Main Menu
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
SonicWall
  • Products
      All Products A–Z
      Free Trials
    • Network Security
      • Next-Generation Firewall (NGFW)
      • Network Security Services
      • Network Security Management
      • Secure SD-WAN
    • Threat Protection
      • Advanced Threat Protection Cloud
      • Advanced Threat Protection Appliance
      • Capture Labs
    • Secure Access Service Edge (SASE)
      • Zero-Trust Network Access (ZTNA)
    • Cloud Security
      • Cloud Firewall
      • Cloud App Security
    • Endpoint Security
      • Endpoint Detection & Response (EDR)
    • Email Security
      • Cloud Email Security
      • Hosted Email Security
      • On-Prem Email Security
    • Secure Access
      • Wireless Access Points
      • Network Switch
      • Virtual Private Network (VPN)
    • Wi-Fi 6 Access Points

      SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.

      Read More
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Network Segmentation
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure Wi-Fi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Events
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • English English English en
  • BLOG
  • CONTACT SALES
  • FREE TRIALS
  • English English English en
SonicWall
  • Products
      All Products A–Z
      Free Trials
    • Network Security
      • Next-Generation Firewall (NGFW)
      • Network Security Services
      • Network Security Management
      • Secure SD-WAN
    • Threat Protection
      • Advanced Threat Protection Cloud
      • Advanced Threat Protection Appliance
      • Capture Labs
    • Secure Access Service Edge (SASE)
      • Zero-Trust Network Access (ZTNA)
    • Cloud Security
      • Cloud Firewall
      • Cloud App Security
    • Endpoint Security
      • Endpoint Detection & Response (EDR)
    • Email Security
      • Cloud Email Security
      • Hosted Email Security
      • On-Prem Email Security
    • Secure Access
      • Wireless Access Points
      • Network Switch
      • Virtual Private Network (VPN)
    • Wi-Fi 6 Access Points

      SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.

      Read More
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Network Segmentation
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure Wi-Fi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Events
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • Menu

Using SonicOS 5.8 and App Rules for Granular Control of Access to Facebook

03/26/2020 5 People found this article helpful 196,179 Views

    Download
    Print
    Share
    • LinkedIn
    • Twitter
    • Facebook
    • Email
    • Copy URL The link has been copied to clipboard

    Description

    Using App Rules for Granular Control of Access to Facebook

    Resolution

     

    App Rules for Granular Control of Access to Facebook

    This technote covers all of the configuration activities and concepts needed to accomplish this, including:

    • Licensing Information
    • Enabling of the Global Service and Zone Settings
    • How Application Visualization uses the Signatures
    • Creation of Match Objects using Categories, Applications, and Signatures
    • Creation of App Rules, which use Match Objects, Action Objects and optionally, Schedule Objects
    • Creation of Schedule Objects
    • Logging of Application Control events
    • Miscellaneous Notes
    • A complete list of Facebook Signatures in SonicOS

    Licensing Information

    The Comprehensive Gateway Security Suite (CGSS) is the bundled service that you need for Application Control.  You also receive the Content Filtering Service, Gateway Anti-Virus, Intrusion Prevention Service and Anti-Spyware services with this bundle.  With this combination of features, you can protect against malware and instrusions at the gateway level, even as you are able to control and visualize signatures, applications and signatures.
     
    Once the proper licensing is in place, there are three settings which must be enabled globally:

    1)    App Control must be enforced on the zones (on the Network | Zones screen; by default it is already on for LAN and WAN zones).  This is done by editing each zone’s properties using the Configure buttons on the right.

    Image

    Image


    Enabling of the Global Service and Zone Settings

    2)    The App Rules feature must be enabled (on the Firewall | App Rules screen).  On this page, there is no Accept button, so you must hit the Enter key on your keyboard to submit this change.

    3)    The App Control feature must be enabled (on the Firewall | App Control Advanced screen). 

    Image

    Image


    How Application Visualization uses the Signatures

    The signatures used in Application Intelligence are organized in a hierarchical manner which allows granular control:  Category | Application | Signature. The hierarchy is easy to see on the Firewall | App Control Advanced screen.  Each Signature has an ID number and is a member of an Application.  Each Application is a member of a Category.  The signature ID numbers are  used in both Applicaton Control and Application Visualization.  Below is a screenshot of the Dashboard – Real-Time Monitor screen from the same firewall we will use for the Facebook example.  The data in the top Applicatons pane is shown with traffic type legends if you choose those options.  Below are two screenshots which show you how to do this.

    Image

    Image

    The legends used in the Dashboard (part of the Application Visualization features) include the type of traffic and in most cases, a signature ID.  For example, MS Terminal Services (signature #436), Gmail (signature #3440) and YouTube (signature #5728) are visible below in the Dashboard | Real-Time Monitor screen.  The display also includes general types of traffic which have no signature (General DNS and General HTTP are commonly seen).

    Image 


    Creation of Match Objects using Categories, Applications, and Signatures

    Now we will look at Facebook signatures.  A complete list of them is at the end of this article.  On the Firewall | App Control Advanced screen, scroll down to the middle, and locate the View Style: Category: menu.  Select SOCIAL-NETWORKING.  The screen will then change automatically, and the applications listed will be limited to the ones in this category.

    Image


    Next, the second part of the View Style settings, to the right of the selected category is an Application menu; select Facebook in it.  The screen will change again.  Finally, go further to the right and select Viewed By:  Signature.  The screen again changes to reflect your choices:  Category SOCIAL-NETWORKING; Application Facebook; View By Signature.

    Image

    Image

    These three steps allow you to filter the thousands of signatures to find the ones we need for this task.  This filtered view of the Facebook signatures in SonicOS can be sorted by clicking on the column headings (Signature ID, Name, etc.). 

    You will notice that the signatures have configurations possible for blocking and logging.  By default, all signatures have logging enabled.  We we will not be using the block actions on the signature level in this example.  The granular control we wish to enforce requires us to deploy these signatures inside Application List objects and App Rules.

    Image
     

    Match Objects are used for App Rules of all kinds.  There are basic kinds, for customized rules which apply to certain protocols like email and FTP, and there are others which are used in Content Filtering (CFS).  On the Firewall | Match Objects screen, there is a feature which allows administrators to combine App Control Signatures so that they can be applied in policies. 

    These are called Application List Objects and the button for creating them is below.  Once we create a few of them, you will see that there are actually three types of objects:  Application Lists, Application Signature Lists and Application Category Lists.  We use all three types in this example.

    Image

    The user interface for creating Application List Objects is very flexible.  First we will use the interface that allows us to choose individual applications and signatures.  Notice the (turquoise-highlighted) area where you can choose Application or Category.  Application is chosen and is thus in bold. The default state for this screen has all of the categories for Application Control enabled (see yellow highlight). 

    Notice that the checkboxes for Category, Threat Level and Technology inside the dark blue bar are global controls which can be used to toggle all of the choices below, checking or unchecking all of them.  In our Facebook example, we will begin by unchecking the global Category checkbox.

    Image

    Below are screenshots of unchecking the global Category checkbox and then selecting SOCIAL-NETWORKING.  The screen is dynamic, and instead of having a list of applications for all categories like above, only the applications listed under SOCIAL-NETWORKING are visible in the below screenshot.  I’ve scrolled down to where the Facebook Applications are listed.

    Image

    Image

    Each Application has two control elements in the user interface:  a) an Add button (plus sign) and b) an Expand Category arrow.

    Image

    When you click the add button, it changes to a green checkmark, and the whole application (and its member signatures) is added to the Application List Object being created (see the yellow highlighted area on the right side, where Facebook is under the heading labeled “Application Group”).

    Image

    When you click the arrow for an application, the arrow turns down and the signatures inside the application are listed with checkboxes, so that you can select multiple items to group together for your granular control needs.

    Image

    In our example, we will be using both of these techniques.  First, we will need a Facebook Application List so that we can easily block or allow all Facebook access at certain times of the day.  Below is a screenshot showing that by default, there is a checkbox enabled:  Auto-generate match object name.  It generates rather long names which contain long strings of numerals.
    Image 

    I wanted a simpler name for my general Facebook match object, so I unchecked that and named it “SOCIAL-NETWORKING - Facebook”

    Image

    Once saved, the new Application List object appears in the list:

    Image

    Next, we go back and create another Application List object using the Category part of the User Interface.  This one is more general – two whole categories - it includes all Social Networking and Gaming applications and signatures.  This is a sledgehammer which can be used against hundreds of user activities which get in the way of worker productivity.

    Image

    Next we create an Application List object containing the Facebook signatures needed for read-only access. There are three signatures which control logins to Facebook on HTTPS (named Facebook SSL Login – Facebook SSL Login 3).  There are four signatures named Facebook -- Browsing Activity 1 – Facebook -- Browsing Activity 4 which control the display of regular news feed pages for a Facebook user. 

    The Application List object shown below – named “Facebook SSL Logins + Browsing Activity 1-4 Siglist” – contains only those seven signatures.  This object doesn’t include 40 other Facebook signatures, so any it  doesn’t include common Facebook activities like status updates, uploading photos or videos, posting comments or likes, or sending messages.

    Image

    Now we have three Application List Objects, with which we can create an example of granular control.

    a) SOCIAL-NETWORKING - Facebook Application List
    b) SOCIAL-NETWORKING + GAMING Category List
    c)
    Facebook SSL Logins + Browsing Activity 1-4 Siglist

    Image

    Image 


    Creation of App Rules, which use Match Objects, Action Objects and optionally, Schedule Objects

    With these match objects ready, we now turn to the Firewall | App Rules screen, where we will create app rules that control Facebook access, as well as activities on all Social Networking and Gaming sites.  Our deployment scenario is a company which wants to block any kind of Social Networking and Gaming during business hours.  This will be the first policy we create.  Click on the Add New Policy button on the Firewall | App Rules screen.  In the edit window that appears, you must specify a Policy Name, Policy Type, Match Object and Action Object.  All other parameters are optional.  For this one, we choose the App Control Content type, the Social Networking and Gaming category list as the match object and the Reset/Drop as the action.  Finally, we choose the Work Hours for schedule.

    Image

    Image

    Image

    Image

    The finished rule looks like this:

    Image


    Creation of Schedule Objects

    Now we go to the System | Schedules screen to inspect the definition for the Work Hours schedule object we used above.  It’s defined as Monday through Friday from 0800 to 1700 hours.  On this screen, I create a custom schedule object named Friday 5:00 – 6:30 PM.  Note:  you must click the add button to add your selection of days and hours into the schedule object.  You can have more than one set of days / hours in your object.

    Image

    Image

    Thus, with this on App Rule in place, Facebook (and all other SOCIAL-NETWORKING and GAMING sites) will be unreachble between 8:00 AM and 5:00 PM on weekdays.  The screenshot below shows what that looks like on a computer which sits behind the firewall.  The Reset/Drop action on the rule doesn’t give any clue to the users why their access failed.  There are other features available on SonicOS (the Content Filtering Service) which serve up block messages when users attempt to go to prohibited sites, but the App Rules behave differently.

    Image


    I have also created an App Rule which blocks all Facebook signatures during all non-Work Hours periods, which is a pre-defined schedule object called After Hours.  This general blockage will have exceptions in other more granular app rules which use different schedules and different action objects.

    Image

    Next, we create an App Rule which allows login and read-only access to Facebook during the hours 5:00 – 6:30 PM on Friday. We will use the match object named Facebook SSL Logins + Browsing Activity 1-4 Siglist  and the action we will apply to the rule is BWM – Low.  This means that we are enforcing a low throughput level to the traffic in the Bandwidth Management features of the firewall.  Other traffic will receive higher priority than this traffic to Facebook.  The app rule is named FB Readonly BWM Low - Fri 5:00-6:30 PM and is shown below.

    Image

    This more specific policy applies only to a 90-minute time window on one day a week, and thus it is seen as an exception to the more general rule which blocks all Facebook activities during the After Hours time schedule.  Below are two screenshots showing a user who is accessing https://www.facebook.com and successfully logging in and seeing a news feed.

    Image

    Image

    While reading Facebook content after login is allowed during this Friday evening time period, no form of writing is allowed.  Below are screenshots of both Facebook comments and Facebook messages failing.  Status Updates also fail, but there is no error message so I didn’t provide a screenshot for it.  The good news is that there is a specific log message proving it works.&

    Related Articles

    • Bandwidth usage and tracking in SonicWall
    • How to force an update of the Security Services Signatures from the Firewall GUI
    • Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

    Categories

    • Firewalls > TZ Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall NSA Series

    Not Finding Your Answers?

    ASK THE COMMUNITY

    Was This Article Helpful?

    YESNO

    Article Helpful Form

    Article Not Helpful Form

    Company
    • Careers
    • News
    • Leadership
    • Awards
    • Press Kit
    • Contact Us
    Popular resources
    • Communities
    • Blog
    • SonicWall Capture Labs

    Stay In Touch

    • By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time from the Preference Center.
    • This field is for validation purposes and should be left unchanged.
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
    • Instagram

    © 2023 SonicWall. All Rights Reserved.

    • Legal
    • Privacy
    • English
    Scroll to top