05-16-2012 10:21 AM
I have been trying to use the application filter functionality as I am setting up our PA with little luck. Example being: I would like to allow pretty much everything under "business systems", "office programs".
First problem I am running into is it does not include the dependencies. OK, I can get around that and create an application group for the dependencies.
The second problem is one item has some dependencies which are a bit excessive (SMTP for example) AND these dependencies are for a program my users will never use (ariel in my case).
Unless I am missing something, there does not appear to be a way to create a filter but exclude some items and that program's dependencies.
Does the above sound correct?
If so, is anyone bothering to use the "application filter" option or are you just creating your own groups?
Thanks,
Bob
PS It would be nice to create a filter and exclude certain applications from that filter with a check box per application.
05-17-2012 10:06 AM
The tricky part with application filter comparing to custom groups is the danger of new application(s) (you are in the hands of what PA thinks).
Having said that, I have heard some rumours that PAN-OS 5.0 (I think it was) will fix some of the dependency jungle out there for the App-ID.
05-22-2012 11:32 AM
We use application filters based on subcategory. When deciding to allow or block a subcategory, we ask ourselves: if Palo Alto created a new application definition that you haven’t heard of before and added it to the subcategory, should it be allowed or blocked?
Then we create application groups for the exceptions in a subcategory. We have about 200 exceptions in our application groups currently.
05-22-2012 01:52 PM
I am using a different way: I reviewed all applications once and decided which ones I wanted to ban.
Every week I receive an email from PA with a list of newly created apps. I review each of them and decide which ones I want to ban and add them to my application ban group.
05-23-2012 08:27 AM
Thanks for your reply. So if I understand you correctly you have a couple of rules:
Deny Banned apps (custom application group)
Allow (Application filter)
How do you handle the dependencies?
Doesn't the above give you a warning when you commit?
Thanks,
Bob
05-23-2012 08:32 AM
Thanks.
Can you enlighten me as to the order of your allow and deny rules and what order they are in?
For example: in my case I am trying to, for a single group of users, use almost exclusively allow rules:
Middle school-allow basic apps (app group as defined by myself)
Middle school-allow expanded apps before and after school only (app group as defined by myself)
Middle school-deny all apps for middle school users that are not allowed by the above (mostly for logging purposes)
Thanks
Bob
05-23-2012 08:50 AM
We're able to work out dependencies by looking at the errors and adding the dependent applications to our allow groups.
It seems we don't have the complexity regarding time of day that you do. Our rule structure is this:
deny Block groups
allow Allow groups and Allow subcategory filters
deny Block subcategory filters
The key is that the Allow subcategory filters and Block subcategory filters never include each other's subcategories, but added together contain all subcategories.
Adding rules for allowing applications for off-hours depends on how much of the application structure changes policy for off-hours. If the differences are just a few apps, I would put a scheduled rule like "allow Allow off-hours groups" before the first rule called deny Block groups.
If I wanted to allow a few subcategory filters for off-hours, I would consider copying the entire structure and placing those rules above the current structure:
deny Block off-hours groups
allow Allow off-hours groups and Allow off-hours subcategory filters
deny Block off-hours subcategory filters
deny Block groups
allow Allow groups and Allow subcategory filters
deny Block subcategory filters
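Added example, not code from this thread or from Palo Alto Networks: a small Python model of the top-down, first-match evaluation that the deny/allow/deny structure above (and the "would a new App-ID in this subcategory be OK?" approach from the 05-22-2012 11:32 AM post) relies on. Every application, subcategory, dependency and rule name in it is constructed for illustration and does not come from the real App-ID database. Besides evaluating a policy, it checks the two things a practitioner wants to know before committing: that the allow and block filters really partition the subcategories, and which dependencies of an allowed application the policy still leaves blocked (the gap that appears as a commit warning and as denied sessions in the logs).

```python
"""Toy model of first-match security-policy evaluation with application
groups and subcategory filters.  Added illustration, not PAN-OS code or any
poster's configuration; every application, subcategory and dependency below
is constructed for the example."""
from dataclasses import dataclass, field

# Constructed catalogue: application -> (subcategory, dependencies).
# Names echo the thread (ms-rdp, netbios-*, smtp, ariel) but the
# subcategory/dependency data is assumed, not taken from App-ID.
APPS = {
    "ms-rdp":          ("remote-access",     {"netbios-ss", "netbios-dg"}),
    "netbios-ss":      ("infrastructure",    set()),
    "netbios-dg":      ("infrastructure",    set()),
    "ssh":             ("remote-access",     set()),
    "web-browsing":    ("internet-utility",  set()),
    "ariel":           ("office-programs",   {"smtp"}),
    "smtp":            ("email",             set()),
    "bittorrent":      ("file-sharing",      set()),
    "facebook":        ("social-networking", set()),
    "new-unknown-app": ("social-networking", set()),  # stands in for a future App-ID
}
ALL_SUBS = {sub for sub, _ in APPS.values()}


@dataclass
class Rule:
    name: str
    action: str                                      # "allow" or "deny"
    apps: set = field(default_factory=set)           # application group members
    subcategories: set = field(default_factory=set)  # application filter
    schedule: str = "always"                         # "always" or a named period

    def matches(self, app, period):
        if self.schedule not in ("always", period):
            return False
        sub, _ = APPS[app]
        return app in self.apps or sub in self.subcategories


def evaluate(rules, app, period="business-hours"):
    """Top-down, first match wins; nothing matched means the implicit deny."""
    for rule in rules:
        if rule.matches(app, period):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def missing_dependencies(rules, app, period="business-hours"):
    """Dependencies of `app` that the policy does not allow."""
    _, deps = APPS[app]
    return sorted(d for d in deps if evaluate(rules, d, period)[0] != "allow")


def filters_partition(allow_subs, block_subs):
    """The invariant from the thread: allow and block filters never overlap,
    and together cover every subcategory."""
    return not (allow_subs & block_subs) and (allow_subs | block_subs) == ALL_SUBS


# Subcategory decision: would a brand-new App-ID in this subcategory be OK?
ALLOW_SUBS = {"remote-access", "internet-utility", "office-programs"}
BLOCK_SUBS = ALL_SUBS - ALLOW_SUBS

# Exceptions live in groups that are evaluated before the filters.
BLOCK_GROUP = {"ssh"}                                  # allowed subcategory, banned app
MS_RDP_SUITE = {"ms-rdp", "netbios-ss", "netbios-dg"}  # app plus its dependencies
ALLOW_GROUP = {"facebook"} | MS_RDP_SUITE              # blocked subcategory, allowed app

POLICY = [
    Rule("deny Block groups", "deny", apps=BLOCK_GROUP),
    Rule("allow Allow groups and Allow subcategory filters", "allow",
         apps=ALLOW_GROUP, subcategories=ALLOW_SUBS),
    Rule("deny Block subcategory filters", "deny", subcategories=BLOCK_SUBS),
]

# Small off-hours difference: one scheduled allow rule ahead of the structure.
OFF_HOURS_POLICY = [
    Rule("allow Allow off-hours groups", "allow", apps={"bittorrent"}, schedule="off-hours"),
] + POLICY


if __name__ == "__main__":
    print("filters partition subcategories:", filters_partition(ALLOW_SUBS, BLOCK_SUBS))
    for app in APPS:
        print(f"{app:16} {evaluate(POLICY, app)}  missing deps: {missing_dependencies(POLICY, app)}")
    print("bittorrent off-hours:", evaluate(OFF_HOURS_POLICY, "bittorrent", "off-hours"))
    print("bittorrent business: ", evaluate(OFF_HOURS_POLICY, "bittorrent"))
```

Running it shows the behaviour the posts describe: ssh is denied by the block group even though its subcategory is allowed, facebook is allowed by the allow group even though its subcategory is blocked, and a never-seen application in a blocked subcategory is denied by the block filter. ms-rdp works because its dependencies are in the same allow group; ariel is allowed but its smtp dependency is not, which is exactly the case that needs either a dependency group or a deliberate decision to leave it broken. bittorrent is allowed only when the off-hours rule's schedule matches.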
05-23-2012 04:30 PM
Thanks for sharing, it is nice to hear what others are doing. I am really struggling with the complexity piece (all have different times and filtering rules):
Lots of international kids.
Lower school
Middle school
Upper school
Boarding students (some are 7x24 with school and personal devices)
Dorm Parents (7x24 with school and personal devices).
Employees (school and personal devices)
Not to mention the guests streaming in and out on weekends and summer....
I could go on, but thus my interest in how others are handling apps and rules.
Bob
05-23-2012 05:03 PM
Wow - that's a lot of constituencies. Hopefully, you'll find some commonality in the applications and subcategories that you allow and block between the constituencies so you can group the applications easily.
One other thing I thought of for dependencies: we created groups for applications that have tons of them. For ms-rdp, for example, we created a group called ms-rdp_suite and included netbios-ss, netbios-dg, etc. etc.