10-03-2014 10:52 AM
We have begun the process of globally allowing some applications for the entire enterprise. At this point, these are (fairly) innocuous applications which are largely dependent on web-browsing / ssl. Two questions:
1. When verifying if a dependent application is available, does the firewall check the policy from the top down or just rules below the one you're creating?
2. I think part of the issue I'm running into is something that is discussed here: Application Dependency Warnings with Allowed Enabler Application
I have rules up around 20 - 30 that are my URL Filtering rules. So, certain user groups are allowed to certain URL categories via web-browsing (on "any" service).
Now, down around rule 150 or so, I have a rule that says, "Globally Allowed Applications" - in here I have a few apps like 'ms-update' and 'flash'. However, once I pushed policy, I'm being told (for example) that:
"Application 'flash' requires 'web-browsing' be allowed, but 'web-browsing' is denied in rule "Drop All". Technically 'web-browsing' is allowed above. I'm not really a fan of having to allow the applications (especially web-browsing or SSL) globally as this negates our URL filtering policy.
Anyone else run into this?
10-03-2014 11:04 AM
Hello Mrsoldner,
I understand that "web-browsing" is allowed in the above rules and not in rule 150, where you have allowed "flash", and flash depends on "web-browsing".
I think it might be a Palo Alto Networks internal thing, where the dependent application should be allowed in the same rule, so that in traffic logging they can track the related log.
Again, it's just speculation. Even I am waiting for a much better explanation on this.
Regards,
Hardik Shah
10-06-2014 03:53 PM
Hello,
1) If there is a dependent application, then the firewall will check top-down whether the dependent application is being allowed, as mentioned in the document.
2) My recommendation is to allow web-browsing in policy 150 and apply a URL filtering profile. Since policies 20-30 are user-restricted policies, even though you allow web-browsing in those, rule 150 still needs an explicit dependent application allow policy to avoid commit warnings.
Hope this helps.
Regards,
Hari
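To make the reasoning in the answers concrete, here is an added toy model (not the thread's or Palo Alto Networks' code) of a top-down dependency check over a rulebase shaped like the one in the question. It assumes a dependency is satisfied only by a rule at or above the current one whose user scope covers the current rule's users; the rule names, user groups and the flash -> web-browsing dependency map are constructed for the example.

```python
from dataclasses import dataclass

# Assumed dependency map; the thread only names flash -> web-browsing.
DEPENDENCIES = {"flash": ["web-browsing"]}

@dataclass
class Rule:
    name: str
    apps: set
    action: str          # "allow" or "deny"
    users: str = "any"   # "any", or a single user group name

def covers(rule_users, needed_users):
    """'any'-user rules cover every scope; a group-scoped rule covers only that group."""
    return rule_users == "any" or rule_users == needed_users

def dependency_warnings(rules, deps=DEPENDENCIES):
    """Top-down pass: warn for each allowed app whose dependency is not allowed,
    for the same user scope, by this rule or a rule above it (assumed model)."""
    warnings = []
    for index, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        for app in sorted(rule.apps):
            for dep in deps.get(app, []):
                satisfied = any(
                    r.action == "allow" and dep in r.apps and covers(r.users, rule.users)
                    for r in rules[: index + 1]
                )
                if not satisfied:
                    warnings.append(f"Application '{app}' in rule '{rule.name}' "
                                    f"requires '{dep}' to be allowed for users '{rule.users}'")
    return warnings

# Constructed rulebase mirroring the thread: group-scoped URL filtering rules on
# top, a global application-allow rule further down, and a final drop-all.
AS_POSTED = [
    Rule("URL Filtering - Finance", {"web-browsing", "ssl"}, "allow", users="finance"),
    Rule("URL Filtering - Engineering", {"web-browsing", "ssl"}, "allow", users="engineering"),
    Rule("Globally Allowed Applications", {"ms-update", "flash"}, "allow"),
    Rule("Drop All", {"any"}, "deny"),
]

# Hari's recommendation: allow web-browsing in the same rule and attach a URL
# filtering profile there (the profile itself is outside this model).
AS_RECOMMENDED = AS_POSTED[:2] + [
    Rule("Globally Allowed Applications", {"ms-update", "flash", "web-browsing"}, "allow"),
    AS_POSTED[3],
]
```

Running `dependency_warnings(AS_POSTED)` yields one warning for flash, because the web-browsing allows above are group-scoped and do not cover an "any"-user rule; `dependency_warnings(AS_RECOMMENDED)` yields none.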
10-06-2014 04:13 PM
There are a few enabler applications that are allowed implicitly, meaning you don't have to add them to the policy to allow them explicitly. I believe web-browsing and SSL fall under this list. This implicit allow was something that was introduced in PAN-OS 5.0.
The document below might come in handy:
How to Check if an Application Needs to have Explicitly Allowed Dependency Apps
I am looking for the list of implicitly allowed enabler applications. If I find anything related, I will update this post.
Hope this helps.
Thanks