06-12-2019 02:55 AM - edited 06-12-2019 02:58 AM
I am trying to understand the relationship between apps and how rules for specific apps affect the access of other apps.
I was reading this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClirCAC
In there, it uses the example of "facebook" which has dependent apps like "facebook-base". If I was looking through the firewall rules and I was trying to figure out if "facebook" was allowed, if the rules had no explicit mention of "facebook" but did explicitly mention that all of dependent apps of "facebook" are allowed (e.g. "facebook-base", "facebook-web", etc). Does that mean "facebook" will be implicitly allowed?
Equally, if I was looking at things the other way around, i.e. if I only wanted to know if "facebook-base" was allowed and there was no mention of "facebook-base" but it says "facebook" is denied, does that mean implicitly that "facebook-base" is not allowed as well?
Finally, if it was a custom application and it used something like "web-browsing", there may be many applications which use "web-browsing", e.g. "whatsapp", "facebook", etc. If I wanted to see if "web-browsing" is allowed or denied but the rules don't have "web-browsing" explicitly, however do have explicit rules which contain the dependent "web-browsing" and either say deny or allow, does that mean I can assume "web-browsing" is allowed based on these higher level rules?
06-12-2019 04:30 AM
Hi @777GE09 ,
'Facebook' is a placeholder for all underlying apps.
facebook-base is not dependent on facebook as shown in the illustration below:
If you deny 'facebook' then all underlying applications (including facebook-base) will be denied.
The application dependency is outlined in this Tips & Tricks article:
Tips & Tricks: What is application dependency ?
Hope this helps !
-Kiwi.
06-12-2019 05:11 AM - edited 06-12-2019 05:18 AM
Thanks, that is helpful. So the predefined applications are like containers, if you deny or allow them you are essentially just denying or allowing their members, that makes sense. I guess this is not the case for custom applications though? Do you have any examples of custom applications please?
In regards to the docs you sent me, I was reading up and was wondering about this point:
Is this the same the other way around? If my rule was DENY facebook-posting, does that implicitly deny web-browsing too?
EDIT: Part of me thinks it shouldn't implicitly deny web-browsing, because when I think about this. If you allowed facebook-posting then that means web-browsing is required and will also be therefore allowed. But if you deny facebook-posting, then ok you can't post on facebook and although web-browsing forms a part of this, it may be used by another app and so you wouldn't want denying facebook-posting to affect this, because facebook-posting may be denied for a different reason?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
