Parent Application Subtypes automatically allowed?

cancel
Showing results for 
Search instead for 
Did you mean: 

Parent Application Subtypes automatically allowed?

L3 Networker

Hi All,

 

In a security policy, if I allow Application "ipsec" with service as "application-default" then will the firewall also allow

- ipsec-esp

- ipsec-esp-udp

- ipsec-ah

- ike ?

 

If you see applipedia, and if you search "ipsec" then you see the above mentioned 4 applications as sub-types of the application "ipsec". Hence the question.

 

Same is also the case with "snmp".

 

Thanks and Regards,

 

1 ACCEPTED SOLUTION

Accepted Solutions

If you look under the 'Applications' tab under 'Objects' (I think this is where you were pulling the screenshots, unless you looked them up under applipedia) then you'll notice that in the case of snmp you have four sub-applications underneath. By allowing snmp by default you also allow all of those child applications. 

The same can be said about ipsec, where you will also allow ike, ipsec-ah,ipsec-esp, and ipsec-esp-udp. That being said if you solely allow ipsec-esp that will not allow anything else to actually pass because that process by itself does not call on any dependancies 

 

View solution in original post

5 REPLIES 5

L6 Presenter

You do have application dependency. For your example, if you do want to allow let's say snmpv2 you must also allow snmp-base app in order for this to work. snmp application includes all snmp versions.

 

snmp.PNG

Hi

 

My Question is other way around.

I want to know if I allow, "snmp" under Application in my security policy, will the firewall also automatically allow "snmpv1" , "snmpv2", "snmpv3" and "snmp-base".

 

Similarly, if I allow "ipsec" under Application in my security policy, will the firewall also automatically allow "ipsec-ah", "ipsec-esp", "ipsec-esp-udp" and "ike" ?

 

 

 

 

q1.jpg

 

 

 

yes it will 

If you look under the 'Applications' tab under 'Objects' (I think this is where you were pulling the screenshots, unless you looked them up under applipedia) then you'll notice that in the case of snmp you have four sub-applications underneath. By allowing snmp by default you also allow all of those child applications. 

The same can be said about ipsec, where you will also allow ike, ipsec-ah,ipsec-esp, and ipsec-esp-udp. That being said if you solely allow ipsec-esp that will not allow anything else to actually pass because that process by itself does not call on any dependancies 

 

Thanks ! Exactly what I was looking for.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!