https://live.paloaltonetworks.com/t5/general-topics/adding-app-depencendies/m-p/229109#M65872 <P>This might be a dumb question, but I visited 3 clients in the past 2 weeks that did not include application depenendcies in their policy rules</P><P>&nbsp;</P><P>For example, they'll have a rule allowing webex-base, but don't add rtcp, rtp-base, or stun.&nbsp; To be fair, at least 1 of them had a rule that contains an application filter that allows risks 1, 2&nbsp;and 3, so in that regards, they are allowing the applications.&nbsp; When apply a policy, you'll still get the long list of warnings and that's annoying to me. I guess I'm picky <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>How do you all handle it</P> Sat, 01 Sep 2018 19:41:15 GMT ce1028 2018-09-01T19:41:15Z https://live.paloaltonetworks.com/t5/general-topics/adding-app-depencendies/m-p/229109#M65872 <P>This might be a dumb question, but I visited 3 clients in the past 2 weeks that did not include application depenendcies in their policy rules</P><P>&nbsp;</P><P>For example, they'll have a rule allowing webex-base, but don't add rtcp, rtp-base, or stun.&nbsp; To be fair, at least 1 of them had a rule that contains an application filter that allows risks 1, 2&nbsp;and 3, so in that regards, they are allowing the applications.&nbsp; When apply a policy, you'll still get the long list of warnings and that's annoying to me. I guess I'm picky <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>How do you all handle it</P> Sat, 01 Sep 2018 19:41:15 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-app-depencendies/m-p/229109#M65872 ce1028 2018-09-01T19:41:15Z https://live.paloaltonetworks.com/t5/general-topics/adding-app-depencendies/m-p/229123#M65874 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71649">@ce1028</a>,</P><P>Ya this one gets kind of annoying because there really isn't a good way to fix it. There's an existing Feature Request to allow the ability to supress these warnings, but at the moment it hasn't been implemented at all.&nbsp;</P><P>That being said, depending on the configuration this really may not be an issue. Say for example they have rules that already allow [ rtcp rtp-base stun ] further along the rulebase, and then a seperate rule for simply webex-base. You'll still get the warnings, but due to the way the firewall actually works when scanning sessions it won't cause any issues at all.&nbsp;</P><P>I've always viewed the warnings as more of a "hey, this might not work the best as configured unless you've already allowed the following".&nbsp;</P> Sat, 01 Sep 2018 23:33:48 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-app-depencendies/m-p/229123#M65874 BPry 2018-09-01T23:33:48Z https://live.paloaltonetworks.com/t5/general-topics/adding-app-depencendies/m-p/229124#M65875 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;hmmm that would be nice feature. Although if rule1 had [rtcp rtp-base stun] and rule 2 had [web-browsing,ssl,webex-base], the firewall should probably be smart enough to realize you have all you need and not give the warning.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 02 Sep 2018 00:33:28 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-app-depencendies/m-p/229124#M65875 ce1028 2018-09-02T00:33:28Z