Palo Alto Networks Knowledgebase: Do implicitly allowed applications in security policies allow all traffic matching that implicit application?

Created On 04/16/19 17:21 PM - Last Updated 04/16/19 17:26 PM
Security Policy Policy PAN-OS
Question
Read the following document for details on application dependency: TIPS & TRICKS: WHAT IS APPLICATION DEPENDENCY?

A common concern is whether an implicitly allowed application allows all traffic matching that application. Consider this example:

Policy 1: "Allow Sharepoint"
    Source       : any
    Destination  : any
    Application  : Sharepoint-online (Implicit : ssl, web-browsing)
    Action       : Allow

Policy 2: "Deny All"
    Source       : any
    Destination  : any
    Action       : Deny

What happens to SSL or web-browsing traffic that is not part of the SharePoint application?
 


Environment
This article applies to all PAN-OS versions.
 


Answer
Implicit application matching exists so that a session which starts as the implicit application but ends as the explicit application can match the same policy throughout.

The following examples clarify this statement:

Case 1: SharePoint Online traffic (clear-text HTTP)
  • TCP 3-way handshake (allowed by Policy 1 because the application is not yet known).
  • The client sends an HTTP GET request; the firewall inspects it and the application on the session changes to web-browsing.
  • A policy lookup checks whether web-browsing is allowed explicitly (No).
  • A policy lookup checks whether web-browsing is allowed implicitly (Yes, by Policy 1).
  • After some time the application changes to SharePoint-Online. It is allowed by the same policy that allowed web-browsing implicitly.


Case 2: The user opens www.example.com
  • TCP 3-way handshake (allowed by Policy 1 because the application is not yet known).
  • The client sends an HTTP GET request; the firewall inspects it and the application on the session changes to web-browsing.
  • A policy lookup checks whether web-browsing is allowed explicitly (No).
  • A policy lookup checks whether web-browsing is allowed implicitly (Yes, by Policy 1).
  • After further App-ID inspection, the application still remains web-browsing.
  • Another policy lookup checks for a policy that explicitly allows web-browsing.
  • The session hits Policy 2 and is denied.


Case 3: The user opens https://www.facebook.com
  • TCP 3-way handshake (allowed by Policy 1 because the application is not yet known).
  • The client sends a Client Hello; the application changes to SSL.
  • A policy lookup checks whether SSL is allowed explicitly (No).
  • A policy lookup checks whether SSL is allowed implicitly (Yes, by Policy 1).
  • After further App-ID inspection, the application changes to facebook-base.
  • Another policy lookup checks for a policy that explicitly allows facebook-base.
  • The session hits Policy 2 and is denied.
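
The three cases above, replayed through a simplified Python model of the lookup sequence. This is an added example, not Palo Alto Networks code: `Rule`, `lookup` and `trace` are hypothetical names, the application labels are constructed, and the explicit and implicit checks are folded into one top-down pass, which gives the same outcome for this two-rule policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    apps: frozenset = frozenset()      # empty set = any application
    implicit: frozenset = frozenset()  # applications the explicit app depends on

# The two policies from the article (source and destination are "any" in both).
RULEBASE = [
    Rule("Allow Sharepoint", "allow",
         apps=frozenset({"sharepoint-online"}),
         implicit=frozenset({"ssl", "web-browsing"})),
    Rule("Deny All", "deny"),
]

def lookup(app, final):
    """Return the first matching rule, top-down.
    app=None means App-ID has not identified anything yet (TCP handshake).
    Implicit matches count only while the application may still change."""
    for rule in RULEBASE:
        if app is None or not rule.apps or app in rule.apps:
            return rule
        if not final and app in rule.implicit:
            return rule
    raise LookupError("no rule matched")

def trace(stages):
    """stages: App-ID results over the session's life; the last one is final.
    Returns (app, rule name, action) per lookup, stopping at the first deny."""
    out = []
    for i, app in enumerate(stages):
        rule = lookup(app, final=(i == len(stages) - 1))
        out.append((app, rule.name, rule.action))
        if rule.action == "deny":
            break
    return out

# Constructed App-ID sequences for the article's three cases.
CASES = {
    "Case 1": [None, "web-browsing", "sharepoint-online"],
    "Case 2": [None, "web-browsing", "web-browsing"],
    "Case 3": [None, "ssl", "facebook-base"],
}

if __name__ == "__main__":
    for label, stages in CASES.items():
        print(label, trace(stages))
```

In Cases 2 and 3 the implicit match carries the session only until App-ID settles; the final lookup then has to find an explicit match and falls through to "Deny All".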

 

