How to allow applications on SonicOSX 7.0?
08/31/2020
SonicWall ships a rich set of application signatures. Each signature is assigned to a category (P2P, social networking, remote access and so on) and a risk level. These signatures can be used to allow only the applications the organization has approved and leave everything else blocked.
SonicWall applies an implicit deny rule that blocks all traffic not explicitly allowed. To permit a specific application such as TeamViewer, a security rule must be added that allows it. A security rule consists of three sections: the match criteria, the action, and the action profile. This KB gives the configuration steps.
NOTE: When creating a positive application match rule, make sure to allow all related application signatures, otherwise the application will only partly work. The practical way to find them is to temporarily create an ANY ANY ANY allow rule from the LAN zone to the WAN zone, observe which application signatures the traffic hits, and then restrict the rule to those signatures.
We would need to create the following two security policies to allow a given application.
Before a connection can be made, the end machine needs to resolve the hostnames the application connects to. Because of the implicit deny rule, DNS traffic must be allowed explicitly as well; a rule that allows only the application signature is not enough on its own.
To create the DNS related Security Policy:
- Navigate to Policy | Rules and Policies | Security policy tab and click on Top at the bottom of the screen. This adds the new Policy at the top of the list. You might need to adjust its priority based on other rules you have.
- Enter a descriptive name. In the Source/Destination tab you can set source/destination zones, addresses, services, and also user and geo-location criteria. Select the destination Port/Services as 'DNS(Name Service)'.
- Under App/URL/Custom Match tab leave everything on defaults.
- Select the Default Profile as the Security rule action. Make sure that the Action is set to Allow and the policy is in enable state. Click Add.
NOTE: This policy can also be created using the DNS protocol application signature instead of the service object; the service object is used in this example because it matches on port 53 before DPI has identified the application.
To create the allow Application related Security Policy:
TIP: Some application signatures require DPI-SSL, because the application cannot be identified inside an encrypted session without decrypting it. Refer to the KB: How to create a Decryption Policy on SonicOSX 7.0? for details on the decryption rule configuration. To check whether a signature has this dependency, navigate to Objects | Match Objects | Applications; signatures that depend on DPI-SSL Client Inspection are marked [Reqs DPI SSL CI].
EXAMPLE: Let us consider that we are trying to allow the Remote Access application Teamviewer.
- Navigate to Policy | Rules and Policies | Security policy tab and click on Bottom at the bottom of the screen. This adds the new Policy at the bottom of the list. You might need to adjust its priority based on other rules you have.
- Enter a descriptive name. In the Source/Destination tab you can set source/destination zones, addresses, services, and also user and geo-location criteria.
- Under App/URL/Custom Match, set the 'Match Operation' radio button to OR. Then click the pencil icon to add a new Application Match Group.
Select the applications to allow and move them to the right-hand list using the right arrow. Click Save.
Leave the other fields on this tab at Any.
Under the Security rule action dropdown, select the action profile. The Default profile allows everything that the rule matches.
- On the Security Policy, make sure that the Action is set to Allow and the policy is enabled. Click Add.
- Without the above security rules, a machine that already has TeamViewer installed runs into errors when it tries to establish a session. If TeamViewer is not installed, the connection to teamviewer.com needed to download it is blocked.
- After the security rules are added, the TeamViewer session prompts for the partner password and connects normally.
TIP: Applications that are also websites (youtube.com, facebook.com etc.) may load incompletely or intermittently, because they pull content from several intermediate CDN servers and image hosts that are identified by signatures other than the ones in your match group. In that case, temporarily create an Any, Any, Any allow rule at the bottom of the security policy list and use it to find the missing signatures: any traffic that reaches this rule instead of your application rule is traffic your match group does not yet cover. Use the packet monitor tool to see which signatures the traffic hits alongside the ones already allowed, add them to the Application Match Group, and then remove the temporary rule. Refer to the KB: How Can I Setup And Utilize The Packet Monitor Feature For Troubleshooting? for details on the packet monitor tool.
- In SonicOSX 7.0 the packet monitor has an App column that shows the App ID; hovering over it shows the name of the actual application signature.
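The following is an added example, not SonicWall code and not part of this KB: a small model of the policy evaluation the steps above rely on. It shows why a DNS rule is needed in addition to the application rule (implicit deny, first-match, top-to-bottom order), how the OR match operation behaves on the App/URL tab, and how the temporary Any/Any/Any allow rule from the TIP reveals which signatures an Application Match Group is still missing. Every zone, service and application name in it is a constructed placeholder, and the match logic is a simplified assumption (OR means any listed criterion matches, AND means every listed criterion matches); a Flow carries the application the DPI engine is assumed to have identified.

```python
"""Model of an ordered, first-match security policy list with an implicit deny.

Added example for illustration; not SonicWall code. All names are constructed
placeholders and the App/URL match model is a simplified assumption.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str                 # port/service object, e.g. "DNS", "HTTPS"
    app: Optional[str]           # application signature identified by DPI, or None
    url_category: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src_zone: str = ANY
    dst_zone: str = ANY
    service: str = ANY
    apps: frozenset = frozenset()             # Application Match Group; empty = Any
    url_categories: frozenset = frozenset()   # empty = Any
    match_operation: str = "OR"               # how the App/URL criteria combine (assumption)
    enabled: bool = True

    def matches(self, flow: Flow) -> bool:
        # Source/Destination tab: every field must match; Any is a wildcard.
        for want, have in ((self.src_zone, flow.src_zone),
                           (self.dst_zone, flow.dst_zone),
                           (self.service, flow.service)):
            if want != ANY and want != have:
                return False
        # App/URL/Custom Match tab: criteria left on Any impose nothing.
        checks = []
        if self.apps:
            checks.append(flow.app in self.apps)
        if self.url_categories:
            checks.append(flow.url_category in self.url_categories)
        if not checks:
            return True
        return any(checks) if self.match_operation == "OR" else all(checks)


def evaluate(rules, flow):
    """First enabled rule (top to bottom) that matches wins.
    No match at all is the implicit deny: ("deny", None)."""
    for rule in rules:
        if rule.enabled and rule.matches(flow):
            return rule.action, rule.name
    return "deny", None


def discover_missing_apps(rules, flows):
    """Append a temporary Any/Any/Any allow at the bottom and report the
    identified applications that only got through because of it, i.e. the
    signatures the real rules do not yet cover."""
    discovery = Rule(name="TEMP discovery allow", action="allow")
    missing = set()
    for flow in flows:
        _, hit = evaluate(list(rules) + [discovery], flow)
        if hit == discovery.name and flow.app is not None:
            missing.add(flow.app)
    return missing


# Constructed rule list, top to bottom, mirroring the two policies in this KB.
DNS_RULE = Rule(name="Allow DNS", action="allow",
                src_zone="LAN", dst_zone="WAN", service="DNS")
APP_RULE = Rule(name="Allow approved apps", action="allow",
                src_zone="LAN", dst_zone="WAN",
                apps=frozenset({"teamviewer", "teamviewer-download", "youtube"}))
POLICY = [DNS_RULE, APP_RULE]

# Constructed flows from a LAN host (placeholder signature names).
DNS_LOOKUP = Flow("LAN", "WAN", "DNS", "dns")
TV_SESSION = Flow("LAN", "WAN", "HTTPS", "teamviewer")
TV_DOWNLOAD = Flow("LAN", "WAN", "HTTPS", "teamviewer-download")
YT_PAGE = Flow("LAN", "WAN", "HTTPS", "youtube")
YT_CDN = Flow("LAN", "WAN", "HTTPS", "video-cdn")   # related signature not in the group

if __name__ == "__main__":
    for flow in (DNS_LOOKUP, TV_SESSION, TV_DOWNLOAD, YT_PAGE, YT_CDN):
        print(flow.app, "->", evaluate(POLICY, flow))
    print("DNS lookup without the DNS rule:", evaluate([APP_RULE], DNS_LOOKUP))
    print("signatures the group is missing:",
          discover_missing_apps(POLICY, [YT_PAGE, YT_CDN, TV_SESSION]))
```

Running it shows the DNS lookup falling to the implicit deny when only the application rule exists, the YouTube page allowed while its CDN flow is denied, and `discover_missing_apps` naming exactly the signature to add to the match group. Rule order matters in the same way as in the GUI: a rule added at Top is evaluated before everything below it, so a broad deny placed above the application rule wins regardless of the group's contents.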