This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Application dependency Warning

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Application dependency Warning

Go to solution
Farzana
L4 Transporter

‎03-04-2018 08:39 PM

Hello,

 

We implemented the blocking policy for the custom URL categories however now once committed we receive commit warning like the following:

 

Application 'dropbox-base' requires 'web-browsing' be allowed, but 'web-browsing' is denied in Rule 'outbound-advertisement-block'

Application 'google-drive-web' requires 'google-base' be allowed, but 'google-base' is denied in Rule 'outbound-advertisement-block'

 

The policies for Dropbox and Google drive are policy 14 and 19, and the advertisement block is 53.

 

Why would the allow policies above the deny policy be generating warning?

 

We have other deny policies and they do not generate the warning messages.

 

It’s just that we can’t really have the following showing every time we commit a change. It will blind us to actual issues...?

 

vsys1: Rule 'outbound ms-update' application dependency warning:

Application 'ms-update' requires 'ssl' be allowed

vsys1: Rule 'outbound_dropbox' application dependency warning:

Application 'dropbox-base' requires 'web-browsing' be allowed, but 'web-browsing' is denied in Rule 'outbound-advertisement-block'

Application 'dropbox-uploading' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'outbound-advertisement-block'

Application 'dropbox-paper' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'outbound-advertisement-block'

Application 'dropbox-paper' requires 'web-browsing' be allowed, but 'web-browsing' is denied in Rule 'outbound-advertisement-block'

Application 'dropbox-downloading' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'outbound-advertisement-block'

Application 'dropbox-sharing' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'outbound-advertisement-block'

Application 'dropbox-editing' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'outbound-advertisement-block'

Application 'dropbox-posting' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'outbound-advertisement-block'

vsys1: Rule 'Google Drive Access' application dependency warning:

Application 'google-drive-web' requires 'google-base' be allowed, but 'google-base' is denied in Rule 'outbound-advertisement-block'

Application 'google-drive-web' requires 'google-docs-base' be allowed, but 'google-docs-base' is denied in Rule 'outbound-advertisement-block'

Application 'google-drive-web' requires 'google-docs-editing' be allowed, but 'google-docs-editing' is denied in Rule 'outbound-advertisement-block'

Application 'google-drive-web' requires 'google-docs-uploading' be allowed, but 'google-docs-uploading' is denied in Rule 'outbound-advertisement-block'

vsys1: Rule 'Video Streaming RTMP Pull' application dependency warning:

Application 'rtmpt' requires 'web-browsing' be allowed, but 'web-browsing' is denied in Rule 'outbound-advertisement-block'

(Module: device)

 

Thanks in advance.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite

‎03-05-2018 01:24 AM

did you create the 'outbound-advertisement-block' policy so the custom category is in the service/url category tab?

you could also block this category in a url filtering profile, which would make it possible for you to have an allow policy for web-browsing and ssl

alternatively you could set the applications for your block rule to 'any' 

 

the google drive and dropbox policies are generating warnings because they need a functioning web-browsing/ssl policy as these apps depend on having access to these before theyre able to be identified. 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

6 REPLIES 6

Go to solution
reaper
Cyber Elite
Cyber Elite

‎03-05-2018 01:24 AM

did you create the 'outbound-advertisement-block' policy so the custom category is in the service/url category tab?

you could also block this category in a url filtering profile, which would make it possible for you to have an allow policy for web-browsing and ssl

alternatively you could set the applications for your block rule to 'any' 

 

the google drive and dropbox policies are generating warnings because they need a functioning web-browsing/ssl policy as these apps depend on having access to these before theyre able to be identified. 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎03-05-2018 12:25 PM

Hello @Farzana,

I get a ton of these as well. It seems that unless the dependencies are in the same policy, it will throw the warnings. I havent found a good way around it and honestly just treat it as a norm :(.

 

Regards,

Go to solution
tshooter
L2 Linker
In response to OtakarKlier

‎03-01-2021 11:05 AM

I create a rule called dropbox-allow, I add app id - dropbox, and web-browsing(so it doesn't complain). 

 

1. question:  if I dont add the dependent app, to the rule, will the rule work and allow traffic?  Or will dropbox fail?  What is consequence ? 


2.If I wanted to block all web-browsing. but allow dropbox, how would I do that? 
Would I create rule to block all web-browsing above rule dropbox allow??


 

0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to tshooter

‎03-01-2021 12:51 PM

Web-browsing doesn't need to be in the same rule but it needs to be allowed somewhere

 

This is because the way app-id works:

-Syn packet arrives, security rules are checked for source/dest zone/ip and dest-port

- if matching rule is found, session is created and packets are allowed to pass

-once some packets have passed identifiable payload will pass, like a HTTP GET or a client hello. App-id can now identify web-browsing or ssl or some other parent apps

- once more packets have passed, more specific payload may change the app into something more specific

 

If you block the parent/dependency app, you will never get to the child app

 

If you need to block all web-browsing, you can do so by adding web-browsing to the dropbox rule, or creating a new rule with web-browsing, but setting the url category (in the services tab, not url filtering) to a custom category with the dropbox urls included

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
tshooter
L2 Linker
In response to reaper

‎03-01-2021 02:09 PM

Is a URL-filter license required to do that?


0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to tshooter

‎03-04-2021 12:45 AM

@tshootercustom URL categories don't require a URL filtering license!

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 1 accepted solution
  • 7135 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks