This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

App dependencies - that's creazy!!

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

App dependencies - that's creazy!!

_slv_
L4 Transporter

‎01-09-2014 08:35 AM

Hello

Today I have to add MS Lync to be allowed from VPN. Sound simple.

So I add to security rule ms-lync

2014-01-09_164815.png.

but during commit I get warnings:

2014-01-09_165349.png

ok, I added ms-lync-online but I get another warning:

2014-01-09_170459.png

DO I really need to add every particular aplication by hands?

We pay for support and expect easy to use PAN.

Second problem is that I alredy have few security policies that have a list to aplications (from dependencies) that takes a half of my laptop screen.

Why te aplication column show every plaication that is on the list, why after ie. 3 of it doesn't show "...." or "+" that after click will show complete list of aplication?

Please give me advice how to manage this problem

With regards

Slawek

Sorry for my bad english.

Labels:
12 REPLIES 12

dieter_b
L4 Transporter

‎01-13-2014 04:42 AM

With recent versions (don't know exactly when it was introduced) the dependencies are added automatically, but stay hidden.

In my experience you'll probably have to add generic dependencies (web-browsing, ssl). Otherwise there's no traffic to inspect, so app-id will not recognize a particular app.

0 Likes Likes

HULK
L7 Applicator

‎01-13-2014 06:34 AM

Hello Slawek,

The best way to understand/verify  any application dependencies is Application Research Center.  You can check all application related information here:

Just an example:

Applipedia.JPG.jpg

Applipedia-1.JPG.jpg

Thanks

Hithead
L4 Transporter

‎01-13-2014 07:46 AM

hi slv,

we also have this messages after commits. But, you can ignore them. Lync is also firewalled in our environment and the dependency are really huge... all dependencies are not required!

We are really just allowing what is required and do ignore the messages...

So, don't worry - Dependency is a never ending story Smiley Happy

frank_henry
L2 Linker

‎01-13-2014 07:56 AM

I feel like the rule interface could be leveraged better to support Applications/Dependencies.  If there were an icon in each rule's Applications list that could pop up a new window showing dependencies for the included Applications, then a quick 'add all dependencies' button could be provided and perhaps an 'ignore dependency warnings for this rule' button.    The problem with 'just ignoring them' is problematic when the results window becomes dozens or hundreds of lines of these warnings.  It is too easy to miss something important.

0 Likes Likes

Hithead
L4 Transporter
In response to frank_henry

‎01-13-2014 08:13 AM

just wait for PANOS 6. May there is something new. If not, you have the option to do a feature request. Contact your SE..

0 Likes Likes

frank_henry
L2 Linker
In response to Hithead

‎01-13-2014 08:19 AM

Sure.. Just putting it out there so if others feel this is a good idea, we can all knock on that door;)

0 Likes Likes

_slv_
L4 Transporter
In response to HULK

‎01-15-2014 04:33 AM

Hi HULK

I don't agree with You. According to applipedia my policy should like:

2014-01-15_132421.png

and I have exactly this aplication in policy, but every commit it complaining about next aplication that's are needed by dependencies. This makes a lot of confusion.

As a Hithead wrote - with thouse 5 aplication MS lync working properly - so why PAN asking for more? maybe this is an issiue?

PA technicians - could you explain us?

Like Frank wrote - we can't ignore every message (but we  will do when we have in many policies dependencies twhich have not been met) during commit. There is a lot of usefull information.


Could someone who is using beta of PAN 6.0 could confirm that in 6.x it will be better solved?

With regards

SLawek

0 Likes Likes

faigner
L0 Member
In response to _slv_

‎05-09-2014 01:39 AM

Hi!

Can somebody tell me if this got better with 6.0? I did a quick check of the release notes but couldn't find anything regarding dependencies. It would be really great to have the possibility to just simply include all dependencies for specific rules/apps.

Kind regards,

Franz

0 Likes Likes

panos
L6 Presenter
In response to faigner

‎05-09-2014 01:43 AM

I did not hear any improvements at 6.0 for that.

0 Likes Likes

DaveCorwin
Not applicable

‎05-09-2014 06:12 AM

I agree with Hithead...though the warnings should not be taken lightly, they aren't an automatic indication of degradation/failure. Look at what the ARC says about the App/App groups and base your rule off of that. You can then monitor your traffic to verify that no unwanted drops/blocks are occurring.  

0 Likes Likes

cpainchaud
L4 Transporter
In response to DaveCorwin

‎05-20-2014 02:22 PM

You can can and should ignore these dependencies as some of them are not required depending on your context. it's only if you notice that your application is not working as expected that you should  have a look at logs and see what application is being blocked. For example, STUN is listed , but not allowing it will still allow lync to work in 99% of case.

I admit it's a pain to get pages and pages of dependency warnings.

0 Likes Likes

ET
L2 Linker

‎08-22-2014 09:03 AM

As far as I know there is no solution for this issue at this time. Some of my customers have hundreds of rules with dependencies and they are unable to read hundreds of warnings every time they make a "commit".

0 Likes Likes
  • 5483 Views
  • 12 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks