02-13-2017 08:15 AM
Issue background:
We have a policy for Application Whitelist of allowed applications on the internet firewall. SourceForge-Base is one of these applications. SourceForge-Base had dependencies on SSL, Web-Browsing, and SSH. We allow SSL and Web-Browsing, but do not wish to allow SSH to the entire outbound internet. Our users' traffic works fine with only SSL and Web-Browsing being allowed in conjunction with SourceForge-Base when they access SourceForge.
Without knowing the IP ranges utilized by SourceForge to allow that in a separate policy by service port, (also without utilizing SSL decryption so an FQDN is not an option), we have no way to allow the traffic other than by application.
Is there a way to hide or suppress persistent application dependency warnings in specific so that a commit can come back without warnings?
Or is there a way to allow SSH only if it is used in conjunction with SourceForge-Base, as in SSH being an Implicit Use Application for SourceForge-Base?
02-14-2017 02:33 AM
Hi Joshua
The dependency warning will remain, as the dependency has not been met.
You could create a security policy that allows SSH only to a custom category containing all the URLs used by SourceForge:
This is slightly different from URL filtering, as it uses the category as a layer 3 destination match rather than URL filtering.
Alternatively, if you know the SourceForge servers, you could add FQDN objects to the destination.
02-15-2017 12:34 PM - edited 02-15-2017 12:35 PM
There's an existing feature request for this capability. Please reach out to your Palo Alto Networks Systems Engineer so your request can be tracked.
02-15-2017 01:46 PM
Depending on the exact use case, I'd look at: 1887, 2689, 4131