How to Configure Application Control Advanced feature in SonicOS Enhanced (5.8 and above)

Description

In SonicOS 5.8, the Application Firewall feature of previous SonicOS releases has been significantly enhanced with Application Control functionality. As part of this solution, the set of application-relevant signatures has been extracted from the existing set of IPS signatures and placed under the realm of the Application Control feature. This change impacts the way that application control policies and dynamic objects are configured and used.

SonicOS 5.8 introduces a new user interface for application control with the new Firewall | App Control Advanced page. In some TZ models the App Control Advanced page is located under Security Services. This screen provides a simple and direct way of configuring application control rules. In SonicOS 5.8, all of the application configuration which was previously available under Security Services | Intrusion Prevention is now moved to the App Rules page, leaving IPS to handle threats and attacks. This change means that applications have their own user interface now, and you no longer have to configure them under Intrusion Prevention.

The most significant enhancement made in the configuration of application signatures is the addition of a new configuration level called Application. Previously, under IPS, signatures were grouped by Priority, Category and Signature. With the Application level, application signatures are grouped by the name of the application. For example, the 8 signatures of Google Chat have been grouped under the Application name "Google Chat" (see screenshot below). The advantage of this level of granularity is that administrators can prevent application traffic by configuring the Application rather than configuring each signature. Keeping with the example above, to block Google Chat an administrator need only enable prevention of Google Chat, instead of enabling prevention on each of the 8 signatures.

You can enable prevention or detection for a whole category of applications with one click, and can easily locate and do the same for an individual application or individual signature. Once enabled, Category, Application, or Signature is blocked or logged globally.

Resolution

Video Tutorial: Click here for the video tutorial of "How to block applications using application control advanced"

The article describes the various methods to configure Application Control on the App Control Advanced page.

Enable Application Control

  • Application Control is license based.
  • On the App Control Advanced page, check the box Enable App Control and press ENTER to save.
  • Enable App Control per zone by checking the box under Enable App Control Service on each zone.
    Image

App Control view style

Image

Application Control signatures can be viewed by Category, Application and Signature.

  • View by Category with Category set to All and Application set to All = All Categories will be listed without either Application or Signatures listed. 
  • View by Application with Category set to All and Application set to All = All Categories with their corresponding Application will be listed without listing Signatures. 
  • View by Signatures with Category set to All and Application set to All = All Categories with their corresponding Application and Signatures will be listed. 

For example, selecting the category IM with each of the following Viewed By settings gives the following:

  • Viewed By Category = Category IM is listed without either the applications or signatures for that category listed.
Image

 

  • Viewed By Application = Category IM is listed with the corresponding applications for that category and without signatures for that category listed.
Image

 

  • Viewed By Signature = Category IM is listed with the corresponding applications and signatures.
Image

Category based Application Control

Continuing with the above example of IM, we configure the following to block all IM applications:

  • In the SonicWall Management GUI, navigate to Firewall | App Control Advanced.
  • Click on Enable App Control and press ENTER.
  • Select IM from the Category drop-down list.
  • Click on the configure button to bring up the Edit App Control Category window.
  • Select Enable under Block and Log.
  • Click on OK to save.
Image

Blocking a category while allowing an application within the category

In this example we configure the application Jabber (Gtalk) to be allowed although the parent category IM is set to Block.

  • On the App Control Advanced page, select IM from the Category drop-down list.
  • Select Jabber (Google Talk) from the Application drop-down list.
  • Setting Viewed By to Application will list only Jabber (Google Talk).
  • Click on the configure button either alongside the Application drop-down or under Configure, to bring up the Edit App Control App window.
  • Select Disable under Block. Log could be set to either use Category Settings, Enable or Disable.
  • Click on OK to save.
Image

Blocking a signature while allowing the parent application

In this example we block the category Webmail, allow mail.google.com (gmail.com), but block the chat embedded in Gmail.

  • On the App Control Advanced page, select Webmail from the Category drop-down list.
  • Select Gmail (Google Mail) from the Application drop-down list.
  • Setting Viewed By to Signature will list signatures for Gmail.
    Image
  • To block the embedded Chat within Gmail, click on the configure button alongside Signature ID 3440 (SSL Traffic 2), to bring up the Edit App Control App window.
  • Select Disable under Block. Log could be set to either use Category Settings, Enable or Disable.
  • Click on OK to save.
    Image

Including / Excluding IP Address Range

When an object (e.g. IM) is selected at each layer of App Control configuration, the following options are available to include or exclude IP addresses:


Category layer
  • All: This applies to all hosts behind the SonicWall.
  • Custom and default address objects and groups: Either use default objects such as LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.
Application layer
  • Use Category Settings: Selecting this option inherits the settings configured in the parent Category.
  • All: This applies to all hosts behind the SonicWall.
  • Custom and default address objects and groups: Either use default objects such as LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.
Signature layer
  • Use App Settings: Selecting this option inherits the settings configured in the parent Application.
  • All: This applies to all hosts behind the SonicWall.
  • Custom and default address objects and groups: Either use default objects such as LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.

In the example below, the Category IM has been blocked for all hosts behind the SonicWall except IP address 192.168.168.3.
Image

In the example below, the Application Gmail (Google Mail) is allowed for all hosts except the IP address, 192.168.168.100. 
Image

In the example below, the Signature SSL Traffic 2 under Application Gmail (Google Mail) is blocked for the IP address, 192.168.168.2.
Image

Including / Excluding Users / User Groups

Similar to including or excluding IP addresses, inclusion / exclusion of Users or User groups on each layer of App Control can be configured in the following manner:

Category layer
  • All: This applies to all users behind the SonicWall.
  • Custom and default user objects and groups: Either use the default user objects such as Everyone or Trusted Users, or create a local user.
Application layer
  • Use Category Settings: Selecting this option inherits the settings configured in the parent Category.
  • All: This applies to all users behind the SonicWall.
  • Custom and default user objects and groups: Either use the default user objects such as Everyone or Trusted Users, or create a local user.
Signature layer
  • Use App Settings: Selecting this option inherits the settings configured in the parent Application.
  • All: This applies to all users behind the SonicWall.
  • Custom and default user objects and groups: Either use the default user objects such as Everyone or Trusted Users, or create a local user.

App Control Logs

When a category, application or a signature is blocked, logs similar to the ones below can be seen under the Log | View page. To be able to see Application Control logs, make sure the following are true:

1. The log category Application Control is checked for logging under Log | Categories.
2. When configuring a category, application or a signature, make sure the option Log is set to Enable.

Image 


Resolution for SonicOS 6.5 and Later

SonicOS 6.5 was released September 2017. This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 and later firmware.

The article describes the various methods to configure Application Control on the App Control Advanced page.

Enable Application Control

Log in to your SonicWall management page and click on the Manage tab at the top of the page.

  • Navigate to the Rules | Advanced Application Control page and, on the right side, check the Enable App Control checkbox under the App Control Global Settings section.
  • Click the Accept button to save the settings.

Note: Enable App Control per zone by checking the box under Enable App Control Service on each zone.
Image

App Control view style

Image

Application Control signatures can be viewed by Category, Application and Signature.

  • View by Category with Category set to All and Application set to All = All Categories will be listed without either Application or Signatures listed. 
  • View by Application with Category set to All and Application set to All = All Categories with their corresponding Application will be listed without listing Signatures. 
  • View by Signatures with Category set to All and Application set to All = All Categories with their corresponding Application and Signatures will be listed. 

For example, selecting the category IM with each of the following Viewed By settings gives the following:

  • Viewed By Category = Category IM is listed without either the applications or signatures for that category listed.
Image

 

  • Viewed By Application = Category IM is listed with the corresponding applications for that category and without signatures for that category listed.
Image

 

  • Viewed By Signature = Category IM is listed with the corresponding applications and signatures.
Image

 

Category based Application Control

Log in to your SonicWall management page and click on the Manage tab at the top of the page.

  • Navigate to the Rules | Advanced Application Control page and, on the right side, check the Enable App Control checkbox under App Control Global Settings.
  • Under the App Control Advanced section, select IM from the Category drop-down list.
  • Click on the configure button to bring up the Edit App Control Category window.
  • Select Enable under Block and Log.
  • Click on OK to save.
Image

 

Blocking a category while allowing an application within the category

In this example we configure the application Kakao Talk to be allowed although the parent category IM is set to Block.

  • On the App Control Advanced page, select IM from the Category drop-down list.
  • Select Kakao Talk from the Application drop-down list.
  • Setting Viewed By to Application will list only Kakao Talk.
  • Click on the configure button either alongside the Application drop-down or under Configure, to bring up the Edit App Control App window.
  • Select Disable under Block. Log could be set to either use Category Settings, Enable or Disable.
  • Click on OK to save.
Image

 

Blocking a signature while allowing the parent application

In this example we block the category Webmail, allow mail.google.com (gmail.com), but block the chat embedded in Gmail.

  • On the App Control Advanced page, select Webmail from the Category drop-down list.
  • Select Google Mail (Gmail) from the Application drop-down list.
  • Setting Viewed By to Signature will list signatures for Gmail.
    Image
  • To block the embedded Chat within Gmail, click on the configure button alongside Signature ID 7624 (SSL Traffic 2), to bring up the Edit App Control App window.
  • Select Disable under Block. Log could be set to either use Category Settings, Enable or Disable.
  • Click on OK to save.
Image

Including / Excluding IP Address Range

When an object (e.g. IM) is selected at each layer of App Control configuration, the following options are available to include or exclude IP addresses:

 

Category layer
  • All: This applies to all hosts behind the SonicWall.
  • Custom and default address objects and groups: Either use default objects such as LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.
Application layer
  • Use Category Settings: Selecting this option inherits the settings configured in the parent Category.
  • All: This applies to all hosts behind the SonicWall.
  • Custom and default address objects and groups: Either use default objects such as LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.
Signature layer
  • Use App Settings: Selecting this option inherits the settings configured in the parent Application.
  • All: This applies to all hosts behind the SonicWall.
  • Custom and default address objects and groups: Either use default objects such as LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.

In the example below, the Category IM has been blocked for all hosts behind the SonicWall except IP address 192.168.168.3.
Image

In the example below, the Application Gmail (Google Mail) is allowed for all hosts except the IP address, 192.168.168.100. 
Image

In the example below, the Signature SSL Traffic 2 under Application Gmail (Google Mail) is blocked for the IP address, 192.168.168.2.
Image
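The three-layer scope and inheritance rules described above (the Category, Application and Signature layers in both the SonicOS 5.8 and the 6.5 sections, together with the IM, Jabber and Gmail examples) can be modelled to predict the effective action for a given host before checking it in the GUI. The following Python is an added example, not SonicOS code: the resolution rule it assumes (the most specific explicitly configured layer whose address scope covers the host decides, otherwise the traffic is allowed), the address objects it builds and the names of the inheriting entries are constructed assumptions, and user/group scopes are left out.

```python
# Added example (not SonicOS code): a model of the Category -> Application -> Signature
# policy hierarchy with per-layer included/excluded host scopes. Assumed resolution rule:
# from the most specific layer upwards, the first layer that is explicitly configured (not
# "Use Category/App Settings") and whose scope covers the host decides; otherwise allow.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

INHERIT = None  # Block set to "Use Category Settings" (Application) or "Use App Settings" (Signature)


@dataclass
class Layer:
    name: str
    block: Optional[bool] = INHERIT        # True = Block Enable, False = Block Disable
    included: Optional[list] = None        # None = "All" hosts, else a list of address objects
    excluded: list = field(default_factory=list)
    parent: Optional["Layer"] = None       # Application -> Category, Signature -> Application

    def covers(self, host: str) -> bool:
        """True if the host is inside the included scope and not in the excluded scope."""
        ip = ip_address(host)
        if any(ip in ip_network(net) for net in self.excluded):
            return False
        return self.included is None or any(ip in ip_network(net) for net in self.included)


def effective_block(layer: Layer, host: str) -> bool:
    """Walk from the given layer up to its Category and return the effective Block decision."""
    while layer is not None:
        if layer.block is not INHERIT and layer.covers(host):
            return layer.block
        layer = layer.parent
    return False


# Constructed policy reproducing the page's examples (names of the inheriting entries are made up).
im = Layer("IM", block=True, excluded=["192.168.168.3/32"])
jabber = Layer("Jabber (Google Talk)", block=False, parent=im)
other_im = Layer("Other IM app", parent=im)                    # uses Category Settings
webmail = Layer("Webmail", block=True)
gmail = Layer("Gmail (Google Mail)", block=False, excluded=["192.168.168.100/32"], parent=webmail)
gmail_chat = Layer("SSL Traffic 2", block=True, included=["192.168.168.2/32"], parent=gmail)
gmail_other = Layer("Other Gmail signature", parent=gmail)     # uses App Settings

if __name__ == "__main__":
    for layer, host in [(other_im, "192.168.168.50"), (other_im, "192.168.168.3"),
                        (jabber, "192.168.168.50"), (gmail_chat, "192.168.168.2"),
                        (gmail_chat, "192.168.168.50"), (gmail_other, "192.168.168.100")]:
        action = "BLOCK" if effective_block(layer, host) else "allow"
        print(f"{layer.name:22} from {host:15} -> {action}")
```

Note that 192.168.168.100 ends up blocked for Gmail even though the Application is set to allow: the host is excluded from the Application scope, so the decision falls back to the blocked parent Category, which is why the exclusion lists at each layer deserve a second look after every change.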

Including / Excluding Users / User Groups

Similar to including or excluding IP addresses, inclusion / exclusion of Users or User groups on each layer of App Control can be configured in the following manner:

Category layer
  • All: This applies to all users behind the SonicWall.
  • Custom and default user objects and groups: Either use the default user objects such as Everyone or Trusted Users, or create a local user.
Application layer
  • Use Category Settings: Selecting this option inherits the settings configured in the parent Category.
  • All: This applies to all users behind the SonicWall.
  • Custom and default user objects and groups: Either use the default user objects such as Everyone or Trusted Users, or create a local user.
Signature layer
  • Use App Settings: Selecting this option inherits the settings configured in the parent Application.
  • All: This applies to all users behind the SonicWall.
  • Custom and default user objects and groups: Either use the default user objects such as Everyone or Trusted Users, or create a local user.


App Control Logs

When a category, application or a signature is blocked, logs similar to the ones below can be seen under the Investigate tab, on the Event Logs page. To be able to see Application Control logs, make sure the following are true:

1. The log category Application Control is checked for logging under the Manage tab, on the Log Settings | Base Settings page, under Categories.
2. When configuring a category, application or a signature, make sure the option Log is set to Enable.

Image