
Firewall > App Rules

You must enable Application Control before you can use it. App Control and App Rules are both enabled with global settings, and App Control must also be enabled on each network zone that you want to control.

You can configure App Control policies from the Dashboard > App Flow Monitor page by selecting one or more applications or categories and then clicking the Create Rule button. A policy is automatically created on the Firewall > App Rules page, and can be edited just like any other policy.

You can configure Application Control global blocking or logging policies for application categories, signatures, or specific applications on the Firewall > App Control Advanced page. Corresponding match objects are created. You can also configure match objects for these application categories, signatures, or specific applications on the Firewall > Match Objects page. The objects can be used in an App Rules policy, no matter how they were created.

You can configure policies in App Rules using the wizard or manually on the Firewall > App Rules page. The wizard provides a safe method of configuration and helps prevent errors that could result in unnecessary blocking of network traffic. Manual configuration offers more flexibility for situations that require custom actions or policies.

The Firewall > App Rules page contains two global settings:

- Enable App Rules
- Global Log Redundancy Filter

You must enable App Rules to activate the functionality. App Rules is licensed as part of App Control, which is licensed on www.mysonicwall.com on the Service Management - Associated Products page under GATEWAY SERVICES. You can view the status of your license at the top of the Firewall > App Rules page, as shown below.

To enable App Rules and configure the global settings:

Step 1
To enable App Rules, select the Enable App Rules checkbox.
Step 2
To log all policy matches, leave the Global Log Redundancy Filter field set to zero. To enforce a delay between log entries for matches to the same policy, enter the number of seconds to delay.

Global log redundancy settings apply to all App Rules policies. If set to zero, a log entry is created for each policy match found in passing traffic. Other values specify the minimum number of seconds between log entries for multiple matches to the same policy. For example, a log redundancy setting of 10 will log no more than one message every 10 seconds for each policy match. Log redundancy can also be set on a per-policy basis in the Add/Edit Policy page: each policy configuration has its own log redundancy filter setting, which can override the global log redundancy filter setting.
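The following Python model is an added example, not SonicWALL code. It shows how the global filter and a per-policy override decide which matches produce log entries, and how many matches leave no entry at all, which matters when log counts are used to estimate activity. The policy names and timestamps are constructed, and measuring the interval from the last emitted entry (with a match exactly at the interval being logged) is an assumption based on the wording "between log entries".

```python
from collections import defaultdict


def apply_log_redundancy(matches, global_filter=0, per_policy=None):
    """Model the log redundancy filter over time-ordered (seconds, policy) matches.

    global_filter: seconds between entries for the same policy; 0 logs every match.
    per_policy:    {policy_name: seconds} overrides; a policy that is absent
                   here uses the global value ("Global Settings").
    Returns (logged_entries, suppressed_count_per_policy).
    """
    per_policy = per_policy or {}
    last_logged = {}               # policy -> time of the last emitted entry
    suppressed = defaultdict(int)  # policy -> matches that produced no entry
    logged = []
    for ts, policy in matches:
        interval = per_policy.get(policy, global_filter)
        prev = last_logged.get(policy)
        # Assumption: the delay is counted from the last entry actually written.
        if interval == 0 or prev is None or ts - prev >= interval:
            logged.append((ts, policy))
            last_logged[policy] = ts
        else:
            suppressed[policy] += 1
    return logged, dict(suppressed)


# Constructed sample: (seconds since start, hypothetical policy name).
SAMPLE = [
    (0, "block-p2p"), (2, "block-p2p"), (3, "audit-smtp"), (9, "block-p2p"),
    (10, "block-p2p"), (11, "audit-smtp"), (12, "audit-smtp"), (25, "block-p2p"),
]

if __name__ == "__main__":
    scenarios = [
        ("global=0", {}),
        ("global=10", {"global_filter": 10}),
        ("global=10, audit-smtp=0",
         {"global_filter": 10, "per_policy": {"audit-smtp": 0}}),
    ]
    for label, kwargs in scenarios:
        logged, suppressed = apply_log_redundancy(SAMPLE, **kwargs)
        print(f"{label}: {len(logged)} entries, suppressed={suppressed}")
```

With a nonzero filter, the number of log entries is a lower bound on the number of policy matches, so a policy used for auditing is a candidate for a per-policy value of zero.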

Configuring an App Rules Policy

When you have created a match object, and optionally, an action or an email address object, you are ready to create a policy that uses them. For information about configuring these, see the following sections:

- Firewall > Match Objects
- Firewall > Action Objects
- Configuring Application Layer Bandwidth Management
- Firewall > Email Address Objects

For information about using the App Control Wizard to create a policy, see the “Using the Application Control Wizard” section.

For information about policies and policy types, see “App Rules Policy Creation”.

To configure an App Rules policy, perform the following steps:

Step 1
In the navigation pane on the left side, click Firewall, and then click App Rules.
Step 2
Below the App Rules Policies table, click Add New Policy.
Step 3
In the App Control Policies Settings window, type a descriptive name into the Policy Name field.
Step 4
Select a Policy Type from the drop-down list. Your selection here will affect available options in the window. For information about available policy types, see “App Rules Policy Creation”.
Step 5
Select a source and destination Address Group or Address Object from the Address drop-down lists. Only a single Address field is available for IPS Content, App Control Content, or CFS policy types.
Step 6
Select the source or destination service from the Service drop-down lists. Some policy types do not provide a choice of service.
Step 7
For Exclusion Address, optionally select an Address Group or Address Object from the drop-down list. This address will not be affected by the policy.
Step 8
For Match Object, select a match object from the drop-down list. The list contains the defined match objects that are applicable to the policy type.
Step 9
For Action, select an action from the drop-down list. The list contains actions that are applicable to the policy type, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
Step 10
For Users/Groups, select from the drop-down lists for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
Step 11
If the policy type is SMTP Client, select from the drop-down lists for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
Step 12
For Schedule, select from the drop-down list. The list provides a variety of schedules for the policy to be in effect.
Step 13
If you want the policy to create a log entry when a match is found, select the Enable Logging checkbox.
Step 14
To record more details in the log, select the Log individual object content checkbox.
Step 15
If the policy type is IPS Content, select the Log using IPS message format checkbox to display the category in the log entry as “Intrusion Prevention” rather than “Application Control”, and to use a prefix such as “IPS Detection Alert” in the log message rather than “Application Control Alert.” This is useful if you want to use log filters to search for IPS alerts.
Step 16
If the policy type is App Control Content, select the Log using App Control message format checkbox to display the category in the log entry as “Application Control”, and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
Step 17
If the policy type is CFS, select the Log using CFS message format checkbox to display the category in the log entry as “Network Access”, and to use a log message such as “Web site access denied” in the log message rather than no prefix. This is useful if you want to use log filters to search for content filtering alerts.
Step 18
For Log Redundancy Filter, you can either select Global Settings to use the global value set on the Firewall > App Rules page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
Step 19
For Connection Side, select from the drop-down list. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
Step 20
For Direction, click either Basic or Advanced and select a direction from the drop-down list. Basic allows you to select incoming, outgoing, or both. Advanced allows you to select between zones, such as LAN to WAN. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
Step 21
If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone drop-down list. The policy will be applied to this zone.
Step 22
If the policy type is CFS, select an entry from the CFS Allow List drop-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will not be affected by the policy.
Step 23
If the policy type is CFS, select an entry from the CFS Forbidden List drop-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will be denied access to matching content, instead of having the defined action applied.
Step 24
If the policy type is CFS, select the Enable Safe Search Enforcement checkbox to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.
Step 25
Click OK.

Using the Application Control Wizard

The Application Control wizard provides safe configuration of App Control policies for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them. For the manual policy creation procedure, see the “Configuring an App Rules Policy” section.

To use the wizard to configure Application Control, perform the following steps:

Step 1
Log in to the SonicWALL security appliance.
Step 2
In the SonicWALL banner at the top of the screen, click the Wizards icon. The wizards Welcome screen displays.
Step 3
Select the Application Control Wizard radio button and then click Next.
Step 4
In the Application Control Wizard Introduction screen, click Next.
Step 5
In the Application Control Policy Type screen, click a selection for the policy type, and then click Next.

You can choose among SMTP, incoming POP3, Web Access, or FTP file transfer. The policy that you create will only apply to the type of traffic that you select. The next screen will vary depending on your choice here.

Step 6
In the Select <your choice> Rules for Application Control screen, select a policy rule from the choices supplied, and then click Next.

Depending on your choice in the previous step, this screen is one of four possible screens:

- Select SMTP Rules for Application Control
- Select POP3 Rules for Application Control
- Select Web Access Rules for Application Control
- Select FTP Rules for Application Control

Step 7
The screen displayed here will vary depending on your choice of policy rule in the previous step. For the following policy rules, the wizard displays the Set Application Control Object Keywords and Policy Direction screen on which you can select the traffic direction to scan, and the content or keywords to match.
- All SMTP policy rule types except Specify maximum email size
- All POP3 policy rule types
- All Web Access policy rule types except Look for usage of certain web browsers and Look for usage of any web browser, except the ones specified
- All FTP policy types except Make all FTP access read-only and Disallow usage of SITE command

In the Set Application Control Object Keywords and Policy Direction screen, perform the following steps:

- In the Direction drop-down list, select the traffic direction to scan. Select one of Incoming, Outgoing, or Both.
- Do one of the following:
  Note: If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur. See Negative Matching.
  - In the Content text box, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box.
  - To import keywords from a predefined text file that contains a list of content values, one per line, click Load From File.
- Click Next.

If you selected a policy type in the previous step that did not result in the Set Application Control Object Keywords and Policy Direction screen with the standard options, the wizard displays a screen that allows you to select the traffic direction, and certain other choices depending on the policy type.

- In the Direction drop-down list, select the traffic direction to scan.
- SMTP: In the Set Maximum Email Size screen, in the Maximum Email Size text box, enter the maximum number of bytes for an email message.
- Web Access: In the Application Control Object Settings screen, the Content text box has a drop-down list with a limited number of choices, and no Load From File button is available. Select a browser from the drop-down list.
- FTP: In the special-case Set Application Control Object Keywords and Policy Direction screen, you can only select the traffic direction to scan.
- Click Next.
Step 8
In the Application Control Action Settings screen, select the action to take when matching content is found in the specified type of network traffic, and then click Next.

You will see one or more of the following choices depending on the policy type, as shown below:

All Types: Log Only
All Types: Bypass DPI
SMTP: Blocking Action - block and send custom email reply
SMTP: Blocking Action - block without sending email reply
SMTP: Add Email Banner (append text at the end of email)
POP3: Blocking Action - disable attachment and add custom text
Web Access: Blocking Action - custom block page
Web Access: Blocking Action - redirect to new location
Web Access: Blocking Action - Reset Connection
Web Access: Manage Bandwidth

Step 9
In the second Application Control Action Settings screen (if it is displayed), in the Content text box, type the text or URL that you want to use, and then click Next.

The second Application Control Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text box.

Step 10
In the Select Name for Application Control Policy screen, in the Policy Name text box, type a descriptive name for the policy, and then click Next.
Step 11
In the Confirm Policy Settings screen, review the displayed values for the new policy and do one of the following:
- To create a policy using the displayed configuration values, click Apply.
- To change one or more of the values, click Back.
- To exit the wizard without creating the policy, click Cancel.
Step 12
In the Application Control Policy Complete screen, to exit the wizard, click Close.

Note: You can configure Application Control policies without using the wizard. When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them.