App Control Advance: Exclusion Logic

07/29/2021 140 6600

DESCRIPTION:

Many a times, App control application/signature exclusion does not work as configured.

The logic for exclusion which firewall understands is if category is blocked completely , then it will skip the checking for exclusion/inclusion list of its corresponding applications. Similarly, if application is blocked completely, then it will skip the checking for the exclusion/inclusion list of its corresponding signatures.

 EXAMPLE: Lets take an example of 'Multimedia' category which has been blocked completely through application control advanced but we need to access YouTube website.

If we directly go to the application YouTube and configure it with an exclusion list, it will fail to execute the exclusion list because at the category level it has been blocked and hence firewall will not check the exclusion list of individual applications.

• SonicOS 7.X
  
  

• SonicOS 6.5
  
  
  

• Due to this, YouTube will still be blocked for all devices as the exclusion logic is not applied.
  

RESOLUTION:

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

A reverse logic should be implemented to achieve these kind of requirements. Lets take the same example where multimedia category is still blocked and YouTube needs to be allowed.

• Instead of configuring the exclusion list, we will configure a reverse logic where we will configure the inclusion list as shown below. Here, firewall will check the exclusion/inclusion list as now the block has been disabled which is different than its parent category level. 
  
  
• Now the "testpc" device should be able to access YouTube.
  
  
  NOTE: Same logic can be applied for signature level as well if we have specific signature which needs to be excluded but its parent application needs to be blocked.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

A reverse logic should be implemented to achieve these kind of requirements. Lets take the same example where multimedia category is still blocked and YouTube needs to be allowed.

• Instead of configuring the exclusion list, we will configure a reverse logic where we will configure the inclusion list as shown below. Here, firewall will check the exclusion/inclusion list as now the block has been disabled which is different than its parent category level.
  
  
  NOTE: Same logic can be applied for signature level as well if we have specific signature which needs to be excluded but its parent application needs to be blocked.