Looking for a way to allow an application without allowing all dependencies with no commit warnings

L1 Bithead

Issue background:

We have a policy for Application Whitelist of allowed applications on the internet firewall.  SourceForge-Base is one of these applications.  SourceForge-Base had dependencies on SSL, Web-Browsing, and SSH.  We allow SSL and Web-Browsing, but do not wish to allow SSH to the entire outbound internet.  Our users' traffic works fine with only SSL and Web-Browsing being allowed in conjunction with SourceForge-Base when they access SourceForge.

 

Without knowing the IP ranges utilized by SourceForge to allow that in a separate policy by service port, (also without utilizing SSL decryption so an FQDN is not an option), we have no way to allow the traffic other than by application.

 

Is there a way to hide or suppress specific persistent application dependency warnings so that a commit can come back without warnings?

 

Or is there a way to allow SSH only if it is used in conjunction with SourceForge-Base, as in SSH being an Implicit Use Application for SourceForge-Base?

4 Replies

Cyber Elite

Hi Joshua

 

The dependency warning will remain as the dependency has not been met.

You could create a security policy that allows ssh only to a custom category containing all the URLs used by SourceForge:

 

[Image: url destination.png]

 

This is slightly different from URL filtering, as it uses the category as a layer 3 destination match rather than URL filtering.

 

Alternatively, if you know the SourceForge servers, you could add FQDN objects to the destination.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
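A configuration sketch of the approach in this reply, added here as an example and not taken from the thread or from Palo Alto Networks: a custom URL category holding the SourceForge hostnames is used as the destination category on a narrow rule that allows only the ssh application, shown beside the broad rule it replaces. The zone names, the category name, the hostname list and the set-command syntax (recalled from the PAN-OS 9.x/10.x CLI) are assumptions to verify against your own release.

```text
# Assumed PAN-OS CLI, configure mode. Zones "trust"/"untrust", the category
# name and the URL list are placeholders; verify syntax on your PAN-OS release.

# --- Broad rule the original poster wants to avoid: ssh to the whole internet
set rulebase security rules Allow-SSH-Any from trust to untrust source any destination any
set rulebase security rules Allow-SSH-Any application ssh service application-default action allow

# --- Narrow alternative
# 1) custom URL category listing the SourceForge hosts (assumed list)
set profiles custom-url-category SourceForge-Sites type "URL List"
set profiles custom-url-category SourceForge-Sites list [ sourceforge.net *.sourceforge.net ]

# 2) rule that allows ssh only when the destination matches that category
set rulebase security rules Allow-SSH-SourceForge from trust to untrust source any destination any
set rulebase security rules Allow-SSH-SourceForge category SourceForge-Sites
set rulebase security rules Allow-SSH-SourceForge application ssh service application-default action allow

# 3) the existing SourceForge rule stays as it is (ssl and web-browsing only);
#    the commit still reports the unmet ssh dependency, as noted in the reply above
set rulebase security rules Allow-SourceForge from trust to untrust source any destination any
set rulebase security rules Allow-SourceForge application [ sourceforge-base ssl web-browsing ] service application-default action allow

# Keep the narrow ssh rule above any rule that would otherwise deny or broaden ssh
move rulebase security rules Allow-SSH-SourceForge before Allow-SourceForge
```

Lines beginning with # are annotations for the reader, not CLI input.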

L7 Applicator

There's an existing feature request for this capability.  Please reach out to your Palo Alto Networks Systems Engineer so your request can be tracked.

@jvalentine   Can you provide the FR#?  That will save so much time for my SE.

 

E

Depending on the exact use case, I'd look at: 1887, 2689, 4131
