How can I configure Application Control Advanced feature in SonicOS Enhanced?
03/26/2020 
1787 
41573
DESCRIPTION:
In SonicOS 5.8, the Application Firewall feature of previous SonicOS releases has been significantly enhanced with Application Control functionality. As part of this solution, the set of application relevant signatures have been extracted from the existing set of IPS signatures and placed under the realm of the Application Control feature. This change impacts the way that application control policies and dynamic objects are configured and used.
SonicOS 5.8 introduces a new user interface for application control with the new Firewall | App Control Advanced page. In some TZ models the App Control Advanced page is located under Security Services. This screen provides a simple and direct way of configuring application control rules. In SonicOS 5.8, all of the application configuration which was previously available under Security Services | Intrusion Prevention is now moved to the App Rules page, leaving IPS to handle threats and attacks. This change means that applications have their own user interface now, and you no longer have to configure them under Intrusion Prevention.
The most significant enhancement made in the configuration of application signatures is the addition of a new level configuration called Application. Hitherto, under IPS signatures were grouped under Priority, Categories and Signatures. With Application level, application signatures are grouped based on the name of the application. For eg. the 8 signatures of Google Chat have been grouped under the Application name "Google Chat" (See screenshot below). The advantage of this level of granularity is that administrators can prevent application traffic by configuring the Application rather than configure each signature. Keeping with the example above, to block Google Chat an administrator need only enable prevention of Google Chat, instead of enabling prevention on each of the 8 signatures.
You can enable prevention or detection for a whole category of applications with one click, and can easily locate and do the same for an individual application or individual signature. Once enabled, Category, Application, or Signature is blocked or logged globally.
RESOLUTION:
TIP:Video Tutorial: Click here for the video tutorial of How to block applications using application control advanced.
The article describes the various methods to configure Application Control on the App Control Advanced page.
Enable Application Control
App Control view style
- Application Control signatures can be viewed by Category, Application and Signature..
- View by Category with Category set to All and Application set to All = All Categories will be listed without either Application or Signatures listed.
- View by Application with Category set to All and Application set to All = All Categories with their corresponding Application will be listed without listing Signatures.
- View by Signatures with Category set to All and Application set to All = All Categories with their corresponding Application and Signatures will be listed.
EXAMPLE: By selecting category IM with the following Viewed By settings will get the following.
- Viewed By Category= Category IM is listed without either the applications or signatures for that category listed.
|
 |
- Viewed By Application = Category IM is listed with the corresponding applications for that category and without signatures for that category listed.
|
 |
- Viewed By Signature = Category IM is listed with the corresponding applications and signatures.
|
 |
Category based Application Control
- Login to your SonicWall management page and click on Manage tab on top of the page.
- Navigate to Rules | Advanced Application Control page, on right side enable Enable App Control checkbox under App Control Global Settings.
- Under App Control Advanced Section, select IM from Category drop-down list.
- Click on the configure button to bring up the Edit App Control Category window.
- Select Enable under Block and Log.
- Click OK .
|
 |
Blocking a category while allowing an application within the category.
In this example we configure the application Kakao Talk to be allowed although the parent category IM is set to Block. - On the App Control Advanced Page, select IM from Category drop-down list.
- Select Kakao Talk from the Application drop-down list.
- Setting Viewed By to Application will list only Kakao Talk.
- Click configure button either alongside the Application drop-down or under Configure, to get Edit App Control App window.
- Select Disable under Block. Log could be set to either use Category Settings, Enable or Disable.
- Click OK .
|
 |
Blocking a signature while allowing the parent application
- In this example we block the category Webmail, allow mail.google.com (Gmail.com) but block embedded chat in Gmail.
- On the App Control Advanced page, select Webmail from the Category drop-down list.
- Select Google Mail (Gmail) from the Application drop-down list.
- Setting Viewed By to Signature will list signatures for Gmail.
- To block the embedded Chat within Gmail, click on the configure button alongside Signature ID 7624(SSL Traffic 2), to bring up the Edit App Control App window.
- Select Disable under Block. Log could be set to either use Category Settings, Enable or Disable.
- Click OK.
Including / Excluding IP Address Range
- When an object ( EXAMPLE: IM) is selected on each layer of configuring App Control the following options are there to include or exclude IP addresses.
| Category layer | All: This applies to all hosts behind the SonicWall. Custom and default address objects and groups: Can either use the default objects like LAN Subnets, or create a custom address object for individual IP addresses, range of IP addresses. |
| Application layer | Use Category Settings: Selecting this option would inherit the settings configured in the parent Category. All: This applies to all hosts behind the SonicWall. Custom and default address objects and groups: Can either use the default objects like LAN Subnets, or create a custom address object for individual IP addresses, range of IP addresses. |
| Signature layer | Use App Settings: Selecting this option would inherit the settings configured in the parent Application. All: This applies to all hosts behind the SonicWall. Custom and default address objects and groups: Can either use the default objects like LAN Subnets, or create a custom address object for individual IP addresses, range of IP addresses. |
- In the example below, the Category IM has been blocked for all hosts behind the SonicWall except IP address 192.168.168.3.
- In the example below, the Application Gmail (Google Mail) is allowed for all hosts except the IP address, 192.168.168.100.
- In the example below, the Signature SSL Traffic 2 under Application Gmail (Google Mail) is blocked for the IP address, 192.168.168.2.
Including / Excluding Users / User Groups
- Similar to including or excluding IP addresses, inclusion / exclusion of Users or User groups on each layer of App Control can be configured in the following manner.
| Category layer | All: This applies to all users behind the SonicWall. Custom and default user objects and groups: Can either use the default user objects like Everyone, Trusted Users etc. or create a local user. |
| Application layer | Use Category Settings: Selecting this option would inherit the settings configured in the parent Category. All: This applies to all users behind the SonicWall. Custom and default user objects and groups: Can either use the default user objects like Everyone, Trusted Users etc. or create a local user. |
| Signature layer | Use App Settings: Selecting this option would inherit the settings configured in the parent Application. All: This applies to all users behind the SonicWall. Custom and default user objects and groups: Can either use the default user objects like Everyone, Trusted Users etc. or create a local user. |
App Control Logs
When a category, application or a signature is blocked, logs similar to the ones below can be seen under the Investigate tab | Event Logs.To be able to see Application Control logs make sure the following are true:
- The log category Application Control is checked for logging under Manage tab Log Settings | Base Settings page| Categories.
- When configuring a category, application or a signature, make sure the option Log is set to Enable.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
NOTE: Enable App Control per zone by checking the box under Enable App Control Service on each zone.