Way to ignore dependency warnings?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Way to ignore dependency warnings?

L1 Bithead

We have setup a general web browsing policy and users were being blocked from viewing github.  We allowed github-base to the policy and commited it.  They can now view github without any issues but every time we commit we recieve a warning "Application 'github-base' requires 'ssh' be allowed." .  We do not want to allow ssh outbound without limiting the destination and do not have any need for ssh to github (as just viewing M$ code).  

 

Is there a way this can be ignored or do we just have to live with any dependincy messages on commits?  

 

We are running 7.0.x if that makes a difference. 

 

 

2 accepted solutions

Accepted Solutions

Application override stops L7 ispection not custom application.

 

In your case you can create another rule.

Add web-browsing, ssh and ssl as applications.

And use custom URL category to allow this rule to match only if traffic goes to URL's specified in the custom category.

 

In this case you can get rid of the warning and don't have to allow ssh to everywhere.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

We've ran into this same issue on a lot of pre-built applications.  If you truly want to remove these warnings while also denying the application (in this case ssh), then I would create two rules as such:

 

rule 1:  deny ssh

rule 2:  allow git-hub, ssh

 

rule 1 will block ssh traffic based on your criteria. 

rule 2 allows git-hub as well as ssh, but the ssh traffic is never matched as rule 1 blocks it.  This will get rid of the warnings.

 

There should be a way to suppress applications warnings and I have suggested this to Palo Alto on a few occasions. Applications like VMWare View, for example, assume that all of your services from broker to virtual machines will live on the same servers, which in any large deployment is ludicrous.  It is typically a best practice to only open those appliations needed to a host when securing it.

 

Just my two cents,

 

Matt

 

 

 

View solution in original post

10 REPLIES 10

L5 Sessionator

The dependency waring saying to make that application to work properly you have to allow ssh as well.

These warning does not depends on PAN-OS they are dependent on application-and-threat updates.

To check more about the denpendent application use the following commands on CLI:
PA>configure
PA# show predefined application <name of the application>

 

Hope this helps!

L5 Sessionator

You can also visit the following webiste:

 

https://applipedia.paloaltonetworks.com/

L5 Sessionator

To avoide those warning you have to allow that application.

Thanks Pankaj,

 

I understand how to find the dependencies but I do not understand why to view github.com in a browser I must allow SSH?  Right now I am able to load github without allowing SSH where before it was being blocked but I just recieve the dependeny warning.

 

I guess my other option is to create a custom application.

Application override will stop the layer 7 inspection. It is not preferred unless it is very necessary.

Application override stops L7 ispection not custom application.

 

In your case you can create another rule.

Add web-browsing, ssh and ssl as applications.

And use custom URL category to allow this rule to match only if traffic goes to URL's specified in the custom category.

 

In this case you can get rid of the warning and don't have to allow ssh to everywhere.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks Radio,

 

That makes sense and seems like the best solution with the options we have.  Hopefully there will not be to many application like that.

We've ran into this same issue on a lot of pre-built applications.  If you truly want to remove these warnings while also denying the application (in this case ssh), then I would create two rules as such:

 

rule 1:  deny ssh

rule 2:  allow git-hub, ssh

 

rule 1 will block ssh traffic based on your criteria. 

rule 2 allows git-hub as well as ssh, but the ssh traffic is never matched as rule 1 blocks it.  This will get rid of the warnings.

 

There should be a way to suppress applications warnings and I have suggested this to Palo Alto on a few occasions. Applications like VMWare View, for example, assume that all of your services from broker to virtual machines will live on the same servers, which in any large deployment is ludicrous.  It is typically a best practice to only open those appliations needed to a host when securing it.

 

Just my two cents,

 

Matt

 

 

 

Thanks Matt,

 

I'm pretty sure I tried this once but then it gave a warning about one policying being shadowed by another.  I tried this again and it does not give this warning anymore.

 

Josh

The policy will only give you the shadow warning if they are exactly the same (apps, source/destination, etc.)  

 

You do have to be smart though, if you had two apps that both required SSH and App X, and you didn't want to enable SSH for either, if you have two deny SSH rules (to block this part of the app), they have to be unique or put together in the same rule.

 

-Matt

  • 2 accepted solutions
  • 8406 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!