policy installation proccess

L4 Transporter

policy installation proccess


i have some policy that gives me warning when i do commit on it so i dont realy understand the policy calculation proccedure, ill be glad if you could explain it to me.

i attached a policy screen shot, when i do install policy i get warnings for example face-book chat that it needs web-browsing and jabber to work.

lets focus about the manage zone, and the TMG is used as a proxy for almost all users.

the first rule is to allow some apps that are being blocked by the second and forth rules, but if we will look at the third rule we can see everything is allowed and going thgough URL, AV etc.. so:

at the first rule i opened facebook chat and on the third rule web-browsing is allowed so why do i get those warnings?

thank you for any help

Tags (1)
L6 Presenter

Yes, but third rule have different sourcezone ("-Zone" is missing) - I guess thats why you get the dependency warning.

So in your case add web-browsing to the first rule and perhaps expand Block_Application_Filter to block stuff which can be identified as other applications based on web-browsing.

If im not mistaken PANOS 5.x will fix some of the dependency stuff.

L4 Transporter

but the "-zone" open web browsing on the fifth rule, the reson for this policy is that "-zone" and "maange-zone" should have different url filtering policy.

i still cant uderstand the reason for those warnings.

L4 Transporter


I did a quick test on my Palo Alto device and found the same results.

I created a the following rule set:-

1) Name:- Test Rule 1:-  From Trust, DMZ  to Untrust,   Allow: facebook-chat,facebook-base and jabber

2) Name:- Test Rule 2 :-  From Trust to Untrust,   Allow: web browsing , ssl

3) Name:- Test Rule 3 :-  From DMZ to Untrust,   Allow: web browsing , ssl

The commit will show us the dependency warning as you see in your case.

I guess since you have created a rule 1 to include  2 source zones in the single rule to allow facebook base,facebook-chat jabber the dependency rule should also include the same 2 source zones.

I do understand your purpose of addidng 2 differnt URL filtering profiles to the two dependency rules.

This can be acheived without any dependency warnings by the following rule  Set:-

1) Name:- Exclude_Applications:- From Manage-zone to Any zone with TMG-Manage-Source address Allow facebook base-chat-mail-posting,dropbox etc

2) Name:- Exclude_Applications -2 :- From -Zone to Any zone with  TMG-Source address Allow facebook base-chat-mail-posting,dropbox etc

3) Name:- Manage Application Control (No change to that rule)

4)Internet_Manage:- From Manage-zone to Any zone with TMG-Manage-Source address Allow ssl, web-browsing (Add-URL category- 1)

5)YVC_Application Control:- From -Zone to Any zone with TMG-Source address Allow ssl,web-browsing (Add-URL category-2)

You would not be seeing the warnings now. Let me know once you configure it and if that helps.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!