How can I configure Application Control Advanced feature in SonicOS Enhanced?

10/14/2021 2,261 People found this article helpful 230,290 Views


    Description

    In SonicOS 5.8, the Application Firewall feature of previous SonicOS releases has been significantly enhanced with Application Control functionality. As part of this solution, the set of application-relevant signatures has been extracted from the existing set of IPS signatures and placed under the Application Control feature. This change impacts the way that application control policies and dynamic objects are configured and used.

    SonicOS 5.8 introduces a new user interface for application control with the new Firewall | App Control Advanced page. In some TZ models the App Control Advanced page is located under Security Services. This screen provides a simple and direct way of configuring application control rules. In SonicOS 5.8, all of the application configuration which was previously available under Security Services | Intrusion Prevention is now moved to the App Rules page, leaving IPS to handle threats and attacks. This change means that applications have their own user interface now, and you no longer have to configure them under Intrusion Prevention.

    The most significant enhancement to the configuration of application signatures is the addition of a new configuration level called Application. Previously, under IPS, signatures were grouped under Priority, Categories and Signatures. With the Application level, application signatures are grouped based on the name of the application. For example, the 8 signatures of Google Chat have been grouped under the Application name "Google Chat". The advantage of this level of granularity is that administrators can prevent application traffic by configuring the Application rather than configuring each signature. Keeping with the example above, to block Google Chat an administrator need only enable prevention of Google Chat, instead of enabling prevention on each of the 8 signatures.

    You can enable prevention or detection for a whole category of applications with one click, and can easily locate and do the same for an individual application or individual signature. Once enabled, the Category, Application, or Signature is blocked or logged globally.

    Resolution

    TIP: Video Tutorial: Click here for the video tutorial on how to block applications using application control advanced.

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

    Enable Application Control

    • Log in to your SonicWall management page and click the Policy tab at the top of the page.
    • Navigate to the Security Services | App Control page and, on the right side, select the Enable App Control checkbox under the App Control Status / Settings section.
    • Click Accept.

    • Application Control signatures can be viewed by Category, Application and Signature.
    • To view the App Control options by Category, select Category in the Viewed by drop-down menu.
    • The same drop-down menu can be used to view the App Control options by Application and Signature.


    Category based Application Control 

    • Log in to your SonicWall management page and click the Policy tab at the top of the page.
    • Navigate to the Security Services | App Control page and, on the right side, turn on the Enable App Control toggle switch under App Control Global Settings.
    • Under the App Control | Signature section, select IM from the Category drop-down list.
    • Click the configure button to bring up the Edit App Control Category window.
    • Select Enable under Block and Log.
    • Click OK.


    Blocking an application while allowing the category.

    In this example we configure the application Twitter to be blocked although the parent category Social-Networking is set to Allow.

    • On the App Control Signatures page, select Social-Networking from the Category drop-down list.
    • Select Twitter from the Application drop-down list.
    • Setting Viewed By to Application will list only Twitter.
    • Click the configure button, either alongside the Application drop-down or under Configure, to open the Edit App Control App window.
    • Select Enable under Block. Log can be set to Use Category Settings, Enable or Disable.
    • Click OK.


    Signature based Application Control


    • Log in to your SonicWall management page and click the Policy tab at the top of the page.
    • Navigate to the Security Services | App Control page and, on the right side, turn on the Enable App Control toggle switch under App Control Global Settings.
    • Under the App Control | Signature section, select Social-Networking from the Category drop-down list.
    • Change the Viewed By option to Signature.
    • Click the configure button on SSL traffic 1 to bring up the Edit App Control Signature window.
    • Select Enable under Block and Log.
    • Click OK.


    Including / Excluding IP Address Range

    • When an object is selected on each layer of App Control configuration, the following options are available to include or exclude IP addresses.
    Category layer

    All: This applies to all hosts behind the SonicWall.

    Custom and default address objects and groups: You can either use the default objects, like LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.

    Application layer

    Use Category Settings: Selecting this option inherits the settings configured in the parent Category.

    All: This applies to all hosts behind the SonicWall.

    Custom and default address objects and groups: You can either use the default objects, like LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.

    Signature layer

    Use App Settings: Selecting this option inherits the settings configured in the parent Application.

    All: This applies to all hosts behind the SonicWall.

    Custom and default address objects and groups: You can either use the default objects, like LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.


    • Example: the Category Social-Networking is blocked for all hosts behind the SonicWall except the address object labeled SSO Agent 192.168.1.2.


    Including / Excluding Users / User Groups

    • Similar to including or excluding IP addresses, inclusion or exclusion of Users or User Groups on each layer of App Control can be configured in the following manner.
    Category layer

    All: This applies to all users behind the SonicWall.

    Custom and default user objects and groups: You can either use the default user objects, like Everyone or Trusted Users, or create a local user.

    Application layer

    Use Category Settings: Selecting this option inherits the settings configured in the parent Category.

    All: This applies to all users behind the SonicWall.

    Custom and default user objects and groups: You can either use the default user objects, like Everyone or Trusted Users, or create a local user.

    Signature layer

    Use App Settings: Selecting this option inherits the settings configured in the parent Application.

    All: This applies to all users behind the SonicWall.

    Custom and default user objects and groups: You can either use the default user objects, like Everyone or Trusted Users, or create a local user.


    • Example: the Category Social-Networking is blocked for all users behind the SonicWall except the user group labeled Finance.



    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

    Enable Application Control

    • Log in to your SonicWall management page and click the Manage tab at the top of the page.
    • Navigate to the Rules | Advanced Application Control page and, on the right side, select the Enable App Control checkbox under the App Control Global Settings section.
    • Click Accept.

      NOTE: Enable App Control per zone by checking the box under Enable App Control Service on each zone.

    App Control view style

    • Application Control signatures can be viewed by Category, Application and Signature.
    • View by Category with Category set to All and Application set to All = All Categories are listed, without Applications or Signatures.
    • View by Application with Category set to All and Application set to All = All Categories are listed with their corresponding Applications, without Signatures.
    • View by Signatures with Category set to All and Application set to All = All Categories are listed with their corresponding Applications and Signatures.

    EXAMPLE: Selecting the category IM with each of the following Viewed By settings gives the following results.

    • Viewed By Category = Category IM is listed without the applications or signatures for that category.

    • Viewed By Application = Category IM is listed with the corresponding applications for that category, without the signatures.

    • Viewed By Signature = Category IM is listed with the corresponding applications and signatures.



    Category based Application Control


    • Log in to your SonicWall management page and click the Manage tab at the top of the page.
    • Navigate to the Rules | Advanced Application Control page and, on the right side, select the Enable App Control checkbox under App Control Global Settings.
    • Under the App Control Advanced section, select IM from the Category drop-down list.
    • Click the configure button to bring up the Edit App Control Category window.
    • Select Enable under Block and Log.
    • Click OK.


    Blocking a category while allowing an application within the category.

    In this example we configure the application Kakao Talk to be allowed although the parent category IM is set to Block.

    • On the App Control Advanced page, select IM from the Category drop-down list.
    • Select Kakao Talk from the Application drop-down list.
    • Setting Viewed By to Application will list only Kakao Talk.
    • Click the configure button, either alongside the Application drop-down or under Configure, to open the Edit App Control App window.
    • Select Disable under Block. Log can be set to Use Category Settings, Enable or Disable.
    • Click OK.



    Blocking a signature while allowing the parent application

    • In this example we block the category Webmail, allow mail.google.com (Gmail.com) but block embedded chat in Gmail.
    • On the App Control Advanced page, select Webmail from the Category drop-down list.
    • Select Google Mail (Gmail) from the Application drop-down list.
    • Setting Viewed By to Signature will list the signatures for Gmail.

    • To block the embedded Chat within Gmail, click the configure button alongside Signature ID 7624 (SSL Traffic 2) to bring up the Edit App Control App window.
    • Select Disable under Block. Log can be set to Use Category Settings, Enable or Disable.
    • Click OK.


    Including / Excluding IP Address Range

    • When an object (EXAMPLE: IM) is selected on each layer of App Control configuration, the following options are available to include or exclude IP addresses.
    Category layer

    All: This applies to all hosts behind the SonicWall.

    Custom and default address objects and groups: You can either use the default objects, like LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.

    Application layer

    Use Category Settings: Selecting this option inherits the settings configured in the parent Category.

    All: This applies to all hosts behind the SonicWall.

    Custom and default address objects and groups: You can either use the default objects, like LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.

    Signature layer

    Use App Settings: Selecting this option inherits the settings configured in the parent Application.

    All: This applies to all hosts behind the SonicWall.

    Custom and default address objects and groups: You can either use the default objects, like LAN Subnets, or create a custom address object for an individual IP address or a range of IP addresses.


    • Example: the Category IM is blocked for all hosts behind the SonicWall except IP address 192.168.168.3.

    • Example: the Application Gmail (Google Mail) is allowed for all hosts except the IP address 192.168.168.100.

    • Example: the Signature SSL Traffic 2 under Application Gmail (Google Mail) is blocked for the IP address 192.168.168.2.
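
The layer inheritance and the three include/exclude examples above can be checked with a small model before changing a live policy. This is an added illustration, not SonicWall code; it assumes that a field left on Use Category Settings / Use App Settings takes its parent's value and that a layer whose include/exclude scope does not cover a host is skipped in favour of its parent, and the host 192.168.168.10 is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ALL = ("0.0.0.0/0",)   # the "All" choice in the Included list
INHERIT = None         # "Use Category Settings" / "Use App Settings"


@dataclass
class Layer:
    name: str
    parent: Optional["Layer"] = None
    block: Optional[bool] = INHERIT
    log: Optional[bool] = INHERIT
    included: Optional[Tuple[str, ...]] = INHERIT
    excluded: Optional[Tuple[str, ...]] = INHERIT


def _resolved(layer, field, default):
    """Walk up the parents until a layer sets `field` explicitly."""
    while layer is not None:
        value = getattr(layer, field)
        if value is not INHERIT:
            return value
        layer = layer.parent
    return default


def in_scope(layer, host):
    addr = ip_address(host)
    included = _resolved(layer, "included", ALL)
    excluded = _resolved(layer, "excluded", ())
    return (any(addr in ip_network(n) for n in included)
            and not any(addr in ip_network(n) for n in excluded))


def effective(layer, host, field="block"):
    """Return (value, deciding layer name) for `field` as seen by `host`."""
    # Assumption of this model: a layer that does not cover the host is
    # skipped and its parent decides; with no covering layer, nothing applies.
    while layer is not None:
        value = getattr(layer, field)
        if value is not INHERIT and in_scope(layer, host):
            return value, layer.name
        layer = layer.parent
    return False, "default"


# Constructed sample policy combining the article's SonicOS 6.5 examples.
im = Layer("IM", block=True, log=True, included=ALL,
           excluded=("192.168.168.3/32",))
kakao = Layer("Kakao Talk", parent=im, block=False)
webmail = Layer("Webmail", block=True, log=True, included=ALL, excluded=())
gmail = Layer("Google Mail (Gmail)", parent=webmail, block=False,
              excluded=("192.168.168.100/32",))
ssl2 = Layer("SSL Traffic 2", parent=gmail, block=True,
             included=("192.168.168.2/32",))


def audit(hosts, layers):
    """Map (layer name, host) to the effective block decision."""
    return {(l.name, h): effective(l, h) for l in layers for h in hosts}


if __name__ == "__main__":
    hosts = ["192.168.168.2", "192.168.168.10", "192.168.168.100"]
    for key, result in audit(hosts, [im, kakao, gmail, ssl2]).items():
        print(key, "->", result)
```

Comparing the audit output against the intended policy shows which layer actually decides for each host, which helps catch an override or exclusion that silently widens access.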


    Including / Excluding Users / User Groups

    • Similar to including or excluding IP addresses, inclusion or exclusion of Users or User Groups on each layer of App Control can be configured in the following manner.
    Category layer

    All: This applies to all users behind the SonicWall.

    Custom and default user objects and groups: You can either use the default user objects, like Everyone or Trusted Users, or create a local user.

    Application layer

    Use Category Settings: Selecting this option inherits the settings configured in the parent Category.

    All: This applies to all users behind the SonicWall.

    Custom and default user objects and groups: You can either use the default user objects, like Everyone or Trusted Users, or create a local user.

    Signature layer

    Use App Settings: Selecting this option inherits the settings configured in the parent Application.

    All: This applies to all users behind the SonicWall.

    Custom and default user objects and groups: You can either use the default user objects, like Everyone or Trusted Users, or create a local user.



    App Control Logs

    When a category, application or signature is blocked, the corresponding log entries can be seen under the Investigate tab | Event Logs. To be able to see Application Control logs, make sure the following are true:

    1. The log category Application Control is checked for logging under the Manage tab, on the Log Settings | Base Settings page | Categories.
    2. When configuring a category, application or signature, make sure the option Log is set to Enable.
