topic Re: policy installation proccess in General Topics

policy installation proccess

minow — Thu, 17 May 2012 07:36:21 GMT

hey

i have some policy that gives me warning when i do commit on it so i dont realy understand the policy calculation proccedure, ill be glad if you could explain it to me.

i attached a policy screen shot, when i do install policy i get warnings for example face-book chat that it needs web-browsing and jabber to work.

lets focus about the manage zone, and the TMG is used as a proxy for almost all users.

the first rule is to allow some apps that are being blocked by the second and forth rules, but if we will look at the third rule we can see everything is allowed and going thgough URL, AV etc.. so:

at the first rule i opened facebook chat and on the third rule web-browsing is allowed so why do i get those warnings?

thank you for any help

Re: policy installation proccess

mikand — Thu, 17 May 2012 17:53:50 GMT

Yes, but third rule have different sourcezone ("-Zone" is missing) - I guess thats why you get the dependency warning.

So in your case add web-browsing to the first rule and perhaps expand Block_Application_Filter to block stuff which can be identified as other applications based on web-browsing.

If im not mistaken PANOS 5.x will fix some of the dependency stuff.

Re: policy installation proccess

minow — Fri, 18 May 2012 15:04:31 GMT

but the "-zone" open web browsing on the fifth rule, the reson for this policy is that "-zone" and "maange-zone" should have different url filtering policy.

i still cant uderstand the reason for those warnings.

Re: policy installation proccess

ppatel — Sun, 20 May 2012 21:36:37 GMT

Hi,

I did a quick test on my Palo Alto device and found the same results.

I created a the following rule set:-

1) Name:- Test Rule 1:- From Trust, DMZ to Untrust, Allow: facebook-chat,facebook-base and jabber

2) Name:- Test Rule 2 :- From Trust to Untrust, Allow: web browsing , ssl

3) Name:- Test Rule 3 :- From DMZ to Untrust, Allow: web browsing , ssl

The commit will show us the dependency warning as you see in your case.

I guess since you have created a rule 1 to include 2 source zones in the single rule to allow facebook base,facebook-chat jabber the dependency rule should also include the same 2 source zones.

I do understand your purpose of addidng 2 differnt URL filtering profiles to the two dependency rules.

This can be acheived without any dependency warnings by the following rule Set:-

1) Name:- Exclude_Applications:- From Manage-zone to Any zone with TMG-Manage-Source address Allow facebook base-chat-mail-posting,dropbox etc

2) Name:- Exclude_Applications -2 :- From -Zone to Any zone with TMG-Source address Allow facebook base-chat-mail-posting,dropbox etc

3) Name:- Manage Application Control (No change to that rule)

4)Internet_Manage:- From Manage-zone to Any zone with TMG-Manage-Source address Allow ssl, web-browsing (Add-URL category- 1)

5)YVC_Application Control:- From -Zone to Any zone with TMG-Source address Allow ssl,web-browsing (Add-URL category-2)

You would not be seeing the warnings now. Let me know once you configure it and if that helps.

Regards,

Parth