How to configure Policy-based Application Control
03/26/2020
The application signature databases that were previously included with SonicWall Intrusion Prevention Service (IPS) are now part of the Application Control feature. These signature databases are used to protect users from application vulnerabilities as well as worms, Trojans, peer-to-peer transfers, spyware and backdoor exploits. The extensible signature language used in SonicWall’s Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities.
When configured within the Application Firewall environment, the administrator has far more granular control over the configuration and actions than could previously be applied to IPS signatures.
- Log in to the SonicWall Management GUI.
- Navigate to Firewall | Match Objects
- Click on Add New Match Object
- Create the following objects.
Application Control policies are configured by creating Application Control List match objects. The following types of Application Control lists are available under Firewall | Match Objects:
Application Category List: This is the top-most layer in Application Control configuration. Multiple Application Categories can be selected from the drop-down list.
Application List: In this layer, multiple applications belonging to multiple categories can be selected. In the following example, Jabber (Gmail), Yahoo and AIM belong to the Application Category IM; YouTube and Facebook (Video) belong to the Application Category Social Network; Facebook belongs to the Application Category Social Networking.
Application Signature List: This is the most granular layer of configuring Application Control. Here multiple signatures from multiple applications and categories can be selected. In the following example, signatures belonging to DOWNLOAD-APPS, P2P and WEBMAIL are selected.
After creating the match objects for Application Control, we create the App Rules Policies under Firewall | App Rules.
- Navigate to Firewall | App Rules
- Check the box under Enable App Rules.
- Click on Add New Policy to create similar policies as below.
In the following policy, the match object created earlier - Blocked App Categories - has been assigned the action Reset/Drop. All P2P, Proxy-Access and Gaming applications would be dropped.
This policy has been assigned the match object containing Gmail, Yahoo, YouTube etc. The action object is a Per Policy Bandwidth Management object created under Firewall | Action Objects. Traffic matching the object - refer to the Blocked Apps screenshot above - will be throttled.
This is an example of a policy assigned a match object containing Application Signatures. Traffic matching the signatures - like the embedded chat in gmail.com - would be dropped.
App Control policies can be made more specific by:
- Applying policies to specific internal IP addresses under the Addresses field
- Excluding internal IP addresses from a particular policy by adding them under the Exclusion Addresses field.
- Excluding or including users from a particular policy by adding user or user group objects under Included / Excluded Users/Groups. For this to work, user authentication needs to be enabled.
- Applying schedules to a policy by adding schedule objects under the Schedule field.
- Selecting a zone under the Zone field.
How to Test:
When hosts behind the SonicWall get blocked or when their action triggers a policy based on the App Control policies, SonicWall will log them in either of the following formats, depending on whether Log using App Control message format is checked or not:
Log message when Blocked Categories policy (Action: Reset/Drop P2P, Proxy Access & Gaming categories) is triggered.
Log message when BWM Apps policy (Action: Per-action BWM YouTube, Facebook, Gtalk (Jabber), AIM applications) is triggered.
Log message when Blocked App Signatures policy (Action: Reset/Drop webmail Chat in Gmail, Flashget signatures) is triggered.
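To check that the three policies above actually fire, the log lines can be tallied per policy and per internal host. The script below is an added example, not from this article or from SonicWall: the sample lines are constructed in SonicWall's key=value syslog layout, and the exact msg wording, the "Policy:" suffix and the Prevention/Detection distinction are assumptions, so adjust the regexes to the format your unit emits.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the article). Field layout follows
# SonicWall key=value syslog; msg wording and the "Policy:" suffix are assumed.
SAMPLE_LOGS = [
    'id=firewall sn=EXAMPLE000001 time="2020-03-26 10:01:05" fw=203.0.113.1 pri=1 '
    'msg="Application Control Prevention Alert: P2P BitTorrent, Policy: Blocked Categories" '
    'n=1 src=192.168.1.20:51234:X0 dst=198.51.100.7:6881:X1',
    'id=firewall sn=EXAMPLE000001 time="2020-03-26 10:02:11" fw=203.0.113.1 pri=5 '
    'msg="Application Control Detection Alert: VIDEO YouTube, Policy: BWM Apps" '
    'n=1 src=192.168.1.31:49822:X0 dst=198.51.100.9:443:X1',
    'id=firewall sn=EXAMPLE000001 time="2020-03-26 10:02:40" fw=203.0.113.1 pri=6 '
    'msg="Connection Opened" n=1 src=192.168.1.31:49900:X0 dst=198.51.100.10:80:X1',
    'id=firewall sn=EXAMPLE000001 time="2020-03-26 10:03:02" fw=203.0.113.1 pri=1 '
    'msg="Application Control Prevention Alert: P2P BitTorrent, Policy: Blocked Categories" '
    'n=1 src=192.168.1.45:51300:X0 dst=198.51.100.7:6881:X1',
    'id=firewall sn=EXAMPLE000001 time="2020-03-26 10:04:17" fw=203.0.113.1 pri=1 '
    'msg="Application Control Prevention Alert: WEBMAIL Gmail Chat, Policy: Blocked App Signatures" '
    'n=1 src=192.168.1.20:51400:X0 dst=198.51.100.11:443:X1',
]

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
POLICY_RE = re.compile(r"Policy:\s*(.+?)\s*$")


def parse_line(line):
    """Return the key=value fields of one syslog line with quotes stripped."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}


def summarize(lines):
    """Per App Control policy: hit count, internal source hosts, and action type."""
    hits = defaultdict(lambda: {"count": 0, "hosts": set(), "actions": set()})
    for line in lines:
        fields = parse_line(line)
        msg = fields.get("msg", "")
        if "Application Control" not in msg:
            continue  # ordinary connection log, not an App Control event
        m = POLICY_RE.search(msg)
        policy = m.group(1) if m else "(unknown policy)"
        src_ip = fields.get("src", "").split(":")[0]  # src=IP:port:interface
        action = "drop" if "Prevention" in msg else "detect/throttle"
        entry = hits[policy]
        entry["count"] += 1
        entry["hosts"].add(src_ip)
        entry["actions"].add(action)
    return dict(hits)


if __name__ == "__main__":
    for policy, entry in summarize(SAMPLE_LOGS).items():
        print(policy, entry["count"], sorted(entry["hosts"]), sorted(entry["actions"]))
```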