PAN-OS 9.1+ New Locations for Application Dependency Visibility
Starting with PAN-OS version 9.1, Palo Alto Networks introduced enhanced visibility into application dependencies. This helps administrators identify and include required dependent applications in Security Policy rules, preventing potential traffic drops or policy mismatches caused by missing dependencies.
Understanding where this information is presented is crucial for effective policy creation and commit validation.
Where Application Dependencies are Reported (PAN-OS 9.1+)
The two primary locations where PAN-OS now actively reports application dependency information are:
1. App Dependency Tab in the Commit Status Window
- When you initiate a commit (on Panorama or a firewall), PAN-OS validates the configuration.
- If a Security Policy rule includes an application that relies on other applications (dependencies) which are *not* also explicitly included in the same rule (or allowed by another rule), a warning is generated.
- This warning, along with the specific missing dependencies, is displayed in the App Dependency tab within the Commit Status window.
- This allows administrators to review and add the missing dependent applications to the relevant rule(s) *before* finalizing the commit, thus preventing potential issues.
2. Application Tab in the Security Policy Rule Creation/Editing Window
- While creating a new Security Policy rule or editing an existing one, navigate to the Application tab.
- When you add an application to the rule that has known dependencies, the user interface will often display a warning or notification directly within this tab.
- The UI typically provides an option to easily add the identified dependent applications to the rule alongside the parent application you initially selected.
- This proactive notification helps ensure policies are complete from the outset.
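The commit-time check described under location 1 can be reproduced offline when reviewing an exported rulebase. The sketch below is an added example, not Palo Alto Networks code: the dependency map, rule fields and zone names are constructed, "allowed by another rule" is simplified to "any allow rule with the same zone pair", and following dependencies of dependencies is a choice of this sketch rather than documented PAN-OS behavior.

```python
# Constructed sample data: illustrative only, not exported from a firewall
# and not taken from the App-ID content database.
APP_DEPENDS = {
    "facebook-chat": {"facebook-base"},
    "facebook-base": {"ssl", "web-browsing"},
}

RULES = [
    {"name": "allow-social", "from": "trust", "to": "untrust",
     "action": "allow", "apps": {"facebook-chat"}},
    {"name": "allow-web", "from": "trust", "to": "untrust",
     "action": "allow", "apps": {"ssl", "web-browsing"}},
    {"name": "dmz-dns", "from": "dmz", "to": "untrust",
     "action": "allow", "apps": {"dns"}},
]


def missing_dependencies(rules, depends):
    """Return {rule name: sorted dependencies that no allow rule covers}."""
    report = {}
    for rule in rules:
        if rule["action"] != "allow":
            continue
        # Applications allowed by any allow rule for the same zone pair
        # (assumed stand-in for "allowed by another rule").
        covered = set()
        for other in rules:
            if (other["action"] == "allow"
                    and other["from"] == rule["from"]
                    and other["to"] == rule["to"]):
                covered |= other["apps"]
        # Collect direct and transitive dependencies of the rule's applications.
        needed, stack = set(), list(rule["apps"])
        while stack:
            for dep in depends.get(stack.pop(), ()):
                if dep not in needed:
                    needed.add(dep)
                    stack.append(dep)
        missing = sorted(needed - covered)
        if missing:
            report[rule["name"]] = missing
    return report


if __name__ == "__main__":
    for name, deps in missing_dependencies(RULES, APP_DEPENDS).items():
        print(f"{name}: missing {', '.join(deps)}")
```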
Locations Where Dependencies Are NOT Actively Reported (in this context)
- Policy Optimizer’s Rule Usage page: This tool focuses on analyzing actual traffic logs to identify used/unused rules, rules using port-based matching instead of App-ID, and potential policy cleanup or optimization opportunities. It does not specifically highlight application dependency requirements based on the configured applications in the rule.
- Objects > Applications browser pages: While this section provides details about individual applications (including listing their dependencies if you view the application details), it doesn't actively *warn* you about missing dependencies in the context of specific policy rules you are creating or committing. You need to manually check the application details here.
PAN-OS 11.x Context:
These features introduced in PAN-OS 9.1 continue to exist and function in later versions like PAN-OS 11.0 and 11.1. While tools like Policy Optimizer and Best Practice Assessment (BPA) have been enhanced, the core locations for being warned about missing dependencies during rule creation and commit remain the Commit Status window and the Application tab within the policy rule itself.