To prepare for creating an App Rules policy, see Prerequisites to Configuring App Rules Policies.
1. Navigate to Firewall > App Rules.
2. Below the App Rules Policies table, click Add New Policy. The App Control Policies Settings dialog displays.
3. Enter a descriptive name into the Policy Name field.
4. Select a Policy Type from the drop-down menu. Your selection here will affect available options in the window. For information about available policy types, see App Rules Policy Creation.
5. Select a source and destination Address Group or Address Object from the Address drop-down menus. Only a single Address field is available for IPS Content, App Control Content, or CFS policy types.
6. Select the source or destination service from the Service drop-down menus. Some policy types do not provide a choice of service.
7. For Exclusion Address, optionally select an Address Group or Address Object from the drop-down menu. This address will not be affected by the policy.
8. For Match Object, select a match object from the drop-down menu. The list contains the defined match objects that are applicable to the policy type. When the policy type is HTTP Client, you can optionally select an Excluded Match Object.

   The excluded match object provides the ability to differentiate subdomains in the policy. For example, if you wanted to allow news.yahoo.com but block all other yahoo.com sites, you would create match objects for both yahoo.com and news.yahoo.com. You would then create a policy with Match Object yahoo.com and Excluded Match Object news.yahoo.com.
9. For Action, select an action from the drop-down menu. The list contains actions that are applicable to the policy type, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
10. For Users/Groups, select from the drop-down menus for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
11. If the policy type is SMTP Client, select from the drop-down menu for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
12. For Schedule, select from the drop-down menu. The menu provides a variety of schedules for the policy to be in effect.
13. If you want the policy to create a log entry when a match is found, select the Enable Logging check box.
14. To record more details in the log, select the Log individual object content check box.
15. If the policy type is IPS Content, select the Log using IPS message format check box to display the category in the log entry as “Intrusion Prevention” rather than “Application Control”, and to use a prefix such as “IPS Detection Alert” in the log message rather than “Application Control Alert.” This is useful if you want to use log filters to search for IPS alerts.
16. If the policy type is App Control Content, select the Log using App Control message format check box to display the category in the log entry as “Application Control”, and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
17. If the policy type is CFS, select the Log using CFS message format check box to display the category in the log entry as “Network Access”, and to use a log message such as “Web site access denied” rather than a message with no prefix. This is useful if you want to use log filters to search for content filtering alerts.
18. For Log Redundancy Filter, you can either select Global Settings to use the global value set on the Firewall > App Rules page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
19. For Connection Side, select from the drop-down list. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
20.
   • Basic allows you to select incoming, outgoing, or both.
   • Advanced allows you to select between zones, such as LAN to WAN.
21. If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone drop-down menu. The policy is applied to this zone.
22. If the policy type is CFS, select an entry from the CFS Allow List drop-down menu. The menu contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will not be affected by the policy.
23. If the policy type is CFS, select an entry from the CFS Forbidden List drop-down menu. The menu contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will be denied access to matching content, instead of having the defined action applied.
24. If the policy type is CFS, select the Enable Safe Search Enforcement check box to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.
25. If the policy type is CFS, select Enable YouTube for Schools and enter your School ID to enable the YouTube for Schools feature. For more information, see YouTube for Schools and SonicWall Content Filtering Service.
26. Click OK.
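
The exclusion and logging settings from the Exclusion Address, Match Object, Users/Groups and Log Redundancy Filter steps interact, so it helps to reason about them before saving a policy. The following is an added example, not SonicWall code: a simplified Python model of how those exclusions narrow a policy and how a per-policy redundancy value overrides the global one. Assumptions: match objects are treated as domain-suffix matches, and the class, field names, `block` action label, 10-second global value, addresses and user names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GLOBAL_LOG_REDUNDANCY = 10  # seconds; constructed stand-in for the global value

def host_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

@dataclass
class Policy:
    match_object: str                            # e.g. "yahoo.com"
    action: str                                  # placeholder action label
    excluded_match_object: Optional[str] = None  # e.g. "news.yahoo.com"
    exclusion_address: Optional[str] = None      # CIDR not affected by the policy
    excluded_users: frozenset = frozenset()      # users not affected by the policy
    log_redundancy: Optional[int] = None         # None models "Global Settings"
    last_log: Optional[float] = None             # time of the last log entry

    def applies_to(self, host: str, src_ip: str, user: str) -> bool:
        # Every exclusion removes traffic from the policy's scope.
        if not host_matches(host, self.match_object):
            return False
        if self.excluded_match_object and host_matches(host, self.excluded_match_object):
            return False
        if self.exclusion_address and ip_address(src_ip) in ip_network(self.exclusion_address):
            return False
        return user not in self.excluded_users

    def evaluate(self, host: str, src_ip: str, user: str, now: float):
        """Return (action, logged); action is None when the policy does not apply."""
        if not self.applies_to(host, src_ip, user):
            return None, False
        interval = (GLOBAL_LOG_REDUNDANCY if self.log_redundancy is None
                    else self.log_redundancy)
        logged = self.last_log is None or now - self.last_log >= interval
        if logged:
            self.last_log = now
        return self.action, logged

# Constructed policy for the yahoo.com / news.yahoo.com case described in step 8.
policy = Policy("yahoo.com", "block", excluded_match_object="news.yahoo.com",
                exclusion_address="10.0.5.0/24",
                excluded_users=frozenset({"it-admin"}), log_redundancy=30)
```

Running a planned policy through a model like this surfaces scope gaps, such as an exclusion address that is wider than intended, before the policy is enforced.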