02-18-2024 01:22 AM - edited 02-18-2024 01:24 AM
When you allow the linkedin-base application with a specific Security Policy Rule, for example Linkedin-Rule, the implicit applications it depends on are automatically allowed by the firewall. This means that the Security Policy Rule Linkedin-Rule, which matches the linkedin-base application, will automatically allow the web-browsing and ssl applications as well.
Below is the Security Policy Rule named Linkedin-Rule, which allows only the linkedin-base application.
The Traffic logs show that the firewall allows the implicit application web-browsing using the same Security Policy Rule Linkedin-Rule.
However, when you allow only the linkedin-base application in a Security Policy Rule, the other linkedin applications such as linkedin-mail, linkedin-downloading, etc. are not allowed by this rule.
From the Traffic logs, we can see that the user platini cannot use the linkedin-downloading and linkedin-mail applications; both are denied by the default rule interzone-default.
If you want to allow all linkedin applications in the following list (linkedin-downloading, linkedin-mail, linkedin-uploading, linkedin-learning, etc.), you need to use the parent application linkedin as shown below, or you can specify only some of the applications.
In this example, the Security Policy Rule is adjusted to allow all linkedin applications by using the parent application linkedin instead of linkedin-base.
Note: some applications need to be explicitly allowed, as shown by the DEPENDS ON field. The imap and smtp-base applications must be explicitly allowed by checking them and adding them to this rule; linkedin-intro requires both imap and smtp-base to be added.
The Security Policy Rule Linkedin-Rule is now modified to use the parent application linkedin instead of the linkedin-base application.
Now the user platini can use the linkedin-downloading and linkedin-mail applications, as shown below, as well as linkedin-learning, linkedin-uploading, linkedin-intro, etc.
The Security Policy Rule Linkedin-Rule can now allow all linkedin applications because the parent application linkedin is used as the match criterion instead of linkedin-base.
Now, what if we want to deny a specific linkedin application such as linkedin-posting? In this case we need to add a specific rule that matches the linkedin-posting application with the Deny action, placed above the Security Policy Rule Linkedin-Rule, as shown below.
From the Traffic logs, we can see that the linkedin-posting application is blocked by the Security Policy Rule Linkedin-Posting-Rule for the same user platini.
Because of the Application Shift feature on the Palo Alto firewall, the traffic of the user platini transitions from the web-browsing application to the more specific application linkedin-posting.
In the Traffic logs, the entry highlighted in blue shows that the Security Policy Rule Linkedin-Rule allows the web-browsing application; later, the same user's session transitions to a more specific application, so it is passed through the list of security rules again to check for a match. In this scenario, the session transitions to the linkedin-posting application, the firewall re-evaluates the rules, finds a match with the Security Policy Rule Linkedin-Posting-Rule and applies the Deny action.
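As an added example that is not part of the original post or of any PAN-OS code, here is a small Python model of the rulebase behaviour described above: an application entry in a rule covers the app itself, the members of a container (parent) app and their implicit dependencies; DEPENDS ON entries that are not implicit must be listed in the rule; lookup is top-down, first match wins, with interzone-default as the fallback; and an application shift re-runs the lookup for the same session. The dependency tables are constructed from what the post states, not taken from the real App-ID database.

```python
from dataclasses import dataclass

# Constructed dependency data covering only the relationships the post describes.
CONTAINER = {"linkedin": {"linkedin-base", "linkedin-mail", "linkedin-downloading",
                          "linkedin-uploading", "linkedin-learning", "linkedin-intro",
                          "linkedin-posting"}}
IMPLICIT_DEPS = {"linkedin-base": {"web-browsing", "ssl"}}  # allowed automatically
EXPLICIT_DEPS = {"linkedin-intro": {"imap", "smtp-base"}}   # must be added to the rule


@dataclass
class Rule:
    name: str
    apps: set
    action: str  # "allow" or "deny"


def covered(rule_app):
    """Apps one rule entry lets through: itself, container members, their implicit deps."""
    apps = {rule_app} | CONTAINER.get(rule_app, set())
    for a in list(apps):
        apps |= IMPLICIT_DEPS.get(a, set())
    return apps


def missing_explicit_deps(rule):
    """Non-implicit DEPENDS ON apps that the rule still has to list explicitly."""
    needed = set()
    for a in rule.apps:
        for member in {a} | CONTAINER.get(a, set()):
            needed |= EXPLICIT_DEPS.get(member, set())
    return needed - rule.apps


def lookup(rulebase, app):
    """Top-down, first match wins; no match falls through to interzone-default (deny)."""
    for rule in rulebase:
        if any(app in covered(a) for a in rule.apps):
            return rule.name, rule.action
    return "interzone-default", "deny"


def session_verdicts(rulebase, app_sequence):
    """Application shift: each refinement of the app is re-matched from the top of the rulebase."""
    verdicts = []
    for app in app_sequence:
        name, action = lookup(rulebase, app)
        verdicts.append((app, name, action))
        if action == "deny":  # a deny ends the session
            break
    return verdicts


# The three rulebases from the post: linkedin-base only, parent app, parent app with a deny rule above.
BASE_ONLY = [Rule("Linkedin-Rule", {"linkedin-base"}, "allow")]
PARENT = [Rule("Linkedin-Rule", {"linkedin", "imap", "smtp-base"}, "allow")]
WITH_DENY = [Rule("Linkedin-Posting-Rule", {"linkedin-posting"}, "deny")] + PARENT
```

Running `session_verdicts(WITH_DENY, ["web-browsing", "linkedin-posting"])` reproduces the two log entries in the last screenshot: the first pass is allowed by Linkedin-Rule, the shifted app is denied by Linkedin-Posting-Rule.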