Firewall > App Control Advanced

The Firewall > App Control Advanced page provides a way to configure global App Control policies using categories, applications, and signatures. Policies configured on this page are independent from App Rules policies, and do not need to be added to an App Rules policy to take effect.

You can configure the following settings on this page:

Select a category, an application, or a signature.
Select blocking, logging, or both as the action.
Specify users, groups, or IP address ranges to include in or exclude from the action.
Set a schedule for enforcing the controls.

While these application control settings are independent from App Rules policies, you can also create application match objects for any of the categories, applications, or signatures available here, and use those match objects in an App Rules policy. See the “Application List Objects” section for more information.

Configuring App Control Global Settings

The Firewall > App Control Advanced page provides the following global settings:

Enable App Control
Configure App Control Settings
Reset App Control Settings & Policies

App Control is a licensed service; the license alone does not activate it, so you must also enable App Control to activate the functionality.

To enable App Control and configure the global settings:

Step 1
To globally enable App Control, select the Enable App Control checkbox.
Step 2
To enable App Control on a network zone, navigate to the Network > Zones page, and click the Configure icon for the desired zone.
Step 3
Select the Enable App Control Service checkbox, then click OK.

Note
App Control policies are applied to traffic within a network zone only if you enable the App Control Service for that zone. App Rules policies are independent, and are not affected by the App Control setting for network zones.

The Network > Zones page displays a green indicator in the App Control column for any zones that have the App Control service enabled.

Step 4
You can configure a global exclusion list for App Control policies on the Firewall > App Control Advanced page. To configure the exclusion list, click the Configure App Control Settings button. The App Control Exclusion List window opens.
Step 5
To use the IPS exclusion list, which can be configured from the Security Services > Intrusion Prevention page, select the Use IPS Exclusion List radio button.
Step 6
To use an address object for the exclusion list, select the Use Application Control Exclusion Address Object radio button, and then select an address object from the drop-down list.
Step 7
Click OK.
Step 8
To reset App Control settings and policy configuration to the factory default values, click the Reset App Control Settings & Policies button on the Firewall > App Control Advanced page, and then click OK in the confirmation dialog box.

Configuring Application Control by Category

Category-based configuration is the broadest level of policy configuration on the Firewall > App Control Advanced page. The list of categories is available in the Category drop-down list.

To configure an App Control policy for an application category:

Step 1
Navigate to the Firewall > App Control Advanced page.
Step 2
Under App Control Advanced, select an application category from the Category drop-down list. A Configure button appears to the right of the field as soon as a category is selected.
Step 3
Click the Configure button to open the App Control Category Settings window for the selected category.
Step 4
To block applications in this category, select Enable in the Block drop-down list.
Step 5
To create a log entry when applications in this category are detected, select Enable in the Log drop-down list.
Step 6
To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down list. Select All to apply the policy to all users.
Step 7
To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups drop-down list. Select None to apply the policy to all users.
Step 8
To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down list. Select All to apply the policy to all IP addresses.
Step 9
To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down list. Select None to apply the policy to all IP addresses.
Step 10
To enable this policy during specific days of the week and hours of the day, select one of the following schedules from the Schedule drop-down list:
Always on – Enable the policy at all times.
Work Hours – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
M-T-W-T-F 08:00 to 17:00 – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
After Hours – Enable the policy Monday through Friday, 5:00 PM to 8:00 AM.
M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM.
M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.
Step 11
To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
Step 12
Click OK.

Configuring Application Control by Application

Application-based configuration is the middle level of policy configuration on the Firewall > App Control Advanced page, between the category-based and signature-based levels.

This configuration method allows you to create policy rules specific to a single application, so that the policy settings are enforced only on the signatures of that application without affecting other applications in the same category.

To configure an App Control policy for a specific application:

Step 1
Navigate to the Firewall > App Control Advanced page.
Step 2
Under App Control Advanced, first select a category from the Category drop-down list.
Step 3
Next, select an application in this category from the Application drop-down list. A Configure button appears to the right of the field as soon as an application is selected.
Step 4
Click the Configure button to open the App Control App Settings window for the selected application. The fields at the top of the window are not editable; they display the values for the Application Category and Application Name. The application configuration parameters default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave this selection in place for those fields.
Step 5
To block this application, select Enable in the Block drop-down list.
Step 6
To create a log entry when this application is detected, select Enable in the Log drop-down list.
Step 7
To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down list. Select All to apply the policy to all users.
Step 8
To exclude a specific user or group of users from the selected block or log actions, select a user group or user from the Excluded Users/Groups drop-down list. Select None to apply the policy to all users.
Step 9
To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down list. Select All to apply the policy to all IP addresses.
Step 10
To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down list. Select None to apply the policy to all IP addresses.
Step 11
To enable this policy during specific days of the week and hours of the day, select one of the following schedules from the Schedule drop-down list:
Always on – Enable the policy at all times.
Work Hours – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
M-T-W-T-F 08:00 to 17:00 – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
After Hours – Enable the policy Monday through Friday, 5:00 PM to 8:00 AM.
M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM.
M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.
Step 12
To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
Step 13
To see detailed information about the application, click the here link in the Note at the bottom of the window.
Step 14
Click OK.

Configuring Application Control by Signature

Signature-based configuration is the lowest and most specific level of policy configuration on the Firewall > App Control Advanced page.

Setting a policy based on a specific signature allows you to configure policy settings for that individual signature without affecting other signatures of the same application.

To configure an App Control policy for a specific signature:

Step 1
Navigate to the Firewall > App Control Advanced page.
Step 2
Under App Control Advanced, first select a category from the Category drop-down list.
Step 3
Next, select an application in this category from the Application drop-down list.
Step 4
To display the specific signatures for this application, select Signature in the Viewed by drop-down list. For example, the Freestyle gaming application has two signatures.
Step 5
Click the Configure button in the row for the signature you want to work with. The App Control Signature Settings window opens. The fields at the top of the window are not editable; they display the values for the Signature Category, Signature Name, Signature ID, Priority, and the Direction of the traffic in which this signature can be detected.

The default policy settings for the signature are set to the current settings for the application to which the signature belongs. To retain this connection to the application settings for one or more fields, leave this selection in place for those fields.

Step 6
To block this signature, select Enable in the Block drop-down list.
Step 7
To create a log entry when this signature is detected, select Enable in the Log drop-down list.
Step 8
To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down list. Select All to apply the policy to all users.
Step 9
To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups drop-down list. Select None to apply the policy to all users.
Step 10
To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down list. Select All to apply the policy to all IP addresses.
Step 11
To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down list. Select None to apply the policy to all IP addresses.
Step 12
To enable this policy during specific days of the week and hours of the day, select one of the following schedules from the Schedule drop-down list:
Always on – Enable the policy at all times.
Work Hours – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
M-T-W-T-F 08:00 to 17:00 – Enable the policy Monday through Friday, 8:00 AM to 5:00 PM.
After Hours – Enable the policy Monday through Friday, 5:00 PM to 8:00 AM.
M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM.
M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.
Step 13
To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
Step 14
To see detailed information about the signature, click the here link in the Note at the bottom of the window.
Step 15
Click OK.
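As an added example (not SonicOS code and not part of this guide), the following Python models how settings resolve across the three procedures above: a category policy, an application policy whose unset fields inherit from the category, and a signature policy that inherits from the application. The Included/Excluded semantics (All means everyone, None means no exemptions, an exclusion overrides an inclusion) are a reading of the steps, and the group and IP values are constructed.

```python
# Model of the category > application > signature hierarchy on the App Control
# Advanced page. Values are constructed; resolution rules are a reading of the page.
from dataclasses import dataclass, fields
from typing import Optional, Union

INHERIT = None             # field left at its default keeps the parent level's value
ALL, NONE = "All", "None"  # drop-down values: ALL for Included, NONE for Excluded
Scope = Union[str, frozenset]

@dataclass
class Policy:
    block: Optional[bool] = INHERIT
    log: Optional[bool] = INHERIT
    included_users: Optional[Scope] = INHERIT
    excluded_users: Optional[Scope] = INHERIT
    included_ips: Optional[Scope] = INHERIT
    excluded_ips: Optional[Scope] = INHERIT

def resolve(*levels: Policy) -> Policy:
    """Apply levels from least to most specific (category, application, signature).
    A field set at a more specific level overrides the level above it; a field
    left at INHERIT keeps the value already resolved from the parent."""
    merged = Policy()
    for level in levels:
        for f in fields(Policy):
            value = getattr(level, f.name)
            if value is not INHERIT:
                setattr(merged, f.name, value)
    return merged

def in_scope(subject: str, included: Scope, excluded: Scope) -> bool:
    """Included narrows the policy (ALL = everyone); Excluded then carves out
    exemptions (NONE = no exemptions), so an exclusion always wins."""
    inc = included == ALL or subject in included
    exc = excluded != NONE and subject in excluded
    return inc and not exc

def evaluate(policy: Policy, group: str, ip: str) -> dict:
    """Block/log actions that apply to one detected flow from a group and IP."""
    applies = (in_scope(group, policy.included_users, policy.excluded_users)
               and in_scope(ip, policy.included_ips, policy.excluded_ips))
    return {"block": applies and bool(policy.block), "log": applies and bool(policy.log)}

# Constructed levels: the category blocks and logs everyone, the application
# exempts the Admins group, and one of its signatures is set to log only.
CATEGORY = Policy(block=True, log=True, included_users=ALL, excluded_users=NONE,
                  included_ips=ALL, excluded_ips=NONE)
APPLICATION = Policy(excluded_users=frozenset({"Admins"}))
SIGNATURE = Policy(block=False)
```

Resolving CATEGORY, APPLICATION and SIGNATURE in order shows that the signature's log-only setting still carries the application-level Admins exemption, which is the behaviour the "leave this selection in place" wording describes.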