06-29-2018 03:53 AM
On our "SKYPE" rule I have removed web-browsing; this causes dependency warnings on commit.
I read this "solution"
But not sure if it's correct or makes the rule insecure?
Rob
06-29-2018 09:19 AM
So looking at how they did it in the linked article I'm not a big fan of the solution. Yes this would get rid of the commit warnings but they are also allowing 'ssl' and 'web-browsing' across a large number of non-standard ports. Sometimes this is needed when you aren't running ssl-decryption due to which app-ids come across the firewall, but the way they built the rules in this example article they aren't limiting it to a set destination so this would be allowed globally which generally isn't a good idea.
07-02-2018 01:16 AM
Thought it looked a bit poor.
Will just have to tell my team to ignore the warnings.
Cheers.
07-02-2018 10:14 AM
Depending on how your rules are built out it may be a functional option if you could limit the rule's exposure either through source address specification or destination address specification. But ya I wouldn't do this globally like the example did if you can't limit the scope of the rule at all.
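The concern raised in the two replies above (ssl and web-browsing allowed on non-standard ports, and whether the rule is narrowed by source or destination) can be checked mechanically. The following is an added example, not part of the thread or of any Palo Alto tooling; the rule dictionaries are a simplified, constructed format and every object name (`skype-pcs`, `tcp-high-ports`, the rule names) is hypothetical.

```python
# Added example: rules are in a simplified, constructed dict form,
# not PAN-OS export format. All object names are hypothetical.
RULES = [
    {"name": "skype-deps-global", "action": "allow",
     "source": ["any"], "destination": ["any"],
     "application": ["ssl", "web-browsing"], "service": ["tcp-high-ports"]},
    {"name": "skype-deps-scoped", "action": "allow",
     "source": ["skype-pcs"], "destination": ["any"],
     "application": ["skype", "ssl", "web-browsing"], "service": ["tcp-high-ports"]},
    {"name": "browsing-default", "action": "allow",
     "source": ["any"], "destination": ["any"],
     "application": ["any"], "service": ["application-default"]},
    {"name": "block-ftp", "action": "deny",
     "source": ["any"], "destination": ["any"],
     "application": ["ftp"], "service": ["application-default"]},
]

BROAD_APPS = {"ssl", "web-browsing"}


def audit(rules):
    """Return (rule name, exposure) for allow rules that permit ssl or
    web-browsing on something other than application-default ports."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        apps = set(rule["application"])
        if not (apps & BROAD_APPS or "any" in apps):
            continue
        if rule["service"] == ["application-default"]:
            continue  # apps stay pinned to their standard ports
        # A rule is "global" only when neither side narrows it.
        unscoped = "any" in rule["source"] and "any" in rule["destination"]
        findings.append((rule["name"], "global" if unscoped else "scoped"))
    return findings


if __name__ == "__main__":
    for name, exposure in audit(RULES):
        print(f"{name}: ssl/web-browsing on non-default ports ({exposure})")
```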
07-03-2018 12:54 AM
Since the rule is for SKYPE, source and dest are not fixed (well, we limit it to the few PCs that are used for Skype), so leaving them with unrestricted web-browsing is not an option.
07-03-2018 09:36 AM
I have been racking my brain trying to figure this out. I am fairly new to Palo Alto, but it really seems like there should be some way to do this.
We want to have a rule that allows a group of people to do most everything in a browser. The "browser-based" application filter seemed like a perfect solution, but it requires all kinds of other things in order to alleviate the dependency warnings including ftp, smtp, etc. Obviously, this circumvents all kinds of things we don't want to allow.
My worry with "just ignore the warning" is that we will become immune to it and miss something "real" in the future.
(We also had the issue when trying to do skype)
07-03-2018 11:27 AM
There is an existing feature request for this, so I would reach out to your SE and have them add your vote to it. It's something that people have been asking for; it's just something that doesn't really fit in nicely with the way the validate process is run.
There is certainly a small amount of risk with just leaving the dependency warnings; as you stated, people can become immune to it and then miss something that actually does cause issues.
As for the filter that you are trying to build, I primarily recommend that people create a browsing rule that allows browsing for application 'any' with service 'application-default'. You can then build out specific application deny rules, or deny filters, depending on what you actually don't want to allow in your environment. Obviously this depends highly on how restrictive your organization is with allowing outside access, but it works for most.
07-04-2018 01:00 AM
Added my vote to the Feature Request.
Cheers
Rob
07-16-2018 05:55 PM
My vote was added to the feature request internally.