- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-09-2014 08:35 AM
Hello
Today I have to add MS Lync to be allowed from VPN. Sound simple.
So I add to security rule ms-lync
.
but during commit I get warnings:
ok, I added ms-lync-online but I get another warning:
DO I really need to add every particular aplication by hands?
We pay for support and expect easy to use PAN.
Second problem is that I alredy have few security policies that have a list to aplications (from dependencies) that takes a half of my laptop screen.
Why te aplication column show every plaication that is on the list, why after ie. 3 of it doesn't show "...." or "+" that after click will show complete list of aplication?
Please give me advice how to manage this problem
With regards
Slawek
Sorry for my bad english.
01-13-2014 04:42 AM
With recent versions (don't know exactly when it was introduced) the dependencies are added automatically, but stay hidden.
In my experience you'll probably have to add generic dependencies (web-browsing, ssl). Otherwise there's no traffic to inspect, so app-id will not recognize a particular app.
01-13-2014 06:34 AM
Hello Slawek,
The best way to understand/verify any application dependencies is Application Research Center. You can check all application related information here:
Just an example:
Thanks
01-13-2014 07:46 AM
hi slv,
we also have this messages after commits. But, you can ignore them. Lync is also firewalled in our environment and the dependency are really huge... all dependencies are not required!
We are really just allowing what is required and do ignore the messages...
So, don't worry - Dependency is a never ending story
01-13-2014 07:56 AM
I feel like the rule interface could be leveraged better to support Applications/Dependencies. If there were an icon in each rule's Applications list that could pop up a new window showing dependencies for the included Applications, then a quick 'add all dependencies' button could be provided and perhaps an 'ignore dependency warnings for this rule' button. The problem with 'just ignoring them' is problematic when the results window becomes dozens or hundreds of lines of these warnings. It is too easy to miss something important.
01-13-2014 08:13 AM
just wait for PANOS 6. May there is something new. If not, you have the option to do a feature request. Contact your SE..
01-13-2014 08:19 AM
Sure.. Just putting it out there so if others feel this is a good idea, we can all knock on that door;)
01-15-2014 04:33 AM
Hi HULK
I don't agree with You. According to applipedia my policy should like:
and I have exactly this aplication in policy, but every commit it complaining about next aplication that's are needed by dependencies. This makes a lot of confusion.
As a Hithead wrote - with thouse 5 aplication MS lync working properly - so why PAN asking for more? maybe this is an issiue?
PA technicians - could you explain us?
Like Frank wrote - we can't ignore every message (but we will do when we have in many policies dependencies twhich have not been met) during commit. There is a lot of usefull information.
Could someone who is using beta of PAN 6.0 could confirm that in 6.x it will be better solved?
With regards
SLawek
05-09-2014 01:39 AM
Hi!
Can somebody tell me if this got better with 6.0? I did a quick check of the release notes but couldn't find anything regarding dependencies. It would be really great to have the possibility to just simply include all dependencies for specific rules/apps.
Kind regards,
Franz
05-09-2014 01:43 AM
I did not hear any improvements at 6.0 for that.
05-09-2014 06:12 AM
I agree with Hithead...though the warnings should not be taken lightly, they aren't an automatic indication of degradation/failure. Look at what the ARC says about the App/App groups and base your rule off of that. You can then monitor your traffic to verify that no unwanted drops/blocks are occurring.
05-20-2014 02:22 PM
You can can and should ignore these dependencies as some of them are not required depending on your context. it's only if you notice that your application is not working as expected that you should have a look at logs and see what application is being blocked. For example, STUN is listed , but not allowing it will still allow lync to work in 99% of case.
I admit it's a pain to get pages and pages of dependency warnings.
08-22-2014 09:03 AM
As far as I know there is no solution for this issue at this time. Some of my customers have hundreds of rules with dependencies and they are unable to read hundreds of warnings every time they make a "commit".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!