I've run into a few instances where I need/want to allow a specific App with a specific policy, but it has a dependency I don't want to include with the same policy. I'm wondering if I need to rethink how I arrange these rules. The most recent example is actually Palo Alto Traps. There is a traps-management-service AppID. I've set up a rule for "Palo Alto Traps" that includes this AppID (as recommended in https://docs.paloaltonetworks.com/traps/tms/traps-management-service-admin/get-started-with-tms/enable-access-tms). I've set it to allow all traffic that matches the app with no filtering policies, avoiding the need to enter in all the possible URLs/IPs in the rule. However, it has a websockets requirement, which I do not have explicitly listed anywhere. Commits give me a dependency warning as expected. If I add "websockets" onto this rule, the rule will match a lot of non-Traps traffic and potentially allow a lot of connections I don't want to allow. How do I go about ensuring I don't erroneously block Traps traffic but without globally allowing websockets connections to any site?