10-07-2009 12:31 PM
I was wondering if there is a best practices document for setting up a policy to control particular applications. I've already dug through the Skype tech document, which tells you to enable unknown applications. Are there any other applications that work better or require unknown applications to be enabled? To take it further, is there an application dependency list available? For example, when creating a policy allowing bittorrent traffic out, the firewall prompts during the verification process that web-browsing should be enabled for bittorrent. Is there a document that will say "X application requires Y application to work correctly"? I would prefer not to find out during the verification process.
- FJ
02-26-2010 08:58 AM
First, it is not just msn2go that requires http (or actually the app called web-browsing). The commit checking just presents the first issue it runs into. In this case, all of the apps in your browser-based IM group will require web-browsing in order to function. Without this, the HTTP decoding function does not occur and no HTTP-based applications will be allowed. In order for any of the HTTP-based applications to be allowed, there must be a rule allowing web-browsing. As I mentioned, this does not allow any otherwise classified App-IDs, only unclassified web-browsing traffic.
Mike
02-26-2010 09:36 AM
Hmm, I will verify this on Monday because I'm pretty sure that "web-browsing" is already allowed in the same application filter that has selected the im-group, and yet during commit I get a warning that "msn2go" needs "http" to function.
This is with 3.0.6 with today's (26 Feb) threat/app DB (170-something if I'm not mistaken).
02-26-2010 10:58 AM
As Mike stated, you need to allow the "web-browsing" application for web-based applications to function. This allows the HTTP decoder to activate. This only allows generic HTTP web-browsing and not other more-specific web applications we have signatures for. You can further control the generic "web-browsing" application via URL filtering profile.
If you want to enable web-based IM you might want to create a policy that includes the IM and web-browsing applications, then add a URL filtering profile to that rule to block most categories of generic web-browsing that doesn't fit into an existing web application signature. You might need to tweak the URL filtering profile a bit and make some exceptions depending on how restrictive you make it.
Cheers,
Kelly
03-04-2010 04:20 AM
"web-browsing" is already allowed but it doesn't seem to work as expected.
I created an application filter named "SURF_browser-based" containing:
Technologies:
browser-based
Subcategories:
email
erp-crm
file-sharing
general-business
instant-messaging
internet-utility
office-programs
social-networking
storage-backup
web-posting
and assigned it to a policy to allow the applications which are contained in the above subcategories (note how instant-messaging is included along with web-browsing, which is in internet-utility if I'm not mistaken).
After commit the output is:
* device: Rule 'SURF' application dependency warning:
* - Application 'zimbra' requires 'http-proxy' allowed in the policy
* - Application 'zimbra' requires 'http-proxy' allowed in the policy
* - Application 'zimbra' requires 'http-proxy' allowed in the policy
* - Application 'zimbra' requires 'http-proxy' allowed in the policy
* - Application 'zimbra' requires 'http-proxy' allowed in the policy
* - Application 'zimbra' requires 'http-proxy' allowed in the policy
* - Application 'mobile-me' requires 'http-proxy' allowed in the policy
* - Application 'mobile-me' requires 'http-proxy' allowed in the policy
* - Application 'mobile-me' requires 'http-proxy' allowed in the policy
* - Application 'mobile-me' requires 'http-proxy' allowed in the policy
* - Application 'mobile-me' requires 'http-proxy' allowed in the policy
* - Application 'mobile-me' requires 'http-proxy' allowed in the policy
* - Application 'msn2go' requires 'http' allowed in the policy
* - Application 'msn2go' requires 'http' allowed in the policy
* - Application 'msn2go' requires 'http' allowed in the policy
* - Application 'msn2go' requires 'http' allowed in the policy
* - Application 'msn2go' requires 'http' allowed in the policy
* - Application 'msn2go' requires 'http' allowed in the policy
* - Application 'bebo' requires 'http-proxy' allowed in the policy
* - Application 'bebo' requires 'http-proxy' allowed in the policy
* - Application 'bebo' requires 'http-proxy' allowed in the policy
* - Application 'bebo' requires 'http-proxy' allowed in the policy
* - Application 'bebo' requires 'http-proxy' allowed in the policy
* - Application 'bebo' requires 'http-proxy' allowed in the policy
* - Application 'aim-express' requires 'aim' allowed in the policy
* - Application 'aim-express' requires 'aim' allowed in the policy
* - Application 'aim-express' requires 'aim' allowed in the policy
* - Application 'aim-express' requires 'aim' allowed in the policy
* - Application 'aim-express' requires 'aim' allowed in the policy
* - Application 'aim-express' requires 'aim' allowed in the policy
* - Application 'woome' requires 'rtmp' allowed in the policy
* - Application 'woome' requires 'rtmp' allowed in the policy
* - Application 'woome' requires 'rtmp' allowed in the policy
* - Application 'woome' requires 'rtmp' allowed in the policy
* - Application 'woome' requires 'rtmp' allowed in the policy
* - Application 'woome' requires 'rtmp' allowed in the policy
* - Application 'bigupload' requires 'ftp' allowed in the policy
* - Application 'bigupload' requires 'ftp' allowed in the policy
* - Application 'bigupload' requires 'ftp' allowed in the policy
* - Application 'bigupload' requires 'ftp' allowed in the policy
* - Application 'bigupload' requires 'ftp' allowed in the policy
* - Application 'bigupload' requires 'ftp' allowed in the policy
* Configuration committed successfully
Note the warning regarding msn2go which I feel is a bit odd since both web-browsing and msn2go are allowed...
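The commit output above is the only dependency check the firewall offers, and it repeats each warning once per rule match. As an added example that is not part of this thread and not Palo Alto Networks code, the script below parses such warnings into a deduplicated "X requires Y" table, then runs the same check offline against a candidate rule, following chains (Y may itself require Z) so the rule can be fixed before committing. The dependency table `APP_DEPENDS` is constructed from the warnings in the post plus two assumed entries (`aim` and `facebook-chat` requiring `web-browsing`) to show a transitive chain; it is not the real content database.

```python
"""Offline App-ID dependency check for a firewall allow rule (added example)."""
import re
from collections import defaultdict

# Matches one line of the commit dependency warning shown in the thread.
WARNING_RE = re.compile(
    r"Application '(?P<app>[^']+)' requires '(?P<dep>[^']+)' allowed in the policy"
)

# Constructed sample: a few lines of the commit output above, duplicates included.
SAMPLE_COMMIT_OUTPUT = """\
device: Rule 'SURF' application dependency warning:
 - Application 'zimbra' requires 'http-proxy' allowed in the policy
 - Application 'zimbra' requires 'http-proxy' allowed in the policy
 - Application 'msn2go' requires 'http' allowed in the policy
 - Application 'msn2go' requires 'http' allowed in the policy
 - Application 'aim-express' requires 'aim' allowed in the policy
 - Application 'woome' requires 'rtmp' allowed in the policy
 - Application 'bigupload' requires 'ftp' allowed in the policy
Configuration committed successfully
"""

# Constructed dependency table (assumption, not the real content database).
# The first seven entries mirror the thread's warnings; 'aim' and
# 'facebook-chat' requiring 'web-browsing' are assumed to show a chain.
APP_DEPENDS = {
    "zimbra": {"http-proxy"},
    "mobile-me": {"http-proxy"},
    "msn2go": {"http"},
    "bebo": {"http-proxy"},
    "aim-express": {"aim"},
    "woome": {"rtmp"},
    "bigupload": {"ftp"},
    "aim": {"web-browsing"},           # assumed
    "facebook-chat": {"web-browsing"}, # assumed
}


def parse_dependency_warnings(commit_output):
    """Collapse repeated commit warnings into {app: {required_app, ...}}."""
    deps = defaultdict(set)
    for line in commit_output.splitlines():
        m = WARNING_RE.search(line)
        if m:
            deps[m.group("app")].add(m.group("dep"))
    return dict(deps)


def missing_dependencies(allowed, depends):
    """Return every App-ID the rule must also allow, following chains.

    Names are compared literally: in this model 'http' and 'web-browsing'
    are distinct keys, which is exactly the situation the post describes.
    """
    allowed = set(allowed)
    missing, seen, stack = set(), set(), list(allowed)
    while stack:
        app = stack.pop()
        if app in seen:
            continue
        seen.add(app)
        for dep in depends.get(app, ()):
            if dep not in allowed:
                missing.add(dep)
            stack.append(dep)  # a dependency can have dependencies of its own
    return missing


def rule_with_dependencies(allowed, depends):
    """The allowed set plus everything it transitively requires, sorted."""
    return sorted(set(allowed) | missing_dependencies(allowed, depends))


if __name__ == "__main__":
    table = parse_dependency_warnings(SAMPLE_COMMIT_OUTPUT)
    for app, reqs in sorted(table.items()):
        print(f"{app} requires {', '.join(sorted(reqs))}")
    candidate = {"aim-express", "msn2go", "web-browsing"}
    print("missing:", sorted(missing_dependencies(candidate, APP_DEPENDS)))
    print("fixed rule:", rule_with_dependencies(candidate, APP_DEPENDS))
```

Feed it the warning lines from a real commit to get the deduplicated table, then keep the rule's application list and the table in version control so a dependency change in a new content release shows up as a diff rather than as a surprise at commit time.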
03-04-2010 04:40 AM
RPS,
I will look into this issue on the support side.
If you have an active support contract can you send an email to support@paloaltonetworks.com and include the following information:
Pan device serial number
PanOS version installed
Content database installed
I will open a case to investigate.
Thank you.