App Control Overview

App Control utilizes SonicOS Deep Packet Inspection to scan application layer network traffic as it passes through the gateway and locate content that matches configured applications. When a match is found, App Control does the configured action.

App Control allows you to set policy rules for application signatures. As a set of application-specific policies, App Control gives you granular control over network traffic on the level of users, email users, schedules, and IP-subnets. The primary functionality of this application-layer access control feature is to block, log, or manage bandwidth consumption of Web based applications, Web browsing, file transfer, email, and email attachments.

There are two ways to create App Control policies using SonicWALL GMS. You can configure App Control policies on the Firewall > App Rules page or on Firewall > App Control Advanced.

•

Firewall > App Rules – The App Rules page provides a way to create a targeted App Control policy using match objects, action objects, or email address objects. These objects allow you to be very specific about what to look for in the traffic and provide a number of ways to control it, including bandwidth management and custom actions. App Rules policies can define the type of applications to scan, the traffic direction, the content or keywords to match, the user or domain to match, and the action to complete. For ease of use, you can create App Rules policies for any of the categories, applications, or signatures that are also available on the Firewall > App Control Advanced page.

•

Firewall > App Control Advanced – The Advanced page provides a simple and direct way of configuring global App Control policies. An Firewall > App Control Advanced policy defines whether to block or log an application, which users, groups, or IP address ranges to include or exclude, and a schedule for enforcement. You can quickly enable blocking or logging for a whole category of applications, or can just as easily locate and do the same for an individual application or individual signature. After enabled, the category, application, or signature is blocked or logged globally without the need to create a policy on the App Rules page.

App Control is licensed together in a bundle with other security services, including SonicWALL Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS).

You must enable App Control before you can use it. Firewall > App Rules and Firewall > App Control Advanced are both enabled with global settings, and App Control must also be enabled on each network zone that you want to control.

SonicWALL GMS supports App Control on SonicWALL firewall appliances that are running SonicOS 5.9 firmware or higher. The units must be licensed for Gateway Anti-Virus.

App Control is supported for Firewalls at the group level and unit level in SonicWALL GMS. When a unit is selected that is running a version of SonicOS lower than 5.9, the App Control menu group is not visible in the middle panel. However, when the group level is selected, the App Control menu group is available and you can configure objects and policies, even if the group does not yet contain a unit running 5.9 or higher. This allows you to prepare the policy configuration prior to bringing a unit with 5.9 under GMS management.

Inheritance is supported for App Control policies and configurations. Inheritance in SonicWALL GMS allows a node’s settings to be inherited to and from unit, group and parent nodes. For more information about inheritance, see Configuring Inheritance Filters .

On SonicWALL TZ 100 and 200 series appliances, the Security Services > Application Control screen in the SonicOS interface corresponds to the Firewall > App Control Advanced screen in SonicWALL GMS. TZ 100 and 200 boxes do not support App Rules policies. This means that the App Rules, Match Objects, Action Objects, and Email Address Objects screens do not appear for these models.

For related information and use case configurations, see Use Cases .