Way to ignore dependency warnings?

L1 Bithead

Way to ignore dependency warnings?

We have set up a general web browsing policy and users were being blocked from viewing github.  We allowed github-base to the policy and committed it.  They can now view github without any issues but every time we commit we receive a warning "Application 'github-base' requires 'ssh' be allowed.".  We do not want to allow ssh outbound without limiting the destination and do not have any need for ssh to github (as just viewing M$ code).

 

Is there a way this can be ignored or do we just have to live with any dependency messages on commits?

 

We are running 7.0.x if that makes a difference. 

 

 

L5 Sessionator

Re: Way to ignore dependency warnings?

The dependency warning is saying that to make that application work properly you have to allow ssh as well.

These warnings do not depend on PAN-OS; they are dependent on application-and-threat updates.

To check more about the dependent application, use the following commands on the CLI:
PA>configure
PA# show predefined application <name of the application>

 

Hope this helps!

L5 Sessionator

Re: Way to ignore dependency warnings?

You can also visit the following website:

 

https://applipedia.paloaltonetworks.com/

L5 Sessionator

Re: Way to ignore dependency warnings?

To avoid those warnings you have to allow that application.

L1 Bithead

Re: Way to ignore dependency warnings?

Thanks Pankaj,

 

I understand how to find the dependencies but I do not understand why to view github.com in a browser I must allow SSH?  Right now I am able to load github without allowing SSH where before it was being blocked but I just receive the dependency warning.

 

I guess my other option is to create a custom application.

L5 Sessionator

Re: Way to ignore dependency warnings?

Application override will stop the layer 7 inspection. It is not preferred unless it is very necessary.

L7 Applicator

Re: Way to ignore dependency warnings?

Application override stops L7 inspection, not custom application.

 

In your case you can create another rule.

Add web-browsing, ssh and ssl as applications.

And use a custom URL category to allow this rule to match only if traffic goes to URLs specified in the custom category.

 

In this case you can get rid of the warning and don't have to allow ssh to everywhere.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L1 Bithead

Re: Way to ignore dependency warnings?

Thanks Radio,

 

That makes sense and seems like the best solution with the options we have.  Hopefully there will not be too many applications like that.

L3 Networker

Re: Way to ignore dependency warnings?

We've run into this same issue on a lot of pre-built applications.  If you truly want to remove these warnings while also denying the application (in this case ssh), then I would create two rules as such:

 

rule 1:  deny ssh

rule 2:  allow git-hub, ssh

 

rule 1 will block ssh traffic based on your criteria. 

rule 2 allows git-hub as well as ssh, but the ssh traffic is never matched as rule 1 blocks it.  This will get rid of the warnings.

 

There should be a way to suppress application warnings and I have suggested this to Palo Alto on a few occasions. Applications like VMWare View, for example, assume that all of your services from broker to virtual machines will live on the same servers, which in any large deployment is ludicrous.  It is typically a best practice to only open those applications needed to a host when securing it.

 

Just my two cents,

 

Matt
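
The two-rule layout from the post above, as an added Python model that is not part of the original thread and is not PAN-OS code. It assumes the commit check is applied per allow rule, that rules match on application only, and that unmatched traffic is denied; the rule names, the rulebases and the dependency table are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed dependency table; the thread only states that github-base requires ssh.
DEPENDS_ON = {"github-base": {"ssh"}}

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    action: str  # "allow" or "deny"

def commit_warnings(rules):
    """Model of the commit check as the thread describes it: an allow rule
    that lists an application without its dependency produces a warning."""
    warnings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for app in sorted(rule.apps):
            for dep in sorted(DEPENDS_ON.get(app, set()) - rule.apps):
                warnings.append(f"Application '{app}' requires '{dep}' be allowed.")
    return warnings

def evaluate(rules, app):
    """First-match evaluation, top to bottom; unmatched traffic is denied."""
    for rule in rules:
        if app in rule.apps:
            return rule.action, rule.name
    return "deny", "default"

def unreachable_allows(rules):
    """Applications in an allow rule that an earlier rule already matches."""
    seen, dead = set(), []
    for rule in rules:
        if rule.action == "allow":
            dead += [(rule.name, app) for app in sorted(rule.apps & seen)]
        seen |= rule.apps
    return dead

# Constructed rulebases: the original policy and the two-rule layout from the post.
ORIGINAL = [Rule("web-browsing-policy",
                 frozenset({"web-browsing", "ssl", "github-base"}), "allow")]
TWO_RULE = [
    Rule("rule 1", frozenset({"ssh"}), "deny"),
    Rule("rule 2", frozenset({"github-base", "ssh"}), "allow"),
]

if __name__ == "__main__":
    for label, rulebase in (("original", ORIGINAL), ("two-rule", TWO_RULE)):
        print(label, commit_warnings(rulebase), evaluate(rulebase, "ssh"),
              unreachable_allows(rulebase))
```

The `unreachable_allows` result is the thing to audit after any reordering: if rule 1 is ever moved below rule 2 or narrowed, the ssh entry in rule 2 becomes a live allow.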

 

 

 

L1 Bithead

Re: Way to ignore dependency warnings?

Thanks Matt,

 

I'm pretty sure I tried this once but then it gave a warning about one policy being shadowed by another.  I tried this again and it does not give this warning anymore.

 

Josh
