Prior to PAN-OS 5.0, in order to allow an application with dependencies, the security policy required all dependencies to be allowed as well.
Since PAN-OS 5.0, applications for some protocols can be allowed without the need to explicitly allow their dependencies. The Palo Alto Networks firewall is able to do this for an application if it can identify the application by a pre-determined point in the live session. If the application is coded by its developer in a way that prevents the Palo Alto Networks device from determining the application by that pre-determined point, the session can be blocked by one of the other security rules in the rulebase while it still matches the enabler App-ID. For these applications an explicit allow for the list of dependencies is needed.
For the purpose of explaining the process, the following terminology is usually applied:
Enabler app: The App-ID that the session initially matches (e.g. web-browsing)
Dependent app: The App-ID that the session later matches (e.g. facebook-base)
Note: Always check the dependencies for the applications if planning to allow them. Also, check the implicitly used applications for the dependent application, so that the correct policies can be constructed.
For the above-mentioned applications that can be correctly identified at a pre-determined point in the live session, the firewall implicitly allows the enabler app. To decide this, the firewall uses the “uses-apps” and “implicit-uses-apps” parts of the metadata that the content updates carry for the given application.
For applications that have a list of apps in the “implicit-uses-apps”, those applications will be implicitly allowed and no separate security rule is needed to allow them.
For applications that do not have a list of apps in the “implicit-uses-apps” but do have a list of apps in the “uses-apps” part of the application definition, the enabler applications need to be explicitly allowed so that the dependent application is allowed. This can be done in a separate security rule, or in the same rule that allows the dependent app.
The application definition can be checked to see whether the enabler applications need to be explicitly allowed. Enter configuration mode and run the following command:

> configure
Entering configuration mode
# show predefined application <name-of-app>
As examples for this we will use the "facebook-base" and the "office-on-demand" applications.
To allow facebook-base, only the security policy that has the application facebook-base is needed. There is no need to allow ssl and web-browsing, because they are implicitly allowed based on the following part of the definition of the application:
For facebook-base there is only the allow-facebook security rule, which allows only facebook-base. There are no explicit rules to allow web-browsing and ssl. Quite the opposite: for the purpose of the test, a deny rule for web-browsing and ssl is in place:
list with the same applications. This means that all of the applications in the list need to be explicitly allowed so that all the features of office-on-demand work correctly.
In the traffic log the session can be seen as allowed, first as web-browsing and then as office-on-demand. The application started as web-browsing and was correctly identified by the Palo Alto Networks DFA, at which point it changed to "office-on-demand".
If web-browsing is denied in a security rule, the connections are seen as not established, because the session is blocked while it still matches web-browsing and the rule that would allow the office-on-demand application is never hit.
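The decision rule above (implicit-uses-apps populated: enablers are allowed implicitly; only uses-apps populated: each enabler needs an explicit allow that is hit before any deny) and the facebook-base and office-on-demand tests can be turned into a small rulebase audit. The following Python is an added example, not part of this article or of PAN-OS; the application definitions and rule names are constructed from the text, not taken from real firewall output.

```python
from collections import namedtuple

# An App-ID definition reduced to the two dependency lists the article discusses.
AppDef = namedtuple("AppDef", "name uses_apps implicit_uses_apps", defaults=((), ()))
# One security rule: its name, the App-IDs it lists and its action ("allow" or "deny").
Rule = namedtuple("Rule", "name apps action")

def required_enablers(app):
    """Enablers needing an explicit allow: none when implicit-uses-apps is populated."""
    return () if app.implicit_uses_apps else app.uses_apps

def first_match(rules, app_name):
    """Top-down, first-match evaluation of the rulebase for a single App-ID."""
    return next((r for r in rules if app_name in r.apps), None)

def audit(app, rules):
    """Findings explaining why `app` would be blocked; an empty list means it works."""
    findings = []
    hit = first_match(rules, app.name)
    if hit is None or hit.action != "allow":
        findings.append(f"{app.name}: no allow rule is hit")
    for enabler in required_enablers(app):
        hit = first_match(rules, enabler)
        if hit is None:
            findings.append(f"{app.name}: enabler {enabler} falls to the implicit deny")
        elif hit.action != "allow":
            findings.append(f"{app.name}: enabler {enabler} is blocked by rule '{hit.name}'")
    return findings

# Constructed definitions (assumptions, not real firewall output): facebook-base has an
# implicit-uses-apps list, office-on-demand only a uses-apps list with the same enablers.
FACEBOOK_BASE = AppDef("facebook-base", ("web-browsing", "ssl"), ("web-browsing", "ssl"))
OFFICE_ON_DEMAND = AppDef("office-on-demand", ("web-browsing", "ssl"))

# Constructed rulebase mirroring the article's test: allow the dependent apps, deny the enablers.
TEST_RULEBASE = (
    Rule("allow-facebook", ("facebook-base",), "allow"),
    Rule("allow-office", ("office-on-demand",), "allow"),
    Rule("deny-web-ssl", ("web-browsing", "ssl"), "deny"),
)
# Corrected rulebase: the enablers are allowed in the same rule as the dependent app.
FIXED_RULEBASE = (
    Rule("allow-facebook", ("facebook-base",), "allow"),
    Rule("allow-office", ("office-on-demand", "web-browsing", "ssl"), "allow"),
    Rule("deny-web-ssl", ("web-browsing", "ssl"), "deny"),
)
```

Running `audit(OFFICE_ON_DEMAND, TEST_RULEBASE)` reports both enablers blocked by deny-web-ssl, while `audit(FACEBOOK_BASE, TEST_RULEBASE)` and `audit(OFFICE_ON_DEMAND, FIXED_RULEBASE)` return no findings.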