You must enable Application Control before you can use it. App Control and App Rules are both enabled with global settings, and App Control must also be enabled on each network zone that you want to control.
You can configure App Control policies from the Dashboard > App Flow Monitor page by selecting one or more applications or categories and then clicking the Create Rule button. A policy is automatically created on the Firewall > App Rules page, and can be edited just like any other policy.
You can configure Application Control global blocking or logging policies for application categories, signatures, or specific applications on the Firewall > App Control Advanced page. Corresponding match objects are created. You can also configure match objects for these application categories, signatures, or specific applications on the Firewall > Match Objects page. The objects can be used in an App Rules policy, no matter how they were created.
You can configure policies in App Rules using the wizard or manually on the Firewall > App Rules page. The wizard provides a safe method of configuration and helps prevent errors that could result in unnecessary blocking of network traffic. Manual configuration offers more flexibility for situations that require custom actions or policies.
The Firewall > App Rules page contains two global settings:
You must enable App Rules to activate the functionality. App Rules is licensed as part of App Control, which is licensed on www.mysonicwall.com on the Service Management - Associated Products page under GATEWAY SERVICES. You can view the status of your license at the top of the Firewall > App Rules page, as shown below.
To enable App Rules and configure the global settings:
Step 2: To log all policy matches, leave the Global Log Redundancy Filter field set to zero. To enforce a delay between log entries for matches to the same policy, enter the number of seconds to delay.
Global log redundancy settings apply to all App Rules policies. If set to zero, a log entry is created for each policy match found in passing traffic. Other values specify the minimum number of seconds between log entries for multiple matches to the same policy. For example, a log redundancy setting of 10 will log no more than one message every 10 seconds for each policy match. Log redundancy can also be set on a per-policy basis in the Add/Edit Policy page where each individual policy configuration has its own log redundancy filter setting that can override the global log redundancy filter setting.
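The global and per-policy log redundancy behaviour described above, modelled as an added example (not SonicWall code). The policy names and event times are constructed, and the model assumes the interval is measured from the last entry actually logged.

```python
# Added model of the log redundancy filter; not SonicOS code.
# Assumption: the interval is measured from the last entry actually logged,
# and a match exactly `window` seconds later is logged again.

# Constructed sample: (seconds since start, policy name). Names are hypothetical.
EVENTS = [
    (0, "block-ftp-put"), (2, "block-ftp-put"), (4, "log-exe-download"),
    (9, "block-ftp-put"), (10, "block-ftp-put"), (12, "log-exe-download"),
    (15, "log-exe-download"), (21, "block-ftp-put"),
]


def effective_window(global_secs, policy_secs):
    """Per-policy value wins; None means the policy uses Global Settings."""
    return global_secs if policy_secs is None else policy_secs


def apply_redundancy_filter(events, global_secs, overrides=None):
    """Return (logged, suppressed): the entries written, and a count of
    matches dropped per policy. `events` must be sorted by time."""
    overrides = overrides or {}
    last_logged = {}  # policy -> timestamp of its most recent log entry
    logged, suppressed = [], {}
    for ts, policy in events:
        window = effective_window(global_secs, overrides.get(policy))
        prev = last_logged.get(policy)
        if window == 0 or prev is None or ts - prev >= window:
            logged.append((ts, policy))
            last_logged[policy] = ts
        else:
            suppressed[policy] = suppressed.get(policy, 0) + 1
    return logged, suppressed


if __name__ == "__main__":
    for label, secs, ovr in [
        ("global=0", 0, None),
        ("global=10", 10, None),
        ("global=10, log-exe-download=0", 10, {"log-exe-download": 0}),
    ]:
        logged, suppressed = apply_redundancy_filter(EVENTS, secs, ovr)
        print(f"{label}: {len(logged)} logged, suppressed={suppressed}")
```

With a nonzero filter, the number of log entries is a lower bound on the number of policy matches, which matters when the log is used to reconstruct a timeline.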
When you have created a match object, and optionally, an action or an email address object, you are ready to create a policy that uses them. For information about configuring these, see the following sections:
For information about using the App Control Wizard to create a policy, see the “Using the Application Control Wizard” section.
For information about policies and policy types, see “App Rules Policy Creation”.
To configure an App Rules policy, perform the following steps:
Step 2: Below the App Rules Policies table, click Add New Policy.
Step 3: In the App Control Policies Settings window, type a descriptive name into the Policy Name field.
Step 4: Select a Policy Type from the drop-down list. Your selection here will affect available options in the window. For information about available policy types, see “App Rules Policy Creation”.
Step 7: For Exclusion Address, optionally select an Address Group or Address Object from the drop-down list. This address will not be affected by the policy.
Step 8: For Match Object, select a match object from the drop-down list. The list contains the defined match objects that are applicable to the policy type.
Step 9: For Action, select an action from the drop-down list. The list contains actions that are applicable to the policy type, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
Step 10: For Users/Groups, select from the drop-down lists for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
Step 11: If the policy type is SMTP Client, select from the drop-down lists for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
Step 12: For Schedule, select from the drop-down list. The list provides a variety of schedules for the policy to be in effect.
Step 15: If the policy type is IPS Content, select the Log using IPS message format checkbox to display the category in the log entry as “Intrusion Prevention” rather than “Application Control”, and to use a prefix such as “IPS Detection Alert” in the log message rather than “Application Control Alert.” This is useful if you want to use log filters to search for IPS alerts.
Step 16: If the policy type is App Control Content, select the Log using App Control message format checkbox to display the category in the log entry as “Application Control”, and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
Step 17: If the policy type is CFS, select the Log using CFS message format checkbox to display the category in the log entry as “Network Access”, and to use a log message such as “Web site access denied” in the log message rather than no prefix. This is useful if you want to use log filters to search for content filtering alerts.
Step 18: For Log Redundancy Filter, you can either select Global Settings to use the global value set on the Firewall > App Rules page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
Step 19: For Connection Side, select from the drop-down list. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
Step 20: For Direction, click either Basic or Advanced and select a direction from the drop-down list. Basic allows you to select incoming, outgoing, or both. Advanced allows you to select between zones, such as LAN to WAN. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
Step 21: If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone drop-down list. The policy will be applied to this zone.
Step 22: If the policy type is CFS, select an entry from the CFS Allow List drop-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will not be affected by the policy.
Step 23: If the policy type is CFS, select an entry from the CFS Forbidden List drop-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will be denied access to matching content, instead of having the defined action applied.
Step 24: If the policy type is CFS, select the Enable Safe Search Enforcement checkbox to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.
The Application Control wizard provides safe configuration of App Control policies for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them. For the manual policy creation procedure, see the “Configuring an App Rules Policy” section.
To use the wizard to configure Application Control, perform the following steps:
Step 3: Select the Application Control Wizard radio button and then click Next.
Step 4: In the Application Control Wizard Introduction screen, click Next.
Step 5: In the Application Control Policy Type screen, click a selection for the policy type, and then click Next.
You can choose among SMTP, incoming POP3, Web Access, or FTP file transfer. The policy that you create will only apply to the type of traffic that you select. The next screen will vary depending on your choice here.
Step 6: In the Select <your choice> Rules for Application Control screen, select a policy rule from the choices supplied, and then click Next.
Depending on your choice in the previous step, this screen is one of four possible screens:
In the Set Application Control Object Keywords and Policy Direction screen, perform the following steps:
• In the Direction drop-down list, select the traffic direction to scan from the drop-down list. Select one of Incoming, Outgoing, or Both.
– In the Content text box, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box.
If you selected a policy type in the previous step that did not result in the Set Application Control Object Keywords and Policy Direction screen with the standard options, the wizard displays a screen that allows you to select the traffic direction, and certain other choices depending on the policy type.
• In the Direction drop-down list, select the traffic direction to scan.
• SMTP: In the Set Maximum Email Size screen, in the Maximum Email Size text box, enter the maximum number of bytes for an email message.
• Web Access: In the Application Control Object Settings screen, the Content text box has a drop-down list with a limited number of choices, and no Load From File button is available. Select a browser from the drop-down list.
• FTP: In the special-case Set Application Control Object Keywords and Policy Direction screen, you can only select the traffic direction to scan.
Step 8: In the Application Control Action Settings screen, select the action to take when matching content is found in the specified type of network traffic, and then click Next.
You will see one or more of the following choices depending on the policy type, as shown below:
Step 9: In the second Application Control Action Settings screen (if it is displayed), in the Content text box, type the text or URL that you want to use, and then click Next.
The second Application Control Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text box.
Step 10: In the Select Name for Application Control Policy screen, in the Policy Name text box, type a descriptive name for the policy, and then click Next.
Step 11: In the Confirm Policy Settings screen, review the displayed values for the new policy and do one of the following:
Step 12: In the Application Control Policy Complete screen, to exit the wizard, click Close.