- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-17-2012 12:36 AM
hey
i have some policy that gives me warning when i do commit on it so i dont realy understand the policy calculation proccedure, ill be glad if you could explain it to me.
i attached a policy screen shot, when i do install policy i get warnings for example face-book chat that it needs web-browsing and jabber to work.
lets focus about the manage zone, and the TMG is used as a proxy for almost all users.
the first rule is to allow some apps that are being blocked by the second and forth rules, but if we will look at the third rule we can see everything is allowed and going thgough URL, AV etc.. so:
at the first rule i opened facebook chat and on the third rule web-browsing is allowed so why do i get those warnings?
thank you for any help
05-17-2012 10:53 AM
Yes, but third rule have different sourcezone ("-Zone" is missing) - I guess thats why you get the dependency warning.
So in your case add web-browsing to the first rule and perhaps expand Block_Application_Filter to block stuff which can be identified as other applications based on web-browsing.
If im not mistaken PANOS 5.x will fix some of the dependency stuff.
05-18-2012 08:04 AM
but the "-zone" open web browsing on the fifth rule, the reson for this policy is that "-zone" and "maange-zone" should have different url filtering policy.
i still cant uderstand the reason for those warnings.
05-20-2012 02:36 PM
Hi,
I did a quick test on my Palo Alto device and found the same results.
I created a the following rule set:-
1) Name:- Test Rule 1:- From Trust, DMZ to Untrust, Allow: facebook-chat,facebook-base and jabber
2) Name:- Test Rule 2 :- From Trust to Untrust, Allow: web browsing , ssl
3) Name:- Test Rule 3 :- From DMZ to Untrust, Allow: web browsing , ssl
The commit will show us the dependency warning as you see in your case.
I guess since you have created a rule 1 to include 2 source zones in the single rule to allow facebook base,facebook-chat jabber the dependency rule should also include the same 2 source zones.
I do understand your purpose of addidng 2 differnt URL filtering profiles to the two dependency rules.
This can be acheived without any dependency warnings by the following rule Set:-
1) Name:- Exclude_Applications:- From Manage-zone to Any zone with TMG-Manage-Source address Allow facebook base-chat-mail-posting,dropbox etc
2) Name:- Exclude_Applications -2 :- From -Zone to Any zone with TMG-Source address Allow facebook base-chat-mail-posting,dropbox etc
3) Name:- Manage Application Control (No change to that rule)
4)Internet_Manage:- From Manage-zone to Any zone with TMG-Manage-Source address Allow ssl, web-browsing (Add-URL category- 1)
5)YVC_Application Control:- From -Zone to Any zone with TMG-Source address Allow ssl,web-browsing (Add-URL category-2)
You would not be seeing the warnings now. Let me know once you configure it and if that helps.
Regards,
Parth
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!