Supressing Application Dependancy Warnings.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Supressing Application Dependancy Warnings.

L4 Transporter

On our "SKYPE" rule I have removed web-browsing, this causes dependancy warnings on commit.

 

I read this "solution"

 

https://live.paloaltonetworks.com/t5/Management-Articles/Application-Dependency-Warnings-with-Allowe...

 

But not sure if it's correct or makes the rule insecure?

 

Rob

8 REPLIES 8

Cyber Elite
Cyber Elite

@RobinClayton,

So looking at how they did it in the linked article I'm not a big fan of the solution. Yes this would get rid of the commit warnings but they are also allowing 'ssl' and 'web-browsing' across a large number of non-standard ports. Sometimes this is needed when you aren't running ssl-decryption due to which app-ids come across the firewall, but the way they built the rules in this example article they aren't limiting it to a set destination so this would be allowed globally which generally isn't a good idea. 

Thought it looked a bit poor.

 

Will just have to tell my team to ingnore the warnings.

 

Cheers.

@RobinClayton,

Depending on how your rules are built out it may be a functional option if you could limit the rules exposure either through source address specification or destination address specification. But ya I wouldn't do this globally like the example did if you can't limit the scope of the rule at all. 

Since the rule is for SKYPE, source and dest are not fixed (well we limit it to the few PC's that are used for skype), leaving them with unrestricted web-browsing is not an option.

 

 

L0 Member

I have been racking  my brain trying to figure this out. I am fairly new to palo alto, but it really seems like there should be some way to do this.

 

We want to have a rule that allows a group of people to do most everything in a browser. The "browser-based" application filter seemed like a perfect solution, but it requires all kinds of other things in order to alleviate the dependency warnings including ftp, smtp, etc. Obviously, this circumvents all kinds of things we don't want to allow.

 

My worry with "just ignore the warning" is that we will become immune to it and miss something "real" in the future.

 

(We also had the issue when trying to do skype)

@jaredkitch,

There is an existing feature request for this, so I would reach out to your SE and have them add your vote to it. It's something that people have been asking for, it's just something that doesn't really fit in nicely with the way the validate process is ran. 

There is certaintly a small amount of risk with just leaving the dependancy warnings, as you stated people can become immune to it and then miss something that actually does cause issues. 

 

As for the filter that you are trying to build, I primarly recommend that people create a browsing rule that allows browsing for application 'any' with service 'application-default'. You can then build out specific application deny rules, or deny filters, depending on what you actually don't want to allow in your enviroment. Obviously this depends highly on how restrictive your organization is with allowing outside access, but it works for most. 

Added my vote to the Feature Request.

 

Cheers

 

Rob

My vote was added to the feature request internally.

  • 3000 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!