PaloAlto Dependencies of Application Identification
In order to carry out the Application Identification PaloAlto swim a communication to some extent, and identify in the meantime.Therefore, unlike the normal FW, it is possible to block the communication after establishing the TCP connection.
And it also can identify communications such as facebook , in that case http communication is performed first, it makes a determination of whether or not followed by facebook.
In such a case, it is called App "facebook-base" is dependent on the App "web-browsing (http)", .
About old PAN-OS of PaloAlto, it does not work configuraing App field in Security policy with only facebook-base, but web-browsing is needed.
In PAN-OS 5.0 or later, however, for some of the basic applications, such as web-browsing, even if there is a dependency relationship now may not be explicitly written.In other words, can you specify only facebook-base.
As a result, security has been greatly improved.This is because, even if able to identify the facebook, because we can not be is that denial or permission, aimed at only facebook until now.(http also a denial or permission setting companion)
Dependency itself can be found in the following page, but it is not written whether or not to explicitly shown in this page.
So, it needs to be confirmed in the following procedure.
- To log in the CLI to PaloAlto
- Type # show predefined application
- To confirm the item of the "use-applications," "implicit-use-applications"
2 will put the application name, such as facebook-base.
About 3, "use-applications" indicates app name that is dependent, "implicit-use-applications" indicates app name that is dependent and without explicit.In other words, if "use-applications" and "implicit-use-applications" is the same, you do not have to configure application that is dependent explicitly, and if there is no "implicit-use-applications" field, you need to configure all application that is dependent.