall, which has the exact same rules for user browsing (I actually cloned them) does NOT give me Application Depency Warnings.</P><P>&nbsp;</P><P>I'm not saying that the two firewalls have the same rule bases.&nbsp; But these particular rules that I'm working with are all the same.</P><P>&nbsp;</P><P>Can anyone explain this?</P><P>&nbsp;</P><P>Thanks,</P><P>- Steve</P><P>&nbsp;</P> Wed, 08 Aug 2018 15:59:55 GMT https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings-different-between-two-firewalls/m-p/226467#M65196 stevenkadish 2018-08-08T15:59:55Z https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings-different-between-two-firewalls/m-p/226494#M65201 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/73625">@stevenkadish</a>,</P><P>It's quite possible that the firewall that isn't giving you issues has another security policy higher in the rulebase that isn't causing the same application dependency issues as the traffic is already being allowed by prior rules; you'd really need to look at the entire rulebase to understand why the other one isn't throwing the same validation warnings.&nbsp;&nbsp;</P><P>Also note that application depenceny warnings can be&nbsp;<STRONG>really</STRONG> annoying. For instance if you allow snmpv3 it'll tell you that it depends on snmp-base, however you might never see the traffic come across as snmp-base and therefore the rule as you've configured works perfectly fine. 'Depends on' doesn't really mean that it&nbsp;<EM>needs</EM> to be in the security policy for that security policy to function perfectly fine.&nbsp;</P> Wed, 08 Aug 2018 16:37:12 GMT https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings-different-between-two-firewalls/m-p/226494#M65201 BPry 2018-08-08T16:37:12Z https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings-different-between-two-firewalls/m-p/226513#M65211 <P><SPAN>Hi,</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Thanks for the response.&nbsp; I did look at the rules above the rules in question.&nbsp; None of them are quite the same mix of conditions, and shouldn’t be matching.&nbsp; I’m still pretty confused about it.&nbsp; Maybe once I get to my final set of rules at the end of this project it will be more clear.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Best,</SPAN></P><P><SPAN>- Steve</SPAN></P> Wed, 08 Aug 2018 20:25:59 GMT https://live.paloaltonetworks.com/t5/general-topics/application-dependency-warnings-different-between-two-firewalls/m-p/226513#M65211 stevenkadish 2018-08-08T20:25:59Z