Best Practices for Application Policies?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best Practices for Application Policies?

L1 Bithead

I was wondering if there is a best practices document for setting up a policy to control particular applications. I've already dug through the Skype tech document which tells to enable unknown applications. Are there any other applications that work better or require unknown applications to be enabled? To take it further, is there an application dependency list available? For example when creating a policy allowing bittorrent traffic out, the firewall prompts during the verification process that web-browsing should be enabled for bittorrent. Is there a document that will say “X application requires Y application to work correctly”. I would prefer not to find out during the verification process.

- FJ

19 REPLIES 19

Mail sent 🙂

Hi I am new at this board.

I have the same prablem with after submitting  policy like:

# Application 'http-video' requires 'web-browsing' allowed in the policy
# - Application 'uusee' requires 'web-browsing' allowed in the policy
# - Application 'move-networks' requires 'web-browsing' allowed in the policy
# - Application 'babelgum' requires 'web-browsing' allowed in the policy
# - Application 'peercast' requires 'web-browsing' allowed in the policy
# - Application 'myspace-video' requires 'web-browsing' allowed in the policy
# - Application 'tvu' requires 'web-browsing' allowed in the policy
# - Application 'ppstream' requires 'web-browsing' allowed in the policy
# - Application 'tvants' requires 'web-browsing' allowed in the policy
# - Application 'photobucket' requires 'web-browsing' allowed in the policy
# - Application 'meabox' requires 'web-browsing' allowed in the policy
# - Application 'meabox' requires 'fs2you' allowed in the policy
# - Application 'dailymotion' requires 'web-browsing' allowed in the policy
# - Application 'limelight' requires 'http-proxy' allowed in the policy
# - Application 'limelight' requires 'web-browsing' allowed in the policy
# - Application 'pplive' requires 'pp-accelerator' allowed in the policy
# - Application 'pplive' requires 'web-browsing' allowed in the policy
# - Application 'veetle' requires 'web-browsing' allowed in the policy
# - Application 'google-picasa' requires 'web-browsing' allowed in the policy
# - Application 'ustream' requires 'web-browsing' allowed in the policy
# - Application 'bbc-iplayer' requires 'web-browsing' allowed in the policy
# - Application 'mogulus' requires 'web-browsing' allowed in the policy
# - Application 'ooyala' requires 'web-browsing' allowed in the policy
# - Application 'justin.tv' requires 'web-browsing' allowed in the policy
# - Application 'livestation' requires 'web-browsing' allowed in the policy

and many many more. It happend a few days ago but I didn't do anything special in my policy rules.

Can you tell me if you solved this problem?

Thanks

Paul

What Software version are you running? 3.0.10 is the last release of 3.0 since it is now "End of life". 3.1.8 is the most current verison  in the 3.1 family as of this post.  The message is just a warning and should not cause any problems as long as the dependenies are allowed somewhere in the policy list.

If you were to create a rulethat allows Facebook and web-browsing at the top, this rule would allow all web browsing and rules farther down the list would never get used.

Generally speaking, "web-browsing" is a very large net that catches all HTTP traffic. If you want to treat Facebook or gmail or dropbox differently you would need one rule for each and then a rule allowing "web-browsing" at the end.

Steve Krall

Great. So now this is buried in a support case and no one else gets some insight. What was the outcome of this?

I guess the appid's regarding these findings were updated (but I agree would be nice with a reply from a PA representative on what happend in these particular cases).

Today I would guess installing PANOS 5.0 (or newer) is the way to go to deal with dependencies.

Because one of the new features with PANOS 5.0 is that it will handle dependencies when needed.

For example allowing x number of packets for a dependency appid and unless the traffic is being identified as the appid you specified (within this range of x number of packets or so) the session will be closed/dropped.

The part to worry about is how many packets will be allowed "under the radar" (and how to notify the admin what he/she is about to do when creating such security policy).

Today if you wish to allow facebook you must also statically allow web-browsing (if im not mistaken).

This doesnt mean that all http traffic are allowed (because other appids like youtube etc will trigger if identified since a session can only have one appid at a time) but it means that all http traffic which doesnt match any known appid will be allowed.

This is of course somewhat bad (in most cases) and you need to add a custom url-filter to limit the http requests to only *.facebook.com (and which other domains facebook are using).

Now with PANOS 5.0 (as I understand it) it will work if you just allow facebook and nothing more (still using url filtering is healthy but if we stick to appid's for now 🙂

When facebook is allowed in PANOS 5.0 it will in the background allow web-browsing but only for x number of packets.

This is of course way better than in PANOS 4.1 and older where you had to statically allow web-browsing for all future but still I think education of the admins configuring PA-devices will be needed.

In this case it would be great if PA could provide us (the customers 🙂 with a dependency list along with the limit list (like if I allow facebook, how many web-browsing packets will be allowed) - because as I see this (currently) this might open up for a logical evasion techniques (the admin thinks only facebook is allowed but this custom botnet will still be able to phone home 2 packets per session or such).

  • 11500 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!