Applications Depends On Column - Prelogon Policies


L3 Networker

I am trying to set up prelogon and have a question about the sec policies described in Step 2 of this guide: https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-quick-configs/...

 

I assume the source zone would be VPN (applied to tunnel) and the destination zone is Trusted (internal) - correct?

 

Then for permitted applications I added AD, DHCP, DNS and ms-update. The right column notes dependencies. But I believe that when you add the application that those dependencies are automatically added - correct? I don't need to add those manually. Does this look like all I'd need for the prelogon security policy?

 

[Image: MichaelMedwid_0-1618764222665.png]

 

Accepted Solutions

L6 Presenter

Some applications are implicitly added but some need to be explicitly added. Please check:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK

 

 

 

When you commit, the Palo Alto will tell you, so no worry; you will know if something needs to be explicitly added if you just pay attention.


Cyber Elite

@MichaelMedwid,

The firewall is only going to list app-ids that are dependent on other app-ids being allowed, and not what they implicitly use. You can go through Applipedia and do some validation checks, but generally speaking you'll need to ensure that those dependent app-ids are allowed to ensure the traffic works as intended.
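The distinction drawn in the answers above (a dependency an app implicitly uses versus one that has to be allowed explicitly), as an added example that is not part of the original thread and not Palo Alto Networks code. The app names and both tables are constructed, not real App-ID names or Applipedia data, and the model assumes a single rule in which a dependency counts as met when it is in that rule or implicitly used by the app.

```python
# Added example. App names and both tables are constructed sample data,
# not real App-ID names and not taken from Applipedia.
DEPENDS_ON = {
    "dir-svc": {"rpc-base", "file-share"},
    "file-share": {"name-svc"},
    "patch-feed": {"tls-base", "http-base"},
}
IMPLICITLY_USES = {
    # patch-feed implicitly uses both of its dependencies, so nothing to add.
    "patch-feed": {"tls-base", "http-base"},
}


def unmet(app, allowed):
    """Dependencies of `app` neither implicitly used by it nor in the rule."""
    return DEPENDS_ON.get(app, set()) - IMPLICITLY_USES.get(app, set()) - allowed


def commit_style_warnings(rule_apps):
    """Per-app unmet dependencies for the rule as written (single pass)."""
    allowed = set(rule_apps)
    return {a: sorted(unmet(a, allowed)) for a in sorted(allowed) if unmet(a, allowed)}


def explicit_additions(rule_apps):
    """Every app to add so that no app in the rule has an unmet dependency.

    An added app can have dependencies of its own, so repeat until stable.
    """
    allowed = set(rule_apps)
    added = set()
    pending = list(allowed)
    while pending:
        app = pending.pop()
        for dep in unmet(app, allowed):
            allowed.add(dep)
            added.add(dep)
            pending.append(dep)
    return sorted(added)


if __name__ == "__main__":
    # Constructed prelogon-style rule: directory, name lookup, address lease, updates.
    rule = ["dir-svc", "name-lookup", "addr-lease", "patch-feed"]
    print("warnings:", commit_style_warnings(rule))
    print("add explicitly:", explicit_additions(rule))
```

The second function shows why rechecking after each change matters: adding `file-share` to satisfy `dir-svc` brings in a dependency (`name-svc`) that the first pass never reported.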
