App Control Exclusion is not Working
11/20/2023
Description
Even after allowing a "User Group" or an "Address Object/Group" in a blocked application in App Control, the allowed users/devices can still be blocked from accessing the application. A common cause is the use of internal DNS servers that are not part of the allowed group. This article explains the methods available to stop App Control from blocking the internal DNS servers.
Cause
Many applications have "DNS Query" as one of their signatures, as seen in the picture below. When internal DNS servers are used, the DNS queries from all user devices go through these internal DNS servers, so the firewall sees the DNS server, not the user device, as the source of those queries. If the DNS servers are not allowed in a blocked application, the DNS queries related to that application will be blocked, and the allowed users will therefore be unable to access the required application.
![Image](https://sonicwall.rightanswers.com/portal/app/portlets/results/onsitehypermedia/090231119275307.png?linkToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzb25pY3dhbGwiLCJleHAiOjE3NTM0OTkxMDMsImlhdCI6MTcyMTk2MzEwM30.NOoYKAI9AGvEzc3GRPUBVYJLFHam664o-3t9TnlfZCg)
Resolution
The following methods can be used to stop App Control from blocking the internal DNS servers:
1) If an Address Group is being used to allow a group of IP addresses from a blocked application, it is recommended to add the DNS server IP address to this Address Group as well.
2) If a User Group is being used to allow a group of users from an application, use one of the following methods:
- If the DNS server also has a user account, this user account can be added to the allowed User Group.
- If the DNS server user account cannot be added to the User Group, the DNS server IP address can be allowed in two ways:
  - Add the DNS server IP to the Global App Control Exclusion List, or
  - Instead of using App Control, use App Rules to exclude both the User Group and the IP Address Object/Group.
NOTE: If both a "User Group" and an "Address Group" are selected to be allowed from an application (using "Included User/Groups" AND "Included IP Address Range"), then only traffic that matches BOTH the "Address Group" AND the "User Group" will be allowed. Traffic that matches only one of the two, either the "Address Group" OR the "User Group", will not be allowed.
More information on why "Included User/Groups" and "Included IP Address Range" are used can be found in the following KB article about Exclusion Logic:
[[App Control Advance: Exclusion Logic|200422030712977]]
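The following Python model, added here as an illustration and not SonicWall code, shows why a forwarded DNS query from the internal DNS server is blocked while the client itself is allowed, how each of the fixes above changes the result, and the AND behaviour described in the NOTE. The policy values (user names, subnets, the 10.0.0.53 DNS server) are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy for one blocked application whose signatures
# include "DNS Query". Both exclusion fields are configured, so AND logic applies.
ALLOWED_USERS = {"alice", "bob"}     # "Included User/Groups"
ALLOWED_IPS = {"10.0.1.0/24"}        # "Included IP Address Range" (client subnet)
GLOBAL_EXCLUSION = set()             # Global App Control Exclusion List


def in_ranges(ip, ranges):
    """True when ip falls inside any of the given CIDR ranges (strings)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in ranges)


def is_allowed(src_ip, user, allowed_users=ALLOWED_USERS,
               allowed_ips=ALLOWED_IPS, global_excl=GLOBAL_EXCLUSION):
    """Return True when the flow is excluded from the block.

    The global exclusion list is honoured first. When both an Included
    User/Groups and an Included IP Address Range are configured, the flow
    must match BOTH of them; matching only one is not enough."""
    if in_ranges(src_ip, global_excl):
        return True
    checks = []
    if allowed_users:
        checks.append(user in allowed_users)
    if allowed_ips:
        checks.append(in_ranges(src_ip, allowed_ips))
    return bool(checks) and all(checks)


def client_lookup_via_internal_dns(client_ip, user, dns_ip, **policy):
    """The client's own flow versus the DNS query the internal DNS server
    forwards on its behalf: the firewall sees the DNS server's IP, and no
    authenticated user, as the source of that query."""
    return {
        "client_flow": is_allowed(client_ip, user, **policy),
        "dns_query_flow": is_allowed(dns_ip, None, **policy),
    }


if __name__ == "__main__":
    print("default policy:", client_lookup_via_internal_dns("10.0.1.20", "alice", "10.0.0.53"))
    print("DNS server on global exclusion list:",
          is_allowed("10.0.0.53", None, global_excl={"10.0.0.53/32"}))
    print("DNS user account, but not in address group (AND logic):",
          is_allowed("10.0.0.53", "dns-svc", allowed_users={"alice", "dns-svc"}))
```

Each of the three fixes (DNS server IP in the Address Group, a DNS server user account in the User Group with no address range configured, or the Global App Control Exclusion List) turns the forwarded query's result to allowed; only the last one works when both exclusion fields remain configured.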