- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Using Application Control feature to Block / Allow different IM applications for different use
10/14/2021 
152 People found this article helpful
65,036 Views
Description
This is a scenario based article of the SonicWall App Control Advanced feature. In this scenario we describe how to block the App Control Advanced Category - IM for all users except one user group and to allow Yahoo! Messenger, Skye, Trillian and Windows Live Messenger for selected users.
The following application needs to be blocked / allowed for the following users:
| Application | Blocked | Allowed |
| IM (Category) | All | Managers |
| Yahoo Messenger/Apple I chat | All | Accounts (and Managers) |
| Skye | All | Marketing (and Managers) |
| Trillian | All | Accounts (and Managers) |
| Windows Live Messenger | None | All |
Managers would be allowed all IM applications. All IM applications other than the above would be blocked for the rest.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Create User Groups
- Navigate to Device | Users | Local Users & Groups.
- Click Local Groups tab.
- Create the following user groups.
- Managers
- Accounts
- Marketing
Configure Authentication
- In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Policy | Rules and Policies | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.
Configure App Control Advanced - IM Category
- Navigate to Policy | Security Services | App Control.
- Toggle the option Enable App Control.
- Click on Signatures tab.
- Under viewed by drop down select category.
- Under category drop down select IM.
- Click configure button to bring up the Edit App Control Category window.
- Select Enable under Block.
- Select Enable under Log.
- Select All under Included Users/Groups.
- Select the user group Managers under Excluded Users/Groups.
- Click OK.
Configure Application - Yahoo! Messenger/Apple iChat
- On the same page, with View Style: Category selected as IM, select Yahoo! Messenger/Apple ichat under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Skype
- Select Skype under application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Marketing.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Marketing, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Trillian
- Select Trillian under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Windows Live Messenger
- Select Windows Live Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select All.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK.This configuration would disable blocking for all users.
Summary
By configuring the above we accomplish the following
- User Group Managers : All IM applications.
- User Group Accounts: Yahoo! Messenger/Apple iChat & Trillian.
- User Group Marketing: Skype.
- Windows Live Messenger can be accessed by all users.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Create User Groups
- Login to the SonicWall management interface.
- Navigate to Manage at the top of the page.
- Navigate to the Users | Local users & Groups page.
- Select the Local Groups tab.
- Create the following user groups.
- Managers
- Accounts
- Marketing
Configure Authentication
- In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Policies | Rules | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.
Configure App Control Advanced - IM Category
- Navigate to Policies | Rules | Advanced Application Control page.
- Check the box under Enable App Control and click on Accept at the top of the page.
- Under View Style: Category, select IM .
- Click configure button to bring up the Edit App Control Category window.
- Select Enable under Block.
- Select Enable under Log.
- Select All under Included Users/Groups.
- Select the user group Managers under Excluded Users/Groups.
- Click OK .
- With this, all users or groups would be blocked from IM applications except the user group Managers. Now we configure individual applications to allow specific user groups.
Configure Application - Yahoo! Messenger
- On the same page, with View Style: Category selected as IM, select Yahoo! Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Skype
- Select Skype under application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Marketing.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Marketing, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Trillian
- Select Trillian under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Windows Live Messenger
- Select Windows Live Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select All.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK.This configuration would disable blocking for all users.
Summary
By configuring the above we accomplish the following
- User Group Managers : All IM applications.
- User Group Accounts: Yahoo! Messenger & Trillian.
- User Group Marketing: Skype.
- Windows Live Messenger can be accessed by all users.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Create User Groups
- Login to the SonicWall management interface.
- Navigate to the Users | Local Groups page.
- Create the following user groups
- Managers
- Accounts
- Marketing
Configure Authentication
- In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Firewall | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.
Configure App Control Advanced - IM Category
- Navigate to Firewall | App Control Advanced page. (In Gen5 TZ devices this page would be under Security Services | App Control Advanced).
- Check the box under Enable App Control and click Accept at the top of the page.
- Under View Style: Category, select IM .
- Click configure button to bring up the Edit App Control Category window.
- Select Enable under Block.
- Select Enable under Log.
- Select All under Included Users/Groups.
- Select the user group Managers under Excluded Users/Groups.
- Click OK.
- With this, all users or groups would be blocked from IM applications except the user group Managers. Now we configure individual applications to allow specific user groups.
Configure Application - Yahoo! Messenger
- On the same page, with View Style: Category selected as IM, select Yahoo! Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK.. This configuration would disable blocking for the group Accounts, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Skype
- Select Skype under application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Marketing.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK .This configuration would disable blocking for the group Marketing, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Trillian
- Select Trillian under Application.
- Click on the configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicit enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Windows Live Messenger
- Select Windows Live Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select All.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK .This configuration would disable blocking for all users.
Summary
By configuring the above we accomplish the following
- User Group Managers : All IM applications.
- User Group Accounts: Yahoo! Messenger & Trillian.
- User Group Marketing: Skype.
- Windows Live Messenger can be accessed by all users.
Related Articles
- All associated wildcard FQDN IP addresses do not display in the web browser
- How to Re-Install The Junk Store
- SonicWall NSv Series FAQ
Categories
- Firewalls > TZ Series > Application Firewall
- Firewalls > SonicWall SuperMassive 9000 Series > Application Firewall
- Firewalls > NSa Series > Application Firewall
- Firewalls > NSv Series > Application Firewall
YES
NO