Application Dependency Warning is displayed due to earlier deny policy with URL category configured
15571
Created On 03/10/20 07:49 AM - Last Modified 03/10/20 09:00 AM
Symptom
Application Dependency Warning is displayed due to earlier deny policy with URL category configured even though all dependent applications are allowed in the same allow policy.
The deny policy is configured as application 'any' and only uses URL category to block access to some websites.
Commit Status
---------------------
Operation Commit
Status Completed
Result Successful
Details Configuration committed successfully
Warnings vsys1
vsys1: Rule 'rule2' application dependency warning:
Application 'windows-azure-base' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'rule1'
Application 'windows-azure-base' requires 'web-browsing' be allowed, but 'web-browsing' is denied in Rule 'rule1'
Application 'office365-consumer-access' requires 'ssl' be allowed, but 'ssl' is denied in Rule 'rule1'
Application 'office365-consumer-access' requires 'web-browsing' be allowed, but 'web-browsing' is denied in Rule 'rule1'
(Module: device)
Environment
- PAN-OS 8.1+
- Palo Alto Firewall
Cause
This is expected behavior by design. The application dependency checking only compares source, destination, applications, and users.
URL category and profiles are not included for the comparison.
Resolution
There is no action needed. The purpose of the warning is to alert users of potential unintended configuration error, not confirmed error.