App dependencies - that's creazy!!

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

App dependencies - that's creazy!!

L4 Transporter

Hello

Today I have to add MS Lync to be allowed from VPN. Sound simple.

So I add to security rule ms-lync

2014-01-09_164815.png.

but during commit I get warnings:

2014-01-09_165349.png

ok, I added ms-lync-online but I get another warning:

2014-01-09_170459.png

DO I really need to add every particular aplication by hands?

We pay for support and expect easy to use PAN.

Second problem is that I alredy have few security policies that have a list to aplications (from dependencies) that takes a half of my laptop screen.

Why te aplication column show every plaication that is on the list, why after ie. 3 of it doesn't show "...." or "+" that after click will show complete list of aplication?

Please give me advice how to manage this problem

With regards

Slawek

Sorry for my bad english.

12 REPLIES 12

L4 Transporter

With recent versions (don't know exactly when it was introduced) the dependencies are added automatically, but stay hidden.

In my experience you'll probably have to add generic dependencies (web-browsing, ssl). Otherwise there's no traffic to inspect, so app-id will not recognize a particular app.

L7 Applicator

Hello Slawek,

The best way to understand/verify  any application dependencies is Application Research Center.  You can check all application related information here:

Just an example:

Applipedia.JPG.jpg

Applipedia-1.JPG.jpg

Thanks

L4 Transporter

hi slv,

we also have this messages after commits. But, you can ignore them. Lync is also firewalled in our environment and the dependency are really huge... all dependencies are not required!

We are really just allowing what is required and do ignore the messages...

So, don't worry - Dependency is a never ending story Smiley Happy

L2 Linker

I feel like the rule interface could be leveraged better to support Applications/Dependencies.  If there were an icon in each rule's Applications list that could pop up a new window showing dependencies for the included Applications, then a quick 'add all dependencies' button could be provided and perhaps an 'ignore dependency warnings for this rule' button.    The problem with 'just ignoring them' is problematic when the results window becomes dozens or hundreds of lines of these warnings.  It is too easy to miss something important.

just wait for PANOS 6. May there is something new. If not, you have the option to do a feature request. Contact your SE..

Sure.. Just putting it out there so if others feel this is a good idea, we can all knock on that door;)

L4 Transporter

Hi HULK

I don't agree with You. According to applipedia my policy should like:

2014-01-15_132421.png

and I have exactly this aplication in policy, but every commit it complaining about next aplication that's are needed by dependencies. This makes a lot of confusion.

As a Hithead wrote - with thouse 5 aplication MS lync working properly - so why PAN asking for more? maybe this is an issiue?

PA technicians - could you explain us?

Like Frank wrote - we can't ignore every message (but we  will do when we have in many policies dependencies twhich have not been met) during commit. There is a lot of usefull information.


Could someone who is using beta of PAN 6.0 could confirm that in 6.x it will be better solved?

With regards

SLawek

Hi!

Can somebody tell me if this got better with 6.0? I did a quick check of the release notes but couldn't find anything regarding dependencies. It would be really great to have the possibility to just simply include all dependencies for specific rules/apps.

Kind regards,

Franz

I did not hear any improvements at 6.0 for that.

Not applicable

I agree with Hithead...though the warnings should not be taken lightly, they aren't an automatic indication of degradation/failure. Look at what the ARC says about the App/App groups and base your rule off of that. You can then monitor your traffic to verify that no unwanted drops/blocks are occurring.  

You can can and should ignore these dependencies as some of them are not required depending on your context. it's only if you notice that your application is not working as expected that you should  have a look at logs and see what application is being blocked. For example, STUN is listed , but not allowing it will still allow lync to work in 99% of case.

I admit it's a pain to get pages and pages of dependency warnings.

L2 Linker

As far as I know there is no solution for this issue at this time. Some of my customers have hundreds of rules with dependencies and they are unable to read hundreds of warnings every time they make a "commit".

  • 4814 Views
  • 12 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!