Application Dependency or "Depends on" (how it is listed inside of the Application details inside of Objects > Applications > application detail window) is a list of applications that are required for this application to work properly.
Why is it important to you?
If you do not allow the application and its dependency through the Palo Alto Networks firewall, then the application will not work.
Note: There is also a "Implicitly Use Applications" field that you need to recognize. The "Implicitly Use Applications" is a subset of "Depends on," and the dependent applications are implicitly allowed. The application still does depend on these applications, however they do NOT need to be explicitly permitted in security policy. Dependent applications can be allowed implicitly, when the firewall is able to determine the correct application by a specific point in the session.
For more information on checking Application Dependency, please see this doc:
Let's take two applications as examples: facebook-base and facebook-posting.
PAN-OS 10.0 Web Interface - facebook-base highlighting Depends On action
Looking at the application detail window for facebook-base, you can see 2 things listed:
'Depends on' is blank. This means that it does not need any other applications to be allowed in the same rule for this to work.
'Implicitly Uses' has SSL and web-browsing listed. This means that if you allow facebook-base, that it will also be allowing ssl and web-browsing applications implicitly.
This mean, if you allow facebook-base in a rule, no other applications are needed:
PAN-OS 10.0 Web Interface Policy
PAN-OS 10.0 Web Interface - facebook-Posting highlighting Depends On action
Looking at the application detail window for 'facebook-posting, you can see 2 things listed.
'Depends on' has the following applications listed: facebook-base, facebook-apps and facebook-chat. This means that in order for this to work, one or more of the these applications need to be allowed in the same rule.
'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, that it will also be allowing the web-browsing application implicitly.
So, in order to allow the facebook-posting application, you will have to add the 'Depends-on' applications in the same rule. You can immediately select them when you select facebook-posting application and add them to your rule as displayed below (or you can also search and add them individually through the applications):
PAN-OS 10.0 Web Interface - facebook-base highlighting Depends On actions and add to current role
You'll end up with a rule that looks like this:
PAN-OS 10.0 Web Interface - End Result for Applications
When the first TCP packet is received (SYN), the firewall must setup a session. Since the application can not be detected on a TCP session until at least one data packet traverses the device, the application will be incomplete. For the firewall to determine if it should even allow the SYN packet through it must do a security policy lookup.
Because the application is not known when the SYN packet is received the application portion of the security policies can not be applied. As a result, the security policy lookup is performed against the 6 tuples of the session, source and destination IP and port, ingress interface (actually zone) and protocol. The first policy, which matches these 6 tuples, will be used to allow the SYN and any additional packets that traverse the firewall before the application is identified.
It is always a good idea to look at any new application details first to determine what the security rule might need to allow the application to work properly.