I've run in to a few instances where I need/want to allow a specific App with a specific policy, but it has a dependency I don't want to include with the same policy. I'm wondering if I need to rethink how I arrange these rules.
The most recent example is actually Palo Alto Traps. There is a traps-management-service AppID. I've setup a rule for "Palo Alto Traps" that includes this AppID (as recommended in https://docs.paloaltonetworks.com/traps/tms/traps-management-service-admin/get-started-with-tms/enab.... I've set it to allow all traffic matches the app with no filtering policies, avoiding the need to enter in all the possible URLs/IPs in the rule. However, it has a websockets requirement, which I do not have explicitly listed anywhere. Commits give me a dependency warning as expected.
If I add "websockets" on to this rule, the rule will match a lot of non-Traps traffic and potentially allow a lot of connections I don't want to allow. How do I go about ensuring I don't erroneously block Traps traffic but without globally allowing websockets connections to any site?
I do not have any experience with Traps, but I do have a lot of experience with app dependencies. I can tell you that you can put in the app-ids successfully without having to have all of the dependencies in place. I have a pair of firewalls that I get nearly 100 warnings related to app-id dependencies. There are several apps with the dependency of web-browsing that I was just not going to add to the rules. Luckily, I was working with PAN Professional Services for this project and confirmed with the Engineer that the dependencies are not "required", they are "recommended", no matter how annoying the warnings are. He did add, if you are having issues related to those rules, you may have to add the dependencies for troubleshooting, but they are not required to run properly. I do have to say, I do not like the warning that I get with each commit, as I need to read through to make sure nothing is new in there from the latest changes, but it is better than adding in all of the dependencies and opening more than I want open.
Hope that was helpful
Talk to your SE / Account team. They might have some information for you regarding Security Rule warnings, App Dependencies and how they're reported.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!