I have created a rule which requires access to Adobe-creative clolud. This application is dependent on SSL and web browsing. Setting this rule to allow aslo grants access to websites like Amazon.com or general internet access.
Is there a way to make it work just for the particular app? or I am missing something in creating the policy?
You can further lock down http/https access based on URL category. Pretty sure you can use custom URL categories without URL Filtering license if you did not have one.
Hope this helps.
In some cases it also works without adding the dependencies. You then probably get a commit warning, but it will not allow general webaccess.
Or as @Ben-W already pointed out, you can use a custom url category to restrict the access to only Adobe domains. The list with quite a few entries from adobe you can find here: https://helpx.adobe.com/in/enterprise/kb/network-endpoints.html
(And yes, using a custom URL category does not require a URL Filtering license)
Thank you @Ben-W and @vsys_remo I will create a URL category for adobe and hopefully that should fix it. But I am still confused why adding ssl and web-browsing for a specific app allows unwanted internet access. With the current set up I can almost browse anything like amazon.com etc.
We do have a URL Filtering License for our firewall. Should I create a allow/block list and add to this adobe cc policy?
I would recommend creating a custom url category which you add directly to the security policy rule (not via security profile).
Sure, I will do that. So Even though other appliations are not listed, Palo Alto opens up unwanted access if URL Category is not specified.
If you are allowing a dependent application within a security rule then it's allowed just as any other application. So if I had a rule that allowed [ ssl web-browsing google-base ] other traffic would still match this rule until/if it was able to be identified as a more specific application.
Others have already pointed out ways around this so I won't rehash it, but you'll essentially want to pick one method or another to address this.
The "problem" is that not every application can be recocnized within a few packets. In some cases you first need to allow these dependencies, to allow enough traffic that the firewall will be able to see the adobe cc application. And again in other cases decryption is required to gain this visibility, because without that for example the firewall only sees web-browsing or ssl.
You actually don't have to allow the dependencies, but as I wrote, in some cases paloalto can only guarantee full functionality of the various apps when you allow these dependencies. As you see this can also have negative/unwanted sideeffects which you can restrict with this solution with the custom url category.
So adding URL filtering or URL category is the solution. Thank you so much for your help everyone. :)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!