Why Are There Application-Dependency Warnings for Rules Following a Rule with Action Deny Matching URL Category?
Created On 07/19/19 21:51 PM - Last Modified 03/03/26 10:04 AM
Question
- Why are application dependency warnings seen referencing a rule that doesn't block applications but blocks traffic to a specific URL category?
Environment
- NGFW
- Supported PAN-OS versions
- Security Policy Rule blocking traffic to a URL Category with application any
- Security Policy Rules below that rule allow traffic for specified applications (i.e., not any)
Answer
- This is expected behavior
- The URL Category column in the security policy rule is not considered when building the masks for the application dependency warnings.
- Since the URL Category block rule has the Application of "any," the application dependency warning gets triggered for all rules below that reference specific applications, even though those applications are not blocked.
- A workaround is to move the URL Category block rule below the application allow rules.
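The behavior described above can be reproduced with a small model. This is an added example, not Palo Alto Networks code: the dependency check is a simplified assumption of how a check that ignores the URL Category column would behave, and the rule names, application names, category and dependency map are all constructed.

```python
# Simplified model (assumption): not PAN-OS's actual commit-check code.
# Rule names, app names, category and the dependency map are constructed.
DEPENDS = {"example-app": ["ssl", "web-browsing"]}

def app_match(rule, app):
    return rule["apps"] == "any" or app in rule["apps"]

def dependency_warnings(rules):
    """Resolve each dependency by the Application column only; the URL
    Category column is ignored, as the article describes."""
    out = []
    for rule in rules:
        if rule["action"] != "allow" or rule["apps"] == "any":
            continue
        for app in rule["apps"]:
            for dep in DEPENDS.get(app, []):
                first = next((r for r in rules if app_match(r, dep)), None)
                if first is None or first["action"] == "deny":
                    blocker = first["name"] if first else None
                    out.append((rule["name"], app, dep, blocker))
    return out

def verdict(rules, app, category):
    """Runtime first-match lookup, which does honor URL Category."""
    for r in rules:
        if app_match(r, app) and r["cat"] in ("any", category):
            return r["name"], r["action"]
    return None, "deny"  # assumed default when no rule matches

block = {"name": "block-category", "apps": "any",
         "cat": "blocked-cat", "action": "deny"}
base = {"name": "allow-base", "apps": ["ssl", "web-browsing"],
        "cat": "any", "action": "allow"}
app = {"name": "allow-app", "apps": ["example-app"],
       "cat": "any", "action": "allow"}

ORIGINAL = [block, base, app]   # deny rule on top: warnings expected
REORDERED = [base, app, block]  # the workaround from the article

if __name__ == "__main__":
    for label, rb in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, dependency_warnings(rb), verdict(rb, "ssl", "blocked-cat"))
```

In this model the reordered rulebase produces no warnings, but an `ssl` flow to the blocked category now matches `allow-base` before it reaches the deny rule. Review what the allow rules permit for that category before applying the reorder.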