App Rules
You must enable Application Control before you can use it. App Control and App Rules are both enabled with global settings, and App Control must also be enabled on each network zone that you want to control.
You can configure App Control policies from the Dashboard > App Flow Monitor page by selecting one or more applications or categories and then clicking the Create Rule button. A policy is automatically created on the Firewall > App Rules page, and can be edited just like any other policy.
You can configure Application Control global blocking or logging policies for application categories, signatures, or specific applications on the Firewall > App Control Advanced page. Corresponding match objects are created. You can also configure match objects for these application categories, signatures, or specific applications on the Firewall > Match Objects page. The objects can be used in an App Rules policy, no matter how they were created.
You can configure policies in App Rules using the wizard or manually on the Firewall > App Rules page. The wizard provides a safe method of configuration and helps prevent errors that could result in unnecessary blocking of network traffic. Manual configuration offers more flexibility for situations that require custom actions or policies.
The Firewall > App Rules page contains two global settings:
Enable App Rules
Global Log Redundancy Filter
You must enable App Rules to activate the functionality. App Rules is licensed as part of App Control, which is licensed on www.mysonicwall.com on the Service Management - Associated Products page under GATEWAY SERVICES. You can view the status of your license at the top of the Firewall > App Rules page.
To enable App Rules and configure the global settings:
To enable App Rules, select the Enable App Rules checkbox.
To log all policy matches, leave the Global Log Redundancy Filter field set to zero. To enforce a delay between log entries for matches to the same policy, enter the number of seconds to delay.
Global log redundancy settings apply to all App Rules policies. If set to zero, a log entry is created for each policy match found in passing traffic. Other values specify the minimum number of seconds between log entries for multiple matches to the same policy. For example, a log redundancy setting of 10 will log no more than one message every 10 seconds for each policy match. Log redundancy can also be set on a per-policy basis in the Add/Edit Policy page. Each policy has its own log redundancy filter setting, which can override the global log redundancy filter setting.
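The following Python model is an added example, not part of the SonicWALL documentation or firmware. It applies the log redundancy rules described above to a constructed series of policy matches to show which matches leave no log entry. The policy names, the timestamps, and the treatment of a match that arrives exactly at the delay boundary are assumptions.

```python
from collections import Counter

GLOBAL = None  # per-policy sentinel meaning "use the global filter value"


def effective_filter(policy_filter, global_filter):
    """A per-policy value overrides the global one; GLOBAL defers to it."""
    return global_filter if policy_filter is GLOBAL else policy_filter


def filter_log_entries(matches, policy_filters, global_filter=0):
    """Return the matches that would produce a log entry.

    matches: list of (timestamp_seconds, policy_name), in time order.
    policy_filters: {policy_name: seconds or GLOBAL}.
    """
    last_logged = {}  # policy name -> timestamp of its last log entry
    logged = []
    for ts, policy in matches:
        delay = effective_filter(policy_filters.get(policy, GLOBAL), global_filter)
        prev = last_logged.get(policy)
        # 0 logs every match. Otherwise at least `delay` seconds must have
        # passed since the last entry for this same policy (assumption: a
        # match exactly `delay` seconds later is logged).
        if delay == 0 or prev is None or ts - prev >= delay:
            logged.append((ts, policy))
            last_logged[policy] = ts
    return logged


def suppressed_counts(matches, logged):
    """Matches per policy that left no log entry, so log review cannot see them."""
    return dict(Counter(p for _, p in matches) - Counter(p for _, p in logged))


# Constructed sample: policy names and timestamps are made up.
SAMPLE_MATCHES = [
    (0, "block-ftp-put"), (3, "block-ftp-put"), (9, "block-ftp-put"),
    (10, "block-ftp-put"), (12, "log-smtp-attach"), (14, "log-smtp-attach"),
    (25, "block-ftp-put"),
]
# One policy follows the global value, the other overrides it with 0.
SAMPLE_POLICIES = {"block-ftp-put": GLOBAL, "log-smtp-attach": 0}

if __name__ == "__main__":
    logged = filter_log_entries(SAMPLE_MATCHES, SAMPLE_POLICIES, global_filter=10)
    for ts, policy in logged:
        print(f"t={ts:>3}s  {policy}")
    print("suppressed:", suppressed_counts(SAMPLE_MATCHES, logged))
```

With a global filter of 10 seconds, two of the five matches for the policy that follows the global value produce no log entry, while the policy that overrides the filter with zero logs every match.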
Configuring an App Rules Policy
When you have created a match object, and optionally, an action or an email address object, you are ready to create a policy that uses them. For information about configuring these, see the following sections:
For information about using the App Control Wizard to create a policy, see the Configuration Procedures on MySonicWALL.
For information about policies and policy types, see App Rules Policy Creation.
To configure an App Rules policy, perform the following steps:
In the navigation pane on the left side, click Firewall, and then click App Rules.
Below the App Rules Policies table, click Add New Policy.
In the App Control Policies Settings window, type a descriptive name into the Policy Name field.
Select a Policy Type from the drop-down list. Your selection here will affect available options in the window. For information about available policy types, see App Rules Policy Creation.
Select a source and destination Address Group or Address Object from the Address drop-down lists. Only a single Address field is available for IPS Content, App Control Content, or CFS policy types.
Select the source or destination service from the Service drop-down lists. Some policy types do not provide a choice of service.
For Exclusion Address, optionally select an Address Group or Address Object from the drop-down list. This address will not be affected by the policy.
For Match Object, select a match object from the drop-down list. The list contains the defined match objects that are applicable to the policy type.
When configuring an App Rule of policy type HTTP Client, you can optionally specify an Excluded Match Object. For example, if the Included Match Object was for sonicwall.com and the Excluded Match Object was for sales.sonicwall.com, the App Rule would apply to all of sonicwall.com except for sales.sonicwall.com.
Note: The Excluded Match Object does not take effect when the Included Match Object is set to a Custom Object.
For Action, select an action from the drop-down list. The list contains actions that are applicable to the policy type, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
For Users/Groups, select from the drop-down lists for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
If the policy type is SMTP Client, select from the drop-down lists for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
For Schedule, select from the drop-down list. The list provides a variety of schedules for the policy to be in effect.
If you want the policy to create a log entry when a match is found, select the Enable Logging checkbox.
To record more details in the log, select the Log individual object content checkbox.
If the policy type is IPS Content, select the Log using IPS message format checkbox to display the category in the log entry as “Intrusion Prevention” rather than “Application Control”, and to use a prefix such as “IPS Detection Alert” in the log message rather than “Application Control Alert.” This is useful if you want to use log filters to search for IPS alerts.
If the policy type is App Control Content, select the Log using App Control message format checkbox to display the category in the log entry as “Application Control”, and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
If the policy type is CFS, select the Log using CFS message format checkbox to display the category in the log entry as “Network Access”, and to use a message such as “Web site access denied” in the log entry rather than no prefix. This is useful if you want to use log filters to search for content filtering alerts.
For Log Redundancy Filter, you can either select Global Settings to use the global value set on the Firewall > App Rules page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
For Connection Side, select from the drop-down list. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
For Direction, click either Basic or Advanced and select a direction from the drop-down list. Basic allows you to select incoming, outgoing, or both. Advanced allows you to select between zones, such as LAN to WAN. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone drop-down list. The policy will be applied to this zone.
If the policy type is CFS, select an entry from the CFS Allow List drop-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will not be affected by the policy.
If the policy type is CFS, select an entry from the CFS Forbidden List drop-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry will be denied access to matching content, instead of having the defined action applied.
If the policy type is CFS, select the Enable Safe Search Enforcement checkbox to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.
If the policy type is CFS, select Enable YouTube for Schools and enter your School ID to enable the YouTube for Schools feature. For more information, see YouTube for Schools and SonicWALL Content Filtering Service.
Click OK.
Using the Application Control Wizard
The Application Control wizard provides safe configuration of App Control policies for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them. For the manual policy creation procedure, see Configuring an App Rules Policy.
To use the wizard to configure Application Control, perform the following steps:
Log in to the SonicWALL security appliance.
In the SonicWALL banner at the top of the screen, click the Wizards icon. The wizards Welcome screen displays.
Select the Application Control Wizard radio button and then click Next.
In the Application Control Wizard Introduction screen, click Next.
In the Application Control Policy Type screen, click a selection for the policy type, and then click Next.
You can choose among SMTP, incoming POP3, Web Access, or FTP file transfer. The policy that you create will only apply to the type of traffic that you select. The next screen will vary depending on your choice here.
In the Select <your choice> Rules for Application Control screen, select a policy rule from the choices supplied, and then click Next.
Depending on your choice in the previous step, this screen is one of four possible screens:
Select SMTP Rules for Application Control
Select POP3 Rules for Application Control
Select Web Access Rules for Application Control
Select FTP Rules for Application Control
The screen displayed here will vary depending on your choice of policy rule in the previous step. For the following policy rules, the wizard displays the Set Application Control Object Keywords and Policy Direction screen on which you can select the traffic direction to scan, and the content or keywords to match.
All SMTP policy rule types except “Specify maximum email size”
All POP3 policy rule types
All Web Access policy rule types except “Look for usage of certain web browsers” and “Look for usage of any web browser, except the ones specified”
All FTP policy types except “Make all FTP access read-only” and “Disallow usage of SITE command”
In the Set Application Control Object Keywords and Policy Direction screen, perform the following steps:
In the Direction drop-down list, select the traffic direction to scan: Incoming, Outgoing, or Both.
Do one of the following:
Note: If you selected a choice with the words “except the ones specified” in the previous step, content that you enter here will be the only content that does not cause the action to occur. See Negative Matching.
In the Content text box, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box.
To import keywords from a predefined text file that contains a list of content values, one per line, click Load From File.
Click Next.
If you selected a policy type in the previous step that did not result in the Set Application Control Object Keywords and Policy Direction screen with the standard options, the wizard displays a screen that allows you to select the traffic direction, and certain other choices depending on the policy type.
In the Direction drop-down list, select the traffic direction to scan.
SMTP: In the Set Maximum Email Size screen, in the Maximum Email Size text box, enter the maximum number of bytes for an email message.
Web Access: In the Application Control Object Settings screen, the Content text box has a drop-down list with a limited number of choices, and no Load From File button is available. Select a browser from the drop-down list.
FTP: In the special-case Set Application Control Object Keywords and Policy Direction screen, you can only select the traffic direction to scan.
Click Next.
In the Application Control Action Settings screen, select the action to take when matching content is found in the specified type of network traffic, and then click Next.
The choices that you see depend on the policy type.
In the second Application Control Action Settings screen (if it is displayed), in the Content text box, type the text or URL that you want to use, and then click Next.
The second Application Control Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text box.
In the Select Name for Application Control Policy screen, in the Policy Name text box, type a descriptive name for the policy, and then click Next.
In the Confirm Policy Settings screen, review the displayed values for the new policy and do one of the following:
To create a policy using the displayed configuration values, click Apply.
To change one or more of the values, click Back.
To exit the wizard without creating the policy, click Cancel.
In the Application Control Policy Complete screen, to exit the wizard, click Close.
Note: You can configure Application Control policies without using the wizard. When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them.