Explicit and Implicit Allowed / Denied Apps?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Explicit and Implicit Allowed / Denied Apps?

L0 Member

I am trying to understand the relationship between apps and how rules for specific apps affect the access of other apps.

 

I was reading this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClirCAC

 

In there, it uses the example of "facebook" which has dependent apps like "facebook-base".  If I was looking through the firewall rules and I was trying to figure out if "facebook" was allowed, if the rules had no explicit mention of "facebook" but did explicitly mention that all of dependent apps of "facebook" are allowed (e.g. "facebook-base", "facebook-web", etc).  Does that mean "facebook" will be implicitly allowed?

 

Equally, if I was looking at things the other way around, i.e. if I only wanted to know if "facebook-base" was allowed and there was no mention of "facebook-base" but it says "facebook" is denied, does that mean implicitly that "facebook-base" is not allowed as well?

 

Finally, if it was a custom application and it used something like "web-browsing", there may be many applications which use "web-browsing", e.g. "whatsapp", "facebook", etc.  If I wanted to see if "web-browsing" is allowed or denied but the rules don't have "web-browsing" explicitly, however do have explicit rules which contain the dependent "web-browsing" and either say deny or allow, does that mean I can assume "web-browsing" is allowed based on these higher level rules?

2 REPLIES 2

Community Team Member

Hi @777GE09 ,

 

'Facebook' is a placeholder for all underlying apps. 

facebook-base is not dependent on facebook as shown in the illustration below:

 

 

facebook-basefacebook-base

If you deny 'facebook' then all underlying applications (including facebook-base) will be denied.

 

The application dependency is outlined in this Tips & Tricks article:

Tips & Tricks: What is application dependency ?

 

Hope this helps !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

@kiwi 

Thanks, that is helpful.  So the predefined applications are like containers, if you deny or allow them you are essentially just denying or allowing their members, that makes sense. I guess this is not the case for custom applications though? Do you have any examples of custom applications please?

 

In regards to the docs you sent me, I was reading up and was wondering about this point:

  • 2. Implicitly Use Applications has web-browsing listed. This means that if you allow facebook-posting, that it will also be allowing the Web-Browsing application implicitly.

 

Is this the same the other way around? If my rule was DENY facebook-posting, does that implicitly deny web-browsing too?

 

EDIT: Part of me thinks it shouldn't implicitly deny web-browsing, because when I think about this.  If you allowed facebook-posting then that means web-browsing is required and will also be therefore allowed.  But if you deny facebook-posting, then ok you can't post on facebook and although web-browsing forms a part of this, it may be used by another app and so you wouldn't want denying facebook-posting to affect this, because facebook-posting may be denied for a different reason?

  • 4985 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!