Using Application Control feature to Block / Allow different IM applications for different use
03/26/2020 
110 
30850
DESCRIPTION:
This is a scenario based article of the SonicWall App Control Advanced feature. In this scenario we describe how to block the App Control Advanced Category - IM for all users except one user group and to allow Yahoo! Messenger, Skype, Trillian and Windows Live Messenger for selected users.
The following application needs to be blocked / allowed for the following users:
| Application | Blocked | Allowed |
| IM (Category) | All | Managers |
| Yahoo Messenger | All | Accounts (and Managers) |
| Skype | All | Marketing (and Managers) |
| Trillian | All | Accounts (and Managers) |
| Windows Live Messenger | None | All |
Managers would be allowed all IM applications. All IM applications other than the above would be blocked for the rest.
RESOLUTION:
Create User Groups
- Login to the SonicWall management interface.
- Navigate to Manage at the top of the page.
- Navigate to the Users | Local users & Groups page.
- Select the Local Groups tab.
- Create the following user groups.
- Managers
- Accounts
- Marketing
Configure Authentication
- In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Policies | Rules | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.
Configure App Control Advanced - IM Category
- Navigate to Policies | Rules | Advanced Application Control page.
- Check the box under Enable App Control and click on Accept at the top of the page.
- Under View Stye: Category, select IM .
- Click configure button to bring up the Edit App Control Category window.
- Select Enable under Block.
- Select Enable under Log.
- Select All under Included Users/Groups.
- Select the user group Managers under Excluded Users/Groups.
- Click OK .
- With this, all users or groups would be blocked from IM applications except the user group Managers. Now we configure individual applications to allow specific user groups.
Configure Application - Yahoo! Messenger
- On the same page, with View Stye: Category selected as IM, select Yahoo! Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicity enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Skype
- Select Skype under application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Marketing.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Marketing, which in turn would implicity enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Trillian
- Select Trillian under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicity enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Windows Live Messenger
- Select Windows Live Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select All.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK.This configuration would disable blocking for all users.
Summary
By configuring the above we accomplish the following
- User Group Managers : All IM applications.
- User Group Accounts: Yahoo! Messenger & Trillian.
- User Group Marketing: Skype.
- Windows Live Messenger can be accessed by all users.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Create User Groups
- Login to the SonicWall management interface.
- Navigate to the Users | Local Groups page.
- Create the following user groups
- Managers
- Accounts
- Marketing
Configure Authentication
- In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Firewall | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.
Configure App Control Advanced - IM Category
- Navigate to Firewall | App Control Advanced page. (In Gen5 TZ devices this page would be under Security Services | App Control Advanced).
- Check the box under Enable App Control and click Accept at the top of the page.
- Under View Stye: Category, select IM .
- Click configure button to bring up the Edit App Control Category window.
- Select Enable under Block.
- Select Enable under Log.
- Select All under Included Users/Groups.
- Select the user group Managers under Excluded Users/Groups.
- Click OK.
- With this, all users or groups would be blocked from IM applications except the user group Managers. Now we configure individual applications to allow specific user groups.
Configure Application - Yahoo! Messenger
- On the same page, with View Stye: Category selected as IM, select Yahoo! Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers)
- Click OK.. This configuration would disable blocking for the group Accounts, which in turn would implicity enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Skype
- Select Skype under application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Marketing.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK .This configuration would disable blocking for the group Marketing, which in turn would implicity enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Trillian
- Select Trillian under Application.
- Click on the configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select the group Accounts.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK .This configuration would disable blocking for the group Accounts, which in turn would implicity enable blocking all other user group except Managers, who were excluded from all IM applications blocking in the parent category (IM).
Configure Application - Windows Live Messenger
- Select Windows Live Messenger under Application.
- Click configure button to open the Edit Control App window.
- Select Disable under Block.
- Leave the Log field to inherit what was selected under the parent category IM (Enabled).
- Under Included Users/Groups, select All.
- Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
- Click OK .This configuration would disable blocking for all users.
Summary
By configuring the above we accomplish the following
- User Group Managers : All IM applications.
- User Group Accounts: Yahoo! Messenger & Trillian.
- User Group Marketing: Skype.
- Windows Live Messenger can be accessed by all users.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
