dependency warning - how to force it?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

dependency warning - how to force it?

L4 Transporter

Hi

I'm bit confused about dependency ...

During commit i have:

    vsys1: Rule 'XXXXXXXXXXX' application dependency warning:

     Application 'gmail-base' requires 'imap' be allowed, but 'imap' is denied in Rule 'Scholastycy - deny rest'

     Application 'gmail-base' requires 'pop3' be allowed, but 'pop3' is denied in Rule 'Scholastycy - deny rest'

     Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Scholastycy - deny rest'

    vsys1: Rule 'YYYYYYYY' application dependency warning:

     Application 'msrpc' requires 'ms-ds-smb' be allowed

     Application 'msrpc' requires 'netbios-ss' be allowed

     Application 'msrpc' requires 'ms-ds-smb' be allowed

     Application 'msrpc' requires 'netbios-ss' be allowed

Both of this rules are working as expected. XXXXXXX allowing sending email from multifunction printer. I'm sure that imap/pop3 isn't nessesary for sending emails.

The YYYYYYY has aplication: ms-kms. ms-rdp, msrpc and t.120 and this is enought for RDP and activating Office 2010  and Windows 7.

Do I'm able to stop complaining about it during commit?

4 REPLIES 4

L5 Sessionator

Hi,

Are the PANFWs still in 4.1.x versions? Most of the dependency warning messages are gone under the 5.0.x PANOS versions.

You can also find a mention about it under the release notes of 5.0.0:

APPLICATION IDENTIFICATION FEATURES

• Application Dependency Enhancement – For some protocols, you can allow an application in security policy without explicitly allowing its underlying protocol. This support is available if the application can be identified within a pre-determined point in

the session, and has a dependency on any of the following applications: HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS. Custom applications based on HTTP, SSL, MS-RPC, or RTSP can also be allowed in security policy without explicitly allowing the underlying protocol. For example, if you want to allow Java software updates, which use HTTP (web-browsing), you no longer have to allow web-browsing. This feature will reduce the overall number of rules needed to manage policies.

Usually these warnings advise the administrator there is an application configured on a policy that may not function fully because another application (or applications) is needed. For example, if you enable the “facebook-base” application on a policy by itself, you may get an application dependency warning advising that “web-browsing” is required.

These application dependency warnings are derived from the research of the Palo Alto Networks development team responsible for content. The intent of these warnings is to aid the administrator in properly configuring policies, and avoid any inconsistent behavior by the application.  It is important to understand these are just warnings and not errors that will fail your commit.

The below document explains the causes for getting the dependency warning messages:

https://live.paloaltonetworks.com/docs/DOC-1654

L5 Sessionator

Also found this in our forums that:

The dependencies are only open for the amount of packets needed in order to detect the main application.

For example where you previously was forced to have both appx and web-browsing open forever you now only add appx and the web-browsing will only be allowed for the amount of packets needed to detect appx, if appx is not detected after this amount then the web-browsing session is denied.

Hi

I'm using 5.0.5 PAN, warnings related to gmail comes after some automatic update (not after upgrade from 5.0.3 to 5.0.5 in my example).

As I understand this is feature and it can't be switched off - I have to get used to or add such aplication to the rules - Do I'm a right?

Regards

Slawek

Yes, Slawek

For a clean configuration without any warning messages, you would have to add the applications that the PANFW is complaining about.

Best regards,

Karthik

  • 3424 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!