We have setup a general web browsing policy and users were being blocked from viewing github. We allowed github-base to the policy and commited it. They can now view github without any issues but every time we commit we recieve a warning "Application 'github-base' requires 'ssh' be allowed." . We do not want to allow ssh outbound without limiting the destination and do not have any need for ssh to github (as just viewing M$ code).
Is there a way this can be ignored or do we just have to live with any dependincy messages on commits?
We are running 7.0.x if that makes a difference.
Solved! Go to Solution.
The dependency waring saying to make that application to work properly you have to allow ssh as well.
These warning does not depends on PAN-OS they are dependent on application-and-threat updates.
To check more about the denpendent application use the following commands on CLI:
PA# show predefined application <name of the application>
Hope this helps!
I understand how to find the dependencies but I do not understand why to view github.com in a browser I must allow SSH? Right now I am able to load github without allowing SSH where before it was being blocked but I just recieve the dependeny warning.
I guess my other option is to create a custom application.
Application override stops L7 ispection not custom application.
In your case you can create another rule.
Add web-browsing, ssh and ssl as applications.
And use custom URL category to allow this rule to match only if traffic goes to URL's specified in the custom category.
In this case you can get rid of the warning and don't have to allow ssh to everywhere.
That makes sense and seems like the best solution with the options we have. Hopefully there will not be to many application like that.
We've ran into this same issue on a lot of pre-built applications. If you truly want to remove these warnings while also denying the application (in this case ssh), then I would create two rules as such:
rule 1: deny ssh
rule 2: allow git-hub, ssh
rule 1 will block ssh traffic based on your criteria.
rule 2 allows git-hub as well as ssh, but the ssh traffic is never matched as rule 1 blocks it. This will get rid of the warnings.
There should be a way to suppress applications warnings and I have suggested this to Palo Alto on a few occasions. Applications like VMWare View, for example, assume that all of your services from broker to virtual machines will live on the same servers, which in any large deployment is ludicrous. It is typically a best practice to only open those appliations needed to a host when securing it.
Just my two cents,
I'm pretty sure I tried this once but then it gave a warning about one policying being shadowed by another. I tried this again and it does not give this warning anymore.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!