topic Re: APP-ID: Target app and Depends ON APPs over more then one Security Rule! YES or NOT? in General Topics

APP-ID: Target app and Depends ON APPs over more then one Security Rule! YES or NOT?

fhu_omi — Fri, 22 Jan 2021 14:03:11 GMT

Hi There,

I didn't find a real answer for the question, if its nessessary to add "Depends On" Apps in the SAME security rule or is it also possible to add this in the security rules before?

Example for specific app and all "Depends on" in have to be in the same security rule:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK (need to have one of the following apps need to be allowed in the same rule to allow facebook-posting)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClirCAC (last example in the post)
Official Admin Guide, says all depends on Apps have to be in the same rule.
PaloAlto guy statement

And in the other side: Not nessessary or recommendet in the same rule:

https://live.paloaltonetworks.com/t5/general-topics/app-id-doubt/m-p/344365#M86168 (I would generally recommend not including common dependencies directly in your AnyDesk rule, because it's likely already being satisfied in your rulebase.)
If you clone or create a security policy ther is alway an option for "Depends On Application" to add to e existing rule instead only to the same, therefore could it be that this is also intendet to use in this way. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies.html)
Also a demo setup, where in rule 1. is ssl and webbrowsing allowed, and in the 2.only github-base, result in that i can access github

Because of these contradictory statements and the real experiment I am now very confused.

If it is possible to seperate depends on Apps in a rule before as the target App with this dependencies, like my setup. Then is it that the prove that not first rule matches!

i hope somebody can help

Kind regards

Fabio

Re: APP-ID: Target app and Depends ON APPs over more then one Security Rule! YES or NOT?

BPry — Mon, 25 Jan 2021 04:23:40 GMT

@fhu_omi,

You can absolutely separate these out without any issue, as long as the depends on app-ids are allowed somewhere in the rulebase it'll work perfectly fine.

So if you take a look at youtube-streaming for example, it depends on youtube-base. You don't need to include youtube-streaming and youtube-base in the same rulebase entry, and you can separate them into two separate entries and it would work perfectly fine. As soon as the traffic is identified under the new app-id, the firewall will re-scan the security rulebase and match to whatever rulebase entry you have associated with the traffic.

Re: APP-ID: Target app and Depends ON APPs over more then one Security Rule! YES or NOT?

reaper — Mon, 25 Jan 2021 09:02:58 GMT

i concur with @BPry : you don't need to have dependencies in the same rule. I do want to zoom in on your last paragraph to hopefull ylft some more of the condfusion surrounding this topic:

"If it is possible to seperate depends on Apps in a rule before as the target App with this dependencies, like my setup. Then is it that the prove that not first rule matches!"

for every session the rulebase will actually evaluate the security rulebase multiple times:

1. when a SYN packet comes in, only the 6-tuple is available (srcIP,srcZone,dstIP,dstZone,dstPort,Proto) so the apps in rules will be ignored to find a matching rule

2. when the initial app is detected, the rulebase will again be evaluated to see if a rule is found that matches the app (this is where web-browsing, ssl etc are detected as we're only 4-6 packets into a session)

3. as the session passes more packets, the 'app' will start to transmit more payload that can be identified as something more specific, so this could be one of the app-base applications, so the firewall checks if that app matches a rule

4. with even more payload being transferred, an even more specific app can be detected. This is where the apps live that are dependent on a more generic 'parent' app, because it takes so many packets before it can be properly identified. At this stage another rulebase evaluation takes place, so this app can actually sit in a different rule than the above 'parents'

hope this helps

Re: APP-ID: Target app and Depends ON APPs over more then one Security Rule! YES or NOT?

fhu_omi — Fri, 29 Jan 2021 15:48:06 GMT

Hi @reaper and @BPry ,

Ok that makes absolutly sense, thank you very much.

But what happens if i add in every security rule, the desired APPID and the "Parent APPIDs". For example, two seperate security rules with different AppIDs, like 1. pastebin and 2. github, but both have the ssl, web-browsing as depend on (this is only en example, one of them implicity use ssl). If i add ssl and web-browsing in every rule, but with different URL Filters, because i have to restrict in both rules different SubUrlPaths. How is handling this the firewall?

Is there an advantage or disadvantage, if i seperate depends on AppIDs in seperate security rules?

Because a ruleset should be readable, i think an order is good, if i alway need to search where i allow an AppID, then its difficult to read the ruleset. But i don't know if its a bad idee to build up the ruleset with needed depends on AppIDs first in the rulest and then i go more and more sepcific to the desired AppIDs. The rest of the ruleset is like first rule match, from spesific first to more and more general at the end. Now with AppID is this in my point of view the oppsit and i have to combine both methods.

Kind regards

Fabio

Re: APP-ID: Target app and Depends ON APPs over more then one Security Rule! YES or NOT?

BPry — Fri, 29 Jan 2021 16:00:44 GMT

@fhu_omi,

The traffic is going to match the first entry that matches the traffic pattern.

1) If you included ssl and web-browsing in every rule without a URL Category or restricted destination configured, traffic is simply going to match to the first rulebase entry.

2) When you use a URL Category to restrict the traffic, the first rule to do so is going to allow all traffic until the URL can be identified. At that time, the firewall would re-analyze the rulebase and match to the proper rule.

Is there an advantage or disadvantage, if i seperate depends on AppIDs in seperate security rules?

This is just a management/operation decision. I like to create a general internet browsing policy that includes ssl and web-browsing, and then create more specific allowed application entries above that.

Re: APP-ID: Target app and Depends ON APPs over more then one Security Rule! YES or NOT?

fhu_omi — Wed, 03 Feb 2021 08:54:31 GMT

@BPry

Thanks for your answer, that is helping.

If you write "above" then you have the general internet browsing poilcy in the end of the ruleset? Ok, as you said, the position is not relevant with APP ID, only if you have other restriction of the tuple 6 criterias or URL matching criteria. If i understand the flow correct.