
6/24/2014 How to Check if an Application Needs to have Ex...

| Palo Alto Networks Live



How to Check if an Application Needs to have Explicitly Allowed Dependency Apps
Version 9

created by ialeksov on Apr 12, 2014 5:51 AM, last modified by panagent on Apr 25, 2014 3:35 PM

PAN-OS 5.0, 6.0

Overview
Prior to PAN-OS 5.0, in order to allow an application with dependencies, the security policy required all
dependencies to be allowed as well.

Since PAN-OS 5.0, applications for some protocols can be allowed without the need to explicitly allow their
dependencies. The Palo Alto Networks firewall can do this for an application if it can identify the
application within a pre-determined point in the live session. If the application is coded by its developer in
a way that prevents the Palo Alto Networks device from determining the application by the pre-determined
point, the application can be blocked by one of the security rules in the list. For these applications, an
explicit allow for the list of dependencies is needed.

For the purpose of explaining the process, the following terminology is usually applied:
Enabler app: The App-ID that the session initially matches (e.g. web-browsing)
Dependent app: The App-ID that the session later matches (e.g. facebook-base)

Note: Always check the dependencies for the applications if planning to allow them. Also, check the
implicitly used applications for the dependent application, so that the correct policies can be constructed.

Details
For the applications mentioned above that can be correctly identified at a pre-determined point in the live
session, the firewall implicitly allows the enabler app. To do this, the firewall uses the uses-apps
and implicit-uses-apps parts of the content update metadata for the given application.
For applications that have a list of apps in implicit-uses-apps, those apps are implicitly
allowed and no separate security rule is needed to allow them.
For applications that have no list of apps in implicit-uses-apps but do have a list of apps in the
uses-apps part of the application definition, the listed apps (the enabler applications) must be explicitly
allowed so that the dependent application is allowed. They can be added in a separate security rule, or
in the same rule that allows the dependent app.

The application definition can be checked to see whether the enabler applications need to be explicitly
allowed. Run the following command from configuration mode:
# show predefined application <name-of-app>

Steps
As examples for this we will use the "facebook-base" and the "office-on-demand" applications.

Facebook-base


Application definition:
# show predefined application facebook-base
facebook-base {
  ottawa-name facebook
  category collaboration
  subcategory social-networking
  technology browser-based
  description "......THIS PART IS OMITTED....."
  alg no
  appident yes
  vulnerability-ident yes
  evasive-behavior no
  consume-big-bandwidth no
  used-by-malware yes
  able-to-transfer-file yes
  has-known-vulnerability yes
  tunnel-other-application yes
  prone-to-misuse no
  pervasive-use yes
  per-direction-regex no
  deny-action drop-reset
  run-decoder no
  cachable no
  references {
    Wikipedia {
      link http://en.wikipedia.org/wiki/Facebook
    }
  }
  default {
    port tcp/80,443
  }
  use-applications [ ssl web-browsing ]
  tunnel-applications [ facebook-apps facebook-chat facebook-file-sharing
    facebook-mail facebook-posting facebook-social-plugin instagram ]
  implicit-use-applications [ ssl web-browsing ]
  applicable-decoders http
  risk 4
  application-container facebook
}
[edit]

To allow facebook-base, only the security policy that has the application facebook-base is needed. There is
no need to allow ssl and web-browsing, because they are implicitly allowed based on the following part
of the application definition:
  use-applications [ ssl web-browsing ]
  implicit-use-applications [ ssl web-browsing ]

For facebook-base there is only the allow-facebook security rule that allows only facebook-base. There are
no explicit rules to allow web-browsing and ssl. On the contrary, for the purpose of the test, a deny rule for
web-browsing and ssl is used:

The logs show that facebook is allowed:

Office-on-demand
Application definition:
# show predefined application office-on-demand
office-on-demand {
  category business-systems
  subcategory office-programs
  technology browser-based
  description "......THIS PART IS OMITTED....."
  alg no
  appident yes
  virus-ident yes
  spyware-ident yes
  file-type-ident yes
  vulnerability-ident yes
  evasive-behavior no
  consume-big-bandwidth yes
  used-by-malware no
  able-to-transfer-file yes
  has-known-vulnerability yes
  tunnel-other-application no
  prone-to-misuse no
  pervasive-use yes
  per-direction-regex no
  deny-action drop-reset
  run-decoder no
  cachable no
  file-forward yes
  references {
    "Office on Demand" {
      link http://office.microsoft.com/en-us/support/use-office-on-any-pc-with-office-on-demand-HA102840202.aspx
    }
  }
  default {
    port tcp/80
  }
  use-applications [ ms-office365-base sharepoint-online ssl web-browsing ]
  applicable-decoders http
  risk 3
  application-container ms-office365
}
[edit]

For office-on-demand, the use-applications [ ms-office365-base sharepoint-online ssl web-browsing ] list
can be seen, and there is no implicit-use-applications list with the same applications. This means that
all of the applications in the list need to be explicitly allowed, so that all the features of
office-on-demand work correctly.

The traffic can be seen as allowed for web-browsing and for office-on-demand. The application started as
web-browsing and was correctly identified by the Palo Alto Networks DFA, and thus changed to "office-on-
demand".

If web-browsing is denied in a security policy, the connections can be seen as not established, because the
rule to allow the office-on-demand application will never be hit.
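
The check described above can be scripted. The following is an added example, not part of the original article or any Palo Alto Networks tooling: it reads the bracketed lists from "show predefined application" output and reports which enabler apps still need an explicit allow. The function names are hypothetical, and the two sample definitions are trimmed copies of the output shown above.

```python
import re

# Matches bracketed list settings, e.g.: use-applications [ ssl web-browsing ]
# A trailing ";" or a list wrapped over several lines does not affect the match.
LIST_RE = re.compile(r"^\s*([a-z-]+)\s*\[([^\]]*)\]", re.MULTILINE)

def parse_lists(definition):
    """Return {setting-name: [apps]} for every bracketed list in the output."""
    return {name: body.split() for name, body in LIST_RE.findall(definition)}

def explicit_dependencies(definition):
    """Apps in use-applications not covered by implicit-use-applications."""
    lists = parse_lists(definition)
    implicit = set(lists.get("implicit-use-applications", []))
    return [app for app in lists.get("use-applications", []) if app not in implicit]

def missing_allows(definition, rule_apps):
    """Enabler apps that the security rules (rule_apps) do not yet allow."""
    allowed = set(rule_apps)
    return [app for app in explicit_dependencies(definition) if app not in allowed]

# Sample input: trimmed from the definitions shown in this article.
FACEBOOK_BASE = """\
facebook-base {
  default {
    port tcp/80,443
  }
  use-applications [ ssl web-browsing ]
  tunnel-applications [ facebook-apps facebook-chat facebook-file-sharing
    facebook-mail facebook-posting facebook-social-plugin instagram ]
  implicit-use-applications [ ssl web-browsing ]
  risk 4
}
"""
OFFICE_ON_DEMAND = """\
office-on-demand {
  default {
    port tcp/80
  }
  use-applications [ ms-office365-base sharepoint-online ssl web-browsing ]
  risk 3
}
"""

if __name__ == "__main__":
    print("facebook-base:", explicit_dependencies(FACEBOOK_BASE))
    print("office-on-demand:", explicit_dependencies(OFFICE_ON_DEMAND))
    # Constructed rule: allows only office-on-demand and ssl.
    print("still missing:", missing_allows(OFFICE_ON_DEMAND, ["office-on-demand", "ssl"]))
```

An empty result means the dependent app can be allowed on its own; a non-empty result lists the apps to add to the same rule or to a separate one.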

owner: ialeksov