I am consolidating a lot of old, messy URL/App rules written by my predecessors. I have one rule that is the URL filtering rule for "unauthenticated" users (i.e., those that aren't identified by the User Agents.) It allows "any" appliation.
I have other rules that use application sets and custom URL filters, based on user groups. All working fine.
Now, I thought to restrict the services on the URL rules to HTTP & HTTPS. Most of our web browsing is personal, research, etc. We use very few cloud apps, and I can account for those in other rules. I don't want strange, non-standard ports using the URL rules.
When I restricted the services on the "Unauthenticated URL Policy," I caused a bunch of Application Dependency Warnings in the other URL/App rules. OK, fine. I should probably have used "application-default."
Here's my mystery. The exact same change on a different firewall, which has the exact same rules for user browsing (I actually cloned them) does NOT give me Application Depency Warnings.
I'm not saying that the two firewalls have the same rule bases. But these particular rules that I'm working with are all the same.
Can anyone explain this?
It's quite possible that the firewall that isn't giving you issues has another security policy higher in the rulebase that isn't causing the same application dependency issues as the traffic is already being allowed by prior rules; you'd really need to look at the entire rulebase to understand why the other one isn't throwing the same validation warnings.
Also note that application depenceny warnings can be really annoying. For instance if you allow snmpv3 it'll tell you that it depends on snmp-base, however you might never see the traffic come across as snmp-base and therefore the rule as you've configured works perfectly fine. 'Depends on' doesn't really mean that it needs to be in the security policy for that security policy to function perfectly fine.
Thanks for the response. I did look at the rules above the rules in question. None of them are quite the same mix of conditions, and shouldn’t be matching. I’m still pretty confused about it. Maybe once I get to my final set of rules at the end of this project it will be more clear.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!