Palo Alto Networks Knowledgebase: What are Application Dependency Warnings?

What are Application Dependency Warnings?

Created On 07/17/19 21:11 PM - Last Updated 07/17/19 22:30 PM

Application dependency warnings are messages from the Palo Alto Networks device that can appear after a commit. These warnings advise the administrator that an application configured on a policy may not function fully because another application (or applications) is needed.

For example, if the “facebook-base” application on a policy is enabled by itself, an application dependency warning may appear advising that “web-browsing” is required.

These application dependency warnings are derived from the research of the Palo Alto Networks development team responsible for content. The intent of these warnings is to aid the administrator in properly configuring policies and to avoid any inconsistent behavior by the application. It is important to understand that these are just warnings, not errors that will fail the commit.

During the research and testing phase of the application, the Palo Alto Networks development team strives to be as thorough and detailed as possible, and will exhaustively test the services and features of the application. All of the data gathered from the testing is rolled into the application signature and definitions on the Palo Alto Networks device.

In the customer’s environment, not all of the services and features of an application may be used, or the deployment of a particular application may be limited. As a result, the administrator configuring an application on a policy may see this warning following a commit, even though the application is working perfectly in their environment. In such cases, the unused features of the application may be causing the dependency warning because they are dependent on an application that is not configured in the policy.

From PAN-OS 5.0

Applications for some protocols can be allowed without the need to explicitly allow their dependencies. The Palo Alto Networks firewall is able to do this for some applications if it can identify the application by a pre-determined point in the live session. If the application is coded by the developer in a way that the Palo Alto Networks device cannot determine the application by the pre-determined point, then the application can be blocked by one of the security rules in the list. For these applications, the list of dependencies must be explicitly allowed.

Prior to PAN-OS 5.0

In order to allow an application with dependencies, the security policy required all dependencies to be allowed as well.
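The following is an added illustration, not Palo Alto Networks code or PAN-OS output: a simplified model of the per-policy dependency check described above, which can be used to review an exported rule list before a commit. The dependency table, the `example-*` application names, the implicit flags, and the rule format are all constructed assumptions; only the facebook-base and web-browsing pair comes from this article.

```python
# Simplified model of an application dependency check (assumption, not PAN-OS logic).
# Each entry maps an application to (dependency, implicit) pairs. "implicit" marks a
# dependency that, in this model, does not need an explicit allow from PAN-OS 5.0 on.
DEPENDENCIES = {
    "facebook-base": [("web-browsing", False)],      # pair taken from the article
    "example-chat": [("example-transport", True)],   # hypothetical application
    "example-sync": [("web-browsing", False)],       # hypothetical application
}

# Constructed sample rules (hypothetical format, not an exported PAN-OS config).
RULES = [
    {"name": "social", "action": "allow", "applications": ["facebook-base"]},
    {"name": "social-ok", "action": "allow",
     "applications": ["facebook-base", "web-browsing"]},
    {"name": "chat", "action": "allow", "applications": ["example-chat"]},
    {"name": "block-sync", "action": "deny", "applications": ["example-sync"]},
]


def dependency_warnings(rules, implicit_support=True):
    """Return (rule, application, missing dependency) tuples.

    implicit_support=True models the behaviour from PAN-OS 5.0, where some
    dependencies need no explicit allow. implicit_support=False models the
    earlier behaviour, where every dependency had to be allowed explicitly.
    The result is a list of warnings; nothing is raised, mirroring the fact
    that these warnings do not fail a commit.
    """
    warnings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # dependencies only matter for traffic the rule allows
        allowed = set(rule["applications"])
        if "any" in allowed:
            continue  # a rule allowing any application also allows the dependencies
        for app in rule["applications"]:
            for dep, implicit in DEPENDENCIES.get(app, []):
                if dep in allowed:
                    continue
                if implicit and implicit_support:
                    continue
                warnings.append((rule["name"], app, dep))
    return warnings


if __name__ == "__main__":
    for rule, app, dep in dependency_warnings(RULES):
        print(f"warning: rule '{rule}': application '{app}' requires '{dep}'")
```
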

owner: swhyte
