Application Control

This chapter describes how to configure and manage the Application Control feature in SonicOS. This chapter contains the following sections:

Application Control Overview

This section provides an introduction to the SonicOS Application Control feature. This section contains the following subsections:

What is Application Control?

Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. Beginning in SonicOS 5.8.1, you can also create certain types of App Control policies on the fly directly from the Dashboard > App Flow Monitor page.

As a set of application-specific policies, Application Control gives you granular control over network traffic on the level of users, email addresses, schedules, and IP-subnets. The primary functionality of this application-layer access control feature is to regulate Web browsing, file transfer, email, and email attachments.

In SonicOS 5.8 and higher, the ability to control application layer traffic in SonicOS is significantly enhanced with the ability to view real-time application traffic flows, and new ways to access the application signature database and to create application layer rules. SonicOS 5.8 integrates application control with standard network control features for more powerful control over all network traffic.

Beginning in SonicOS 5.9, you can use regular expressions to match patterns in network traffic. Specifically, App Control policies can utilize reassembly-free regular expression matching. This means that no buffering of the input content is required, and patterns are matched across packet boundaries.

About App Control Policies

In SonicOS 5.8.1, there are three ways to create App Control policies and control applications in your network:

About Application Control Capabilities

Application Control’s data leakage prevention component provides the ability to scan files and documents for content and keywords. Using Application Control, you can restrict transfer of certain file names, file types, email attachments, attachment types, email with certain subjects, and email or attachments with certain keywords or byte patterns. You can deny internal or external network access based on various criteria. You can use Packet Monitor to take a deeper look at application traffic, and can select among various bandwidth management settings to reduce network bandwidth usage by an application.

Based on SonicWALL’s Reassembly Free Deep Packet Inspection technology, Application Control also features intelligent prevention functionality which allows you to create custom, policy-based actions. Examples of custom actions include the following:

While Application Control primarily provides application level access control, application layer bandwidth management and data leakage prevention, it also includes the ability to create custom application or protocol match signatures. You can create a custom policy with App Rules that matches any protocol you wish, by matching a unique piece of the protocol. See Custom Signature.

Application Control provides excellent functionality for preventing the accidental transfer of proprietary documents. For example, when using the automatic address completion feature of Outlook Exchange, it is a common occurrence for a popular name to complete to the wrong address. See the following figure for an example.

[Figure: Outlook Exchange address auto-completion example]

Benefits of Application Control

The Application Control functionality provides the following benefits:

Application Control functionality can be compared to three main categories of products:

Standalone proxy appliances are typically designed to provide granular access control for a specific protocol. SonicWALL Application Control provides granular, application level access control across multiple protocols, including HTTP, FTP, SMTP, and POP3. Because Application Control runs on your SonicWALL firewall, you can use it to control both inbound and outbound traffic, unlike a dedicated proxy appliance that is typically deployed in only one direction. Application Control provides better performance and scalability than a dedicated proxy appliance because it is based on SonicWALL’s proprietary Deep Packet Inspection technology.

Today’s integrated application proxies do not provide granular, application level access control, application layer bandwidth management, and digital rights management functionality. As with dedicated proxy appliances, SonicWALL Application Control provides much higher performance and far greater scalability than integrated application proxy solutions.

While some standalone IPS appliances provide protocol decoding support, none of these products supports granular, application level access control, application layer bandwidth management, and digital rights management functionality.

In comparing Application Control to SonicWALL Email Security, there are benefits to using either. Email Security only works with SMTP, but it has a very rich policy space. Application Control works with SMTP, POP3, HTTP, FTP and other protocols, is integrated into SonicOS on the firewall, and has higher performance than Email Security. However, Application Control does not offer all the policy options for SMTP that are provided by Email Security.

How Does Application Control Work?

Application Control utilizes SonicOS Deep Packet Inspection to scan application layer network traffic as it passes through the gateway and locate content that matches configured applications. When a match is found, these features perform the configured action. When you configure App Control policies, you create global rules that define whether to block or log the application, which users, groups, or IP address ranges to include or exclude, and a schedule for enforcement. Additionally, you can create App Rules policies that define the type of applications to scan, the direction, the content, keywords, or regular expression to match, optionally the user or domain to match, and the action to perform.

The following sections describe the main components of Application Control:

Actions Using Bandwidth Management

Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom App Rules policies using HTTP client, HTTP Server, Custom, and FTP file transfer types. For details about policy types, see App Rules Policy Creation.

If the Bandwidth Management Type on the Firewall Settings > BWM page is set to Global, application layer bandwidth management functionality is supported with eight predefined, default BWM priority levels, available when adding a policy from the Firewall > App Rules page. There is also a customizable Bandwidth Management type action, available when adding a new action from the Firewall > Action Objects screen.

Bandwidth management can also be configured from the App Flow Monitor page by selecting a service type application or a signature type application and then clicking the Create Rule button. The Bandwidth Management options available there depend on the enabled priority levels in the Global Priority Queue table on the Firewall Settings > BWM page. The priority levels enabled by default are High, Medium, and Low.

All application bandwidth management is tied in with global bandwidth management, which is configured on the Firewall Settings > BWM page. Two types of bandwidth management are available: WAN and Global. When the type is set to WAN, bandwidth management is allowed only on interfaces in the WAN zone. With a type of Global, interfaces in all zones can be configured with bandwidth management. All App Control screens that offer an option for bandwidth management provide a link to the Firewall Settings > BWM page so that you can easily configure global bandwidth management settings for the type and the guaranteed and maximum percentages allowed for each priority level.

Figure 56:14   Firewall Settings > BWM Page

It is a best practice to configure Global Bandwidth Management settings before configuring App Control policies that use BWM. The global bandwidth management feature is described in detail in the Global Bandwidth Management Feature Module, available on MySonicWALL and www.sonicwall.com.

Changing the Bandwidth Management Type on the Firewall Settings > BWM page between WAN and Global causes BWM to be disabled in all Firewall Access Rules, while default BWM action objects in App Control policies will convert accordingly to correspond to the new bandwidth management type.

When you change the Bandwidth Management Type from Global to WAN, the default BWM actions that are in use in any App Rules policies will be automatically converted to WAN BWM Medium, no matter what level they were set to before the change.

When you change the Type from WAN to Global, the default BWM actions are converted to BWM Global-Medium. The firewall does not store your previous action priority levels when you switch the Type back and forth. You can view the conversions on the Firewall > App Rules page.

Custom Bandwidth Management actions behave differently than the default BWM actions. Custom BWM actions are configured by adding a new action object from the Firewall > Action Objects page and selecting the Bandwidth Management action type. Custom Bandwidth Management actions and policies using them retain their priority level setting when the Bandwidth Management Type is changed from Global to WAN, and from WAN to Global.

For example, if the Bandwidth Management Type is set to WAN, and you set the priority level in your custom BWM action object to 5 (which happens to be the priority level for BWM Global-Medium Low). You also set custom values for the Guaranteed Bandwidth and Maximum Bandwidth in the Add/Edit Action Object window. You would continue to see a priority of 5 for your custom BWM action after a change from Type WAN to Global or back again. The values you set for Guaranteed Bandwidth and Maximum Bandwidth are converted in the action object to the guaranteed and maximum values set in the Global Priority Queue table for the selected priority level. When the Type changes back to WAN, the guaranteed and maximum settings are returned to their custom settings in the action object. The firewall stores your previous guaranteed and maximum values if you switch the Bandwidth Management Type back and forth. Figure 56:15 shows a policy that has a custom BWM action, while the global Bandwidth Management Type is set to WAN.

Figure 56:15   Custom BWM Action in Policy with BWM Type of WAN

Figure 56:16 shows the same policy after the global Bandwidth Management Type is set to Global. Only the Priority appears in the tooltip, because no values are set in the Global Priority Queue for guaranteed or maximum bandwidth for level 5.

Figure 56:16   Custom BWM Action in Policy with BWM Type of Global

When the Bandwidth Management Type is set to Global as in Figure 56:17, the Add/Edit Action Object screen provides the Bandwidth Priority option, but uses the values that are specified in the Priority table on the Firewall Settings > BWM page for Guaranteed Bandwidth and Maximum Bandwidth. The Per Action or Per Policy Bandwidth Aggregation Method options are not available for Action Objects when Bandwidth Management Type is set to Global.

Figure 56:17   Bandwidth Management Type Global on Firewall Settings > BWM

Figure 56:18 shows the Bandwidth Priority selections in the Add/Edit Action Objects screen when the global Bandwidth Management Type is set to Global on the Firewall Settings > BWM page.

Figure 56:18   Add/Edit Action Objects Page with BWM Type Global

Note         All priorities are displayed (Realtime through Lowest) regardless of whether all of them have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the level 4 priority (Medium). For a BWM Type of WAN, the default priority is level 7 (Low).

When the Bandwidth Management Type is set to WAN as in Figure 56:19, the Add/Edit Action Object screen provides Per Action or Per Policy Bandwidth Aggregation Method options and you can specify values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.

Figure 56:19    Bandwidth Management Type WAN on Firewall Settings > BWM

Figure 56:20 shows the Bandwidth Priority selections in the Add/Edit Action Objects screen when the global Bandwidth Management Type is set to WAN on the Firewall Settings > BWM page.

In this case, when configuring a Bandwidth Management action, you can select either Per Action or Per Policy, as shown in Figure 56:20. Per Policy means that when you create a limit of 10 Mbps in an Action Object, and three different policies use the Action Object, then each policy can consume up to 10 Mbps of bandwidth. Per Action means that the three policies combined can only use 10 Mbps.

Figure 56:20   Per Action or Per Policy Bandwidth Management

When using Per Action, multiple policies are subject to a single aggregate bandwidth management setting when they share the same action. For example, consider the following two App Rules policies:

If these two policies share the same bandwidth management Action (500 Kbit/sec max bandwidth):

The predefined BWM High, BWM Medium, and BWM Low actions are all Per Action. In releases previous to SonicOS 5.8, all Bandwidth Management actions were implicitly set to Per Policy, but now you have a choice.
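To make the difference between the two aggregation methods concrete, here is an added worked example (not SonicOS code) that models a 10 Mbps BWM action shared by three constructed policies with token buckets, once as Per Policy and once as Per Action; the policy names, the token-bucket model and the one-packet-per-millisecond offered load per policy are assumptions of the example.

```python
"""Per Action vs Per Policy bandwidth aggregation, modelled with token buckets.

Constructed model (not SonicOS code): three App Rules policies share one BWM
action object whose maximum bandwidth is 10 Mbps; each policy offers one
1500-byte packet per millisecond (12 Mbps) for one second.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class BwmAction:
    name: str
    max_kbps: int
    aggregation: str  # "per_action" (one shared limit) or "per_policy" (limit per policy)


@dataclass(frozen=True)
class Policy:
    name: str
    action: BwmAction


class TokenBucket:
    """Simple token bucket; time is measured in whole milliseconds."""

    def __init__(self, max_kbps: int, burst_bytes: int) -> None:
        self.rate_bytes_per_ms = max_kbps / 8      # kbit/s -> bytes per ms
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = 0

    def admit(self, now_ms: int, size: int) -> bool:
        refill = (now_ms - self.last_ms) * self.rate_bytes_per_ms
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class Shaper:
    """Chooses the bucket a packet is charged to, according to the aggregation method."""

    def __init__(self, burst_bytes: int = 3000) -> None:
        self.burst = burst_bytes
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}

    def bucket_for(self, policy: Policy) -> TokenBucket:
        act = policy.action
        # Per Action: every policy that uses the action shares a single bucket.
        # Per Policy: each policy gets its own bucket with the full limit.
        key = (act.name, "") if act.aggregation == "per_action" else (act.name, policy.name)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(act.max_kbps, self.burst)
        return self.buckets[key]

    def forward(self, now_ms: int, policy: Policy, size: int) -> bool:
        return self.bucket_for(policy).admit(now_ms, size)


def simulate(aggregation: str, duration_ms: int = 1000, pkt_bytes: int = 1500) -> Dict[str, int]:
    """Return bytes admitted per policy over the simulated period."""
    action = BwmAction("limit-10mbps", max_kbps=10_000, aggregation=aggregation)
    # Constructed policy names; each offers one packet every millisecond.
    policies = [Policy(n, action) for n in ("mp3-downloads", "exe-downloads", "p2p-bulk")]
    shaper = Shaper()
    admitted = {p.name: 0 for p in policies}
    for now_ms in range(duration_ms):
        for p in policies:
            if shaper.forward(now_ms, p, pkt_bytes):
                admitted[p.name] += pkt_bytes
    return admitted


if __name__ == "__main__":
    for mode in ("per_policy", "per_action"):
        result = simulate(mode)
        print(mode, result, "total Mbps:", sum(result.values()) * 8 / 1e6)
```

With Per Policy every policy receives close to the full 10 Mbps, so the three together consume roughly 30 Mbps; with Per Action the three share 10 Mbps in total, and how that total is split between them depends on arrival order (the fixed round-robin of this simulation favours the first policy).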

Application layer bandwidth management configuration is handled in the same way as the Ethernet bandwidth management configuration associated with Firewall > Access Rules. Both are tied in with the global bandwidth management settings. However, with Application Control you can specify all content type, which you cannot do with access rules.

Note         When the Bandwidth Management Type on the Firewall Settings > BWM page is set to WAN, bandwidth management policies defined with Firewall > Access Rules always have priority over application layer bandwidth management policies. Thus, if an access rule bandwidth management policy is applied to a certain connection, then an application layer bandwidth management policy will never be applied to that connection. When the Bandwidth Management Type is set to Global, the reverse is true, giving App Control bandwidth management policies priority over Firewall Access Rule bandwidth management policies.

For a bandwidth management use case, as an administrator you might want to limit .mp3 and executable file downloads during work hours to no more than 1 Mbps. At the same time, you want to allow downloads of productive file types such as .doc or .pdf up to the maximum available bandwidth, or even give the highest possible priority to downloads of the productive content. As another example, you might want to limit bandwidth for a certain type of peer-to-peer (P2P) traffic, but allow other types of P2P to use unlimited bandwidth. Application layer bandwidth management allows you to create policies to do this.

Actions Using Packet Monitoring

When the predefined Packet Monitor action is selected for a policy, SonicOS will capture or mirror the traffic according to the settings you have configured on the Dashboard > Packet Monitor or System > Packet Monitor page. The default is to create a capture file, which you can view with Wireshark. Once you have configured a policy with the Packet Monitor action, you still need to click Start Capture on the Packet Monitor page to actually capture any packets. After you have captured the desired packets, click Stop Capture.

To control the Packet Monitor action to capture only the packets related to your policy, click Configure on the Packet Monitor page and select Enable Filter based on the firewall/app rule on the Monitor Filter tab (see Figure 56:21). In this mode, after you click Start Capture on the Packet Monitor page, packets are not captured until some traffic triggers the App Control policy (or Firewall Access Rule). You can see the Alert message in the Log > View page when the policy is triggered. This works when Packet Monitor is selected in App Control policies created with the Create Rule button or with the App Rules method using an action object, or in Firewall Access Rules, and allows you to specify configuration or filtering for what to capture or mirror. You can download the capture in different formats and look at it in a Web page, for example.

Figure 56:21   Packet Monitor - Monitor Filter Tab

To set up mirroring, go to the Mirror tab and pick an interface to which to send the mirrored traffic in the Mirror filtered packets to Interface (NSA platforms only) field under Local Mirroring Settings. You can also configure one of the Remote settings. This allows you to mirror the application packets to another computer and store everything on the hard disk. For example, you could capture everyone’s MSN Instant Messenger traffic and read the conversations.

See the “Configuring Packet Monitor” section on page 98 for more information about Packet Monitor configuration.

Create Rule from App Flow Monitor

The Dashboard > App Flow Monitor page provides a Create Rule button. If, while viewing the App Flow Monitor, you see an application that seems suspicious or is using excessive amounts of bandwidth, you can simply select the application in the list, then click Create Rule and configure an App Control policy for it immediately. You can also select multiple applications and then use Create Rule to configure a policy that applies to all of them.

Note         General applications cannot be selected. Service type applications and signature type applications cannot be mixed in a single rule.

Figure 56:22 shows the Create Rule window displayed over the Dashboard > App Flow Monitor page.

Figure 56:22   Dashboard > App Flow Monitor Page with Create Rule Window

The Create Rule feature is available from App Flow Monitor on the list view page setting. The Create Rule button is visible, but disabled, on the pie chart and graphical monitoring views.

You can configure the following types of policies in the Create Rule window:

Note        Bandwidth management must be enabled on each interface where you want to use it. You can configure interfaces from the Network > Interfaces page.

After you select the desired action for the rule and then click Create Rule within the Create Rule window, an App Control policy is automatically created and added to the App Rules Policies table on the Firewall > App Rules page.

The Create Rule window contains a Configure button next to the Bandwidth Manage section that takes you to the Firewall Settings > BWM page where you can configure the Global Priority Queue. For more information about global bandwidth management and the Firewall Settings > BWM page, see Actions Using Bandwidth Management. The Bandwidth Manage options you see in the Create Rule window reflect the options that are enabled in the Global Priority Queue. The default values are:

App Control Advanced Policy Creation

The configuration method on the Firewall > App Control Advanced page allows granular control of specific categories, applications, or signatures. This includes granular logging control, granular inclusion and exclusion of users, groups, or IP address ranges, and schedule configuration. The settings here are global policies and independent from any custom App Rules policy. The Firewall > App Control Advanced page is shown below.

You can configure the following settings on this page:

While these application control settings are independent from App Rules policies, you can also create application match objects for any of the categories, applications, or signatures available here or on the Firewall > Match Objects page, and use those match objects in an App Rules policy. This allows you to use the wide array of actions and other configuration settings available with Application Control. See Application List Objects for more information about this policy-based user interface for application control.

App Rules Policy Creation

You can use Application Control to create custom App Rules policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions. When you create a policy, you first create a match object, then select and optionally customize an action, then reference these when you create the policy.

In the Firewall > App Rules page, you can access the Policy Settings screen, shown below for a Policy Type of SMTP Client. The screen changes depending on the Policy Type you select.

Some examples of policies include:

When you create a policy, you select a policy type. Each policy type specifies the values or value types that are valid for the source, destination, match object type, and action fields in the policy. You can further define the policy to include or exclude specific users or groups, select a schedule, turn on logging, and specify the connection side as well as basic or advanced direction types. A basic direction type simply indicates inbound or outbound. An advanced direction type allows zone to zone direction configuration, such as from the LAN to the WAN.

The following table describes the characteristics of the available App Rules policy types.

| Policy Type | Description | Valid Source Service / Default | Valid Destination Service / Default | Valid Match Object Type | Valid Action Type | Connection Side |
|---|---|---|---|---|---|---|
| App Control Content | Policy using dynamic Application Control related objects for any application layer protocol | N/A | N/A | Application Category List, Application List, Application Signature List | Reset/Drop, No Action, Bypass DPI, Packet Monitor, BWM Global-*, WAN BWM * | N/A |
| CFS | Policy for content filtering | N/A | N/A | CFS Category List | CFS Block Page, Packet Monitor, No Action, BWM Global-*, WAN BWM * | N/A |
| Custom Policy | Policy using custom objects for any application layer protocol; can be used to create IPS-style custom signatures | Any / Any | Any / Any | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side, Server Side, Both |
| FTP Client | Any FTP command transferred over the FTP control channel | Any / Any | FTP Control / FTP Control | FTP Command, FTP Command + Value, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side |
| FTP Client File Upload Request | An attempt to upload a file over FTP (STOR command) | Any / Any | FTP Control / FTP Control | Filename, file extension | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side |
| FTP Client File Download Request | An attempt to download a file over FTP (RETR command) | Any / Any | FTP Control / FTP Control | Filename, file extension | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side |
| FTP Data Transfer Policy | Data transferred over the FTP Data channel | Any / Any | Any / Any | File Content Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Both |
| HTTP Client | Policy which is applicable to Web browser traffic or any HTTP request that originates on the client | Any / Any | Any / HTTP (configurable) | HTTP Host, HTTP Cookie, HTTP Referrer, HTTP Request Custom Header, HTTP URI Content, HTTP User Agent, Web Browser, File Name, File Extension Custom Object | Reset/Drop, Bypass DPI, Packet Monitor (a), No Action, BWM Global-*, WAN BWM * | Client Side |
| HTTP Server | Response originated by an HTTP Server | Any / HTTP (configurable) | Any / Any | ActiveX Class ID, HTTP Set Cookie, HTTP Response, File Content Object, Custom Header, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Server Side |
| IPS Content | Policy using dynamic Intrusion Prevention related objects for any application layer protocol | N/A | N/A | IPS Signature Category List, IPS Signature List | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | N/A |
| POP3 Client | Policy to inspect traffic generated by a POP3 client; typically useful for a POP3 server admin | Any / Any | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side |
| POP3 Server | Policy to inspect email downloaded from a POP3 server to a POP3 client; used for email filtering | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Any / Any | Email Body, Email CC, Email From, Email To, Email Subject, File Name, File Extension, MIME Custom Header | Reset/Drop, Disable attachment, Bypass DPI, No action | Server Side |
| SMTP Client | Policy applies to SMTP traffic that originates on the client | Any / Any | SMTP (Send Email) / SMTP (Send Email) | Email Body, Email CC, Email From, Email To, Email Size, Email Subject, Custom Object, File Content, File Name, File Extension, MIME Custom Header | Reset/Drop, Block SMTP E-Mail Without Reply, Bypass DPI, Packet Monitor, No Action | Client Side |

(a) Packet Monitor action is not supported for File Name or File Extension Custom Object.

Match Objects

Match objects represent the set of conditions which must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, regex, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Match objects were referred to as application objects in previous releases.

Hexadecimal input representation is used to match binary content such as executable files, while alphanumeric (text) input representation is used to match things like file or email content. You can also use hexadecimal input representation for binary content found in a graphic image. Text input representation could be used to match the same graphic if it contains a certain string in one of its properties fields. Regular expressions (regex) are used to match a pattern rather than a specific string or value, and use alphanumeric input representation.

The maximum size for a match object is 8192 (8K) bytes. Regular expressions have their own limitations which are imposed during the compilation process. If the size of a regular expression grows too much during compilation, the compiler exits with an “abuse encountered” error message once the size exceeds the square of the initial regular expression size.

The File Content match object type provides a way to match a pattern or keyword within a compressed (zip/gzip) file. This type of match object can only be used with FTP Data Transfer, HTTP Server, or SMTP Client policies.

The following table describes the supported match object types.

| Object Type | Description | Match Types | Negative Matching | Extra Properties |
|---|---|---|---|---|
| ActiveX ClassID | Class ID of an Active-X component. For example, ClassID of Gator Active-X component is “c1fb8842-5281-45ce-a271-8fd5f117ba5f” | Exact | No | None |
| Application Category List | Allows specification of application categories, such as Multimedia, P2P, or Social Networking | N/A | No | None |
| Application List | Allows specification of individual applications within the application category that you select | N/A | No | None |
| Application Signature List | Allows specification of individual signatures for the application and category that you select | N/A | No | None |
| CFS Allow/Forbidden List | Allows specification of allowed and forbidden domains for Content Filtering | Exact, Partial, Regex, Prefix, Suffix | No | None |
| CFS Category List | Allows selection of one or more Content Filtering categories | N/A | No | A list of 64 categories is provided to choose from |
| Custom Object | Allows specification of an IPS-style custom set of conditions. | Exact, Regex | No | There are 4 additional, optional parameters that can be set: offset (the byte in the packet payload at which matching starts; counted from 1; helps minimize false positives in matching), depth (the byte in the packet payload at which matching stops; counted from 1), minimum payload size and maximum payload size. |
| Email Body | Any content in the body of an email. | Partial, Regex | No | None |
| Email CC (MIME Header) | Any content in the CC MIME Header. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| Email From (MIME Header) | Any content in the From MIME Header. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| Email Size | Allows specification of the maximum email size that can be sent. | N/A | No | None |
| Email Subject (MIME Header) | Any content in the Subject MIME Header. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| Email To (MIME Header) | Any content in the To MIME Header. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| MIME Custom Header | Allows for creation of MIME custom headers. | Exact, Partial, Regex, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| File Content | Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. | Partial, Regex | No | ‘Disable attachment’ action should never be applied to this object. |
| Filename | In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| Filename Extension | In cases of email, this is an attachment filename extension. In cases of HTTP, this is a filename extension of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename extension of an uploaded or downloaded file. | Exact | Yes | None |
| FTP Command | Allows selection of specific FTP commands. | N/A | No | None |
| FTP Command + Value | Allows selection of specific FTP commands and their values. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| HTTP Cookie Header | Allows specification of a Cookie sent by a browser. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| HTTP Host Header | Content found inside of the HTTP Host header. Represents hostname of the destination server in the HTTP request, such as www.google.com. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| HTTP Referrer Header | Allows specification of content of a Referrer header sent by a browser; this can be useful to control or keep stats of which Web sites redirected a user to the customer’s Web site. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| HTTP Request Custom Header | Allows handling of custom HTTP Request headers. | Exact, Partial, Regex, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| HTTP Response Custom Header | Allows handling of custom HTTP Response headers. | Exact, Partial, Regex, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| HTTP Set Cookie Header | Set-Cookie headers. Provides a way to disallow certain cookies to be set in a browser. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| HTTP URI Content | Any content found inside of the URI in the HTTP request. | Exact, Partial, Regex, Prefix, Suffix | No | None |
| HTTP URL | Any content found inside of either the HTTP Host header or the URI in the HTTP request. | Exact, Partial, Regex, Prefix, Suffix | No | None |
| HTTP User-Agent Header | Any content inside of a User-Agent header. For example: User-Agent: Skype. | Exact, Partial, Regex, Prefix, Suffix | Yes | None |
| Web Browser | Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome). | N/A | Yes | None |
| IPS Signature Category List | Allows selection of one or more IPS signature groups. Each group contains multiple pre-defined IPS signatures. | N/A | No | None |
| IPS Signature List | Allows selection of one or more specific IPS signatures for enhanced granularity. | N/A | No | None |

You can see the available types of match objects in a drop-down list in the Match Object Settings screen.

In the Match Object screen, you can add multiple entries to create a list of content elements to match. All content that you provide in a match object is case-insensitive for matching purposes. A hexadecimal representation is used to match binary content. You can use a hex editor or a network protocol analyzer like Wireshark to obtain hex format for binary files. For more information about these tools, see the following sections:

You can use the Load From File button to import content from predefined text files that contain multiple entries for a match object to match. Each entry in the file must be on its own line. The Load From File feature allows you to easily move Application Control settings from one SonicWALL security appliance to another.

Multiple entries, either from a text file or entered manually, are displayed in the List area. List entries are matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.

A match object can include a total of no more than 8000 characters. If each element within a match object contains approximately 30 characters, then you can enter about 260 elements. The maximum element size is 8000 bytes.

Regular Expressions

You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings page provides a way to configure custom regular expressions or to select from predefined regular expressions. The SonicWALL implementation supports reassembly-free regular expression matching on network traffic. This means that no buffering of the input stream is required, and patterns are matched across packet boundaries.

Policies using regular expressions match the first occurrence of the pattern in network traffic, which allows the action to be taken on a match as soon as possible. Because matching is performed on network traffic and not only on human-readable text, the matchable alphabet is the entire ASCII character set (all 256 characters). Popular regular expression primitives such as ‘.’ (the any-character wildcard), *, ?, +, repetition counts, alternation, and negation are supported.

To maintain peak performance, certain regular expression features are not supported. Back-references are not supported because they cannot be matched in time linear in the network packet length. Substitution and translation are also not supported, because regular expressions are used only to inspect network traffic, never to modify any part of it.

Predefined regular expressions for U.S. social security numbers and VISA credit card numbers can be selected during configuration, or you can configure a custom regular expression. Regular expressions are parsed, and any that do not parse correctly will cause a syntax error to display at the bottom of the Match Object Settings window. After successful parsing, the regular expression is passed to a compiler to create the data-structures necessary for scanning network traffic in real time.

The compilation process can be lengthy and can consume extensive amounts of memory on the appliance for certain complex regular expressions. To prevent excessive impact to appliance management responsiveness, the compiler aborts the data-structure construction when its size exceeds the square of the regular expression size, and an “abuse encountered” error message displays on the window.

Note: During a lengthy compilation, the appliance management session may become temporarily unresponsive, while network traffic continues to pass through the appliance.

For example, a user creates a Regex Match object for a credit card number, with the following erroneous construction:

[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}

Using this object, he attempts to build a policy. After clicking OK, the appliance displays a “Please wait…” message, and the management session is unresponsive.

This behavior occurs because, in custom object and file content match objects, regular expressions are implicitly prefixed with a dot asterisk (.*). A dot (.) matches any of the 256 ASCII characters except ‘\n’. This fact, the match object type used, and the nature of the regular expression in combination caused the control plane to take a long time to complete compilation of the data structures.

The fix is to prefix the regular expression with \D, so that a non-digit character must precede the credit card number. This also makes the regular expression more accurate.

Additionally, the regular expression shown above does not accurately represent the intended credit card number. The regular expression in its current form can match several false positives, such as 1234 12341234 1234. A more accurate representation is the following:

\D[1-9][0-9]{3} [0-9]{4} [0-9]{4} [0-9]{4}

or

\D[1-9][0-9]{3}[0-9]{4}[0-9]{4}[0-9]{4}

which can be written more concisely as:

\D[1-9]\d{3}( \d{4}){3}

or

\D[1-9]\d{3}(\d{4}){3}

respectively.

These can be written as two regular expressions within one match object or can be further compressed into one regular expression such as:

\D[1-9]\d{3}(( \d{4}){3}|(\d{12}))

You can also capture credit card numbers with digits separated by a '-' with the following regular expression:

\D[1-9]\d{3}(( \d{4}){3}|(-\d{4}){3}|(\d{12}))

The preceding \D should be included in all of these regular expressions.
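As an added check that is not part of the SonicOS documentation, the following Python script runs the erroneous construction and the corrected patterns above against constructed sample text. Python's re module stands in for the appliance's engine here; these particular patterns use only syntax the two dialects share, and the sample numbers are made-up test values.

```python
import re

# Regular expressions quoted from the App Rules documentation above.
ORIGINAL = r"[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}"  # the erroneous construction
SPACED = r"\D[1-9]\d{3}( \d{4}){3}"                       # "1234 5678 9012 3456"
CONTIGUOUS = r"\D[1-9]\d{3}(\d{4}){3}"                    # "1234567890123456"
COMBINED = r"\D[1-9]\d{3}(( \d{4}){3}|(\d{12}))"
WITH_DASHES = r"\D[1-9]\d{3}(( \d{4}){3}|(-\d{4}){3}|(\d{12}))"

PATTERNS = {
    "original": ORIGINAL, "spaced": SPACED, "contiguous": CONTIGUOUS,
    "combined": COMBINED, "with_dashes": WITH_DASHES,
}

# Constructed sample content. The 4111... numbers are test values, not real cards.
SAMPLES = {
    "documented_false_positive": "1234 12341234 1234",     # the example from the text
    "spaced_number": "card: 4111 1111 1111 1111",
    "contiguous_number": "card=4111111111111111",
    "dashed_number": "id 4111-1111-1111-1111",
    # Nothing precedes this number, so the \D-prefixed patterns cannot match it.
    "number_at_stream_start": "4111 1111 1111 1111 is the number",
}


def first_match(pattern, content):
    """Return the first occurrence of pattern in content, or None.

    The appliance implicitly prefixes the pattern with .* and acts on the first
    occurrence in the traffic; re.search() gives the same leftmost behaviour here.
    """
    m = re.search(pattern, content)
    return m.group(0) if m else None


def matches_for(sample_name):
    """Run every pattern against one constructed sample; maps pattern name to match text."""
    content = SAMPLES[sample_name]
    return {name: first_match(p, content) for name, p in PATTERNS.items()}


def false_positive_removed():
    """True when every corrected pattern rejects the false positive that the
    original construction accepts."""
    res = matches_for("documented_false_positive")
    corrected = ("spaced", "contiguous", "combined", "with_dashes")
    return res["original"] is not None and all(res[n] is None for n in corrected)


if __name__ == "__main__":
    for name in SAMPLES:
        print(name)
        for pat, hit in matches_for(name).items():
            print(f"  {pat:12s} -> {hit!r}")
```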

Regular Expression Syntax Tables

The following tables show the syntax used in building regular expressions.

Table 1: Single Characters

Representation   Definition
.                Any character except ‘\n’. Use the /s (stream mode, also known as single-line mode) modifier to match ‘\n’ too.
[xyz]            Character class. Can also contain escaped characters. Special characters do not need to be escaped, as they have no special meaning within brackets [ ].
[^xyz]           Negated character class.
\xdd             Hex input. “dd” is the hexadecimal value for the character. Two digits are mandatory. For example, \r is \x0d and not \xd.
[a-z][0-9]       Alphanumeric range (non-alphanumeric range is not supported).

Table 2: Composites

Representation   Definition
xy               x followed by y
x|y              x or y
(x)              Equivalent to x. Can be used to override precedence.

Table 3: Repetitions

Representation   Definition
x*               Zero or more x
x?               Zero or one x
x+               One or more x
x{n, m}          Minimum of n and maximum of m sequential x’s. All numbered repetitions are expanded, so making m unreasonably large is ill-advised.
x{n}             Exactly n x’s
x{n,}            Minimum of n x’s
x{,n}            Maximum of n x’s

Table 4: Escape Sequences

Representation                              Definition
\a, \b, \f, \t, \n, \r, \v                  C programming language escape sequences.
\x                                          Hexadecimal input. \x followed by two digits denotes the hexadecimal value for the intended character.
\*, \?, \+, \(, \), \[, \], \{, \}, \\, \/  Escape any special character.

Table 5: Perl-like Character Classes

Representation   Definition
\d, \D           Digits, non-digits.
\z, \Z           Non-zero digits ([1-9]), all other characters.
\s, \S           White space, non-white space. Equivalent to [\t\n\f\r]. \v is not included in Perl white space.
\w, \W           Word characters, non-word characters. Equivalent to [0-9A-Za-z_].

Table 6: Other ASCII Character Class Primitives

If you want...   ... then use   Definition
[:cntrl:]        \c, \C         Control characters. [\x00-\x1F\x7F]
[:digit:]        \d, \D         Digits, non-digits. Same as the Perl character class.
[:graph:]        \g, \G         Any printable character except space.
[:xdigit:]       \h, \H         Any hexadecimal digit. [a-fA-F0-9]. Note that this differs from the Perl \h, which means a horizontal space.
[:lower:]        \l, \L         Any lower case character.
[:ascii:]        \p, \P         Positive, negative ASCII characters. [0x00-0x7F], [0x80-0xFF]
[:upper:]        \u, \U         Any upper case character.

Some of the other popular character classes can be built from the above primitives. The following classes do not have their own shorthand because none of the remaining letters makes a good mnemonic for them.

Table 7: Compound Character Classes

If you want...   ... then use          Definition
[:alnum:]        [\l\u\d]              The set of all letters and digits.
[:alpha:]        [\l\u]                The set of all letters.
[:blank:]        [\t<space>]           The class of blank characters: tab and space.
[:print:]        [\g<space>]           The class of all printable characters: all graphical characters including space.
[:punct:]        [^\P\c<space>\d\u\l]  The class of all punctuation characters: no negative ASCII characters, no control characters, no space, no digits, no upper or lower case characters.
[:space:]        [\s\v]                All white space characters. Includes Perl white space and the vertical tab character.

Table 8: Modifiers

Representation   Definition
/i               Case-insensitive.
/s               Treat input as a single line. Can also be thought of as stream mode; that is, ‘.’ matches ‘\n’ too.

Table 9: Operators in Decreasing Order of Precedence

Operators          Associativity
[ ], [^]           Left to right
()                 Left to right
*, +, ?            Left to right
. (Concatenation)  Left to right
|                  Left to right

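Because \z, \h, \c and the other shorthands in Tables 5 to 7 are SonicOS-specific (Python's re module rejects \z and \h, treats \b as a word boundary and gives \s a wider meaning), a match object pattern cannot simply be pasted into Python to test it. The following translator is an added example, not part of SonicOS or its documentation: it rewrites the character-class and escape syntax of Tables 1 to 7 into equivalent Python classes, so a pattern can be tried against sample content before it is committed to a match object. The byte ranges for \g are taken to be 0x21 to 0x7E, the usual meaning of "printable except space".

```python
import re
# Byte sets for the SonicOS shorthand classes of Tables 5 and 6; \d, \s and \w are
# listed too, because SonicOS defines them as fixed ASCII sets (\s has no \v).
def _span(lo, hi):
    return set(range(lo, hi + 1))

SHORTHAND = {
    "d": _span(0x30, 0x39), "z": _span(0x31, 0x39),   # digits, non-zero digits
    "s": {0x09, 0x0A, 0x0C, 0x0D},                    # Perl white space without \v
    "w": _span(0x30, 0x39) | _span(0x41, 0x5A) | _span(0x61, 0x7A) | {0x5F},
    "c": _span(0x00, 0x1F) | {0x7F},                  # control characters
    "g": _span(0x21, 0x7E),                           # printable except space (assumed ASCII range)
    "h": _span(0x30, 0x39) | _span(0x41, 0x46) | _span(0x61, 0x66),  # hex digits
    "l": _span(0x61, 0x7A), "u": _span(0x41, 0x5A),   # lower case, upper case
    "p": _span(0x00, 0x7F),                           # "positive" ASCII
}
ALL_BYTES = _span(0x00, 0xFF)
C_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11}

def _shorthand_set(letter):  # lower case selects the class, upper case its complement
    return SHORTHAND[letter.lower()] if letter.islower() else ALL_BYTES - SHORTHAND[letter.lower()]

def _read_char(s, i):  # one literal, possibly escaped, character at s[i] -> (code, next index)
    if s[i] != "\\":
        return ord(s[i]), i + 1
    esc = s[i + 1]
    if esc == "x":                                    # \xdd, two digits mandatory (Table 1)
        return int(s[i + 2:i + 4], 16), i + 4
    return (C_ESCAPES[esc] if esc in C_ESCAPES else ord(esc)), i + 2

def _parse_class(s, i):  # bracket expression starting just after '[' -> (set, index after ']')
    negate = s[i] == "^"
    i += 1 if negate else 0
    members = set()
    while s[i] != "]":
        if s[i] == "\\" and s[i + 1].lower() in SHORTHAND:
            members |= _shorthand_set(s[i + 1])
            i += 2
            continue
        lo, i = _read_char(s, i)
        if s[i] == "-" and s[i + 1] != "]":           # range such as a-z or \x00-\x1F
            hi, i = _read_char(s, i + 1)
            members |= _span(lo, hi)
        else:
            members.add(lo)
    return (ALL_BYTES - members if negate else members), i + 1

def _render(members):  # emit a Python character class listing the byte set as hex ranges
    codes = sorted(members)
    parts, start, prev = [], codes[0], codes[0]
    for c in codes[1:] + [None]:
        if c is not None and c == prev + 1:
            prev = c
            continue
        parts.append(f"\\x{start:02x}" + (f"-\\x{prev:02x}" if prev != start else ""))
        start = prev = c
    return "[" + "".join(parts) + "]"

def to_python_regex(pattern):
    """Rewrite SonicOS classes and escapes (Tables 1 to 7) so Python's re accepts them.
    Repetition, alternation and grouping are identical and are copied through; the /i
    and /s modifiers of Table 8 are not handled."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":
            members, i = _parse_class(pattern, i + 1)
            out.append(_render(members))
        elif ch == "\\":
            esc = pattern[i + 1]
            if esc.lower() in SHORTHAND:
                out.append(_render(_shorthand_set(esc)))
            elif esc in C_ESCAPES:                    # \b is a backspace here, not Python's word boundary
                out.append(f"\\x{C_ESCAPES[esc]:02x}")
            else:                                     # \xdd and escaped metacharacters mean the same in Python
                out.append(pattern[i:i + 2])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def sonicos_fullmatch(pattern, content):  # True when the whole content matches the SonicOS pattern
    return re.fullmatch(to_python_regex(pattern), content) is not None
```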

Negative Matching

Negative matching provides an alternate way to specify which content to block. You can enable negative matching in a match object when you want to block everything except a particular type of content. When you use the object in a policy, the policy will execute actions based on absence of the content specified in the match object. Multiple list entries in a negative matching object are matched using the logical AND, meaning that the policy action is executed only when all specified negative matching entries are matched.

Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using negative matching. For instance, you can allow email .txt attachments and block attachments of all other file types. Or you can allow a few types, and block all others.

Not all match object types can utilize negative matching. For those that can, you will see the Enable Negative Matching checkbox on the Match Object Settings screen.
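The OR semantics of an ordinary match object list and the AND semantics of negative matching described above can be modelled directly. The following Python is an added example, not SonicOS code: the match objects in it are constructed for illustration, and the Regex type uses Python's re module rather than the appliance's own engine.

```python
import re

# Match types offered for the text-based object types in the table above.
MATCH_TYPES = ("Exact", "Partial", "Regex", "Prefix", "Suffix")


def entry_matches(match_type, entry, content):
    """Test one list entry against one piece of extracted content (a filename
    extension, a Host header value, ...). Comparisons are case-insensitive, as the
    documentation states for match object content. Regex uses Python's re module;
    the appliance's reassembly-free engine has its own dialect (see the tables)."""
    c, e = content.lower(), entry.lower()
    if match_type == "Exact":
        return c == e
    if match_type == "Partial":
        return e in c
    if match_type == "Prefix":
        return c.startswith(e)
    if match_type == "Suffix":
        return c.endswith(e)
    if match_type == "Regex":
        return re.search(entry, content, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type}")


class MatchObject:
    def __init__(self, name, match_type, entries, negative=False):
        if match_type not in MATCH_TYPES:
            raise ValueError(f"unknown match type: {match_type}")
        self.name, self.match_type, self.entries = name, match_type, list(entries)
        self.negative = negative        # the "Enable Negative Matching" checkbox

    def triggers_action(self, content):
        """Decide whether a policy built on this object executes its action.
        Normal list: logical OR, any matching entry triggers the action.
        Negative matching: logical AND of the negated entries, so the action
        executes only when none of the entries is present in the content."""
        hits = [entry_matches(self.match_type, e, content) for e in self.entries]
        return not any(hits) if self.negative else any(hits)


# Constructed objects for illustration (not shipped with the product).
# Deny policy: block executable attachments by filename extension (OR over the list).
block_exe_types = MatchObject("exe_types", "Exact", ["exe", "scr", "bat"])
# Simulated ALLOW policy from the text: permit only .txt and .pdf attachments by
# blocking every other extension through negative matching.
allow_only_docs = MatchObject("docs_only", "Exact", ["txt", "pdf"], negative=True)
# Host header object with prefix matching; letter case does not matter.
host_prefix = MatchObject("hosts", "Prefix", ["www.example."])


def evaluate(obj, samples):
    """Map each sample content value to whether the policy action would execute."""
    return {s: obj.triggers_action(s) for s in samples}


if __name__ == "__main__":
    for obj in (block_exe_types, allow_only_docs, host_prefix):
        print(obj.name, evaluate(obj, ["exe", "TXT", "pdf", "docx", "WWW.EXAMPLE.COM"]))
```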


Application List Objects

The Firewall > Match Objects page also contains the Add Application List Object button, which opens the Create Match Object screen. This screen provides two tabs:

Application Filters

The Application tab provides a list of applications for selection. You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies. You can also search for a keyword in all application names by typing it into the Search field near the top right of the display. For example, type “bittorrent” into the Search field and click the Search icon to find multiple applications with “bittorrent” (not case-sensitive) in the name.

When the application list has been reduced to one focused on your preferences, you can select the individual applications for your filter by clicking the Plus icon next to them, and then save your selections as an application filter object with a custom name or an automatically generated name. The image below shows the screen with all categories, threat levels, and technologies selected, but before any individual applications have been chosen.

(Image: AppCtrl_application_filter.png)

As you select the applications for your filter, they appear in the Application Group field on the right. You can edit the list in this field by deleting individual items or by clicking the eraser to delete all items. The image below shows several applications in the Application Group field. The selected applications are also marked with a green checkmark icon in the application list on the left side.

(Image: AppCtrl_application_filter2.png)

When finished selecting the applications to include, you can type in a name for the object in the Match Object Name field (first, clear the Auto-generate match object name checkbox) and click the Save Application Match Object button. You will see the object name listed on the Firewall > Match Objects page with an object type of Application List. This object can then be selected when creating an App Rules policy.

Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

Category Filters

The Category tab provides a list of application categories for selection. You can select any combination of categories and then save your selections as a category filter object with a custom name. The image below shows the screen with the description of the IM category displayed.

(Image: AppCtrl_category_filter.png)

You can hover your mouse pointer over each category in the list to see a description of it. To create a custom category filter object, simply type in a name for the object in the Match Object Name field (first, clear the Auto-generate match object name checkbox), select one or more categories, and click the Save Category Match Object button. You will see the object name listed on the Firewall > Match Objects page with an object type of Application Category List. This object can then be selected when creating an App Rules policy.

Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

Action Objects

Action Objects define how the App Rules policy reacts to matching events. You can choose a customizable action or select one of the predefined, default actions.

The predefined actions are displayed in the App Control Policy Settings page when you add or edit a policy from the App Rules page.

A number of BWM action options are also available in the predefined, default action list. The BWM action options change depending on the Bandwidth Management Type setting on the Firewall Settings > BWM page. If the Bandwidth Management Type is set to Global, all eight levels of BWM are available. If the Bandwidth Management Type is set to WAN, the predefined actions list includes three levels of WAN BWM. For more information about BWM actions, see Actions Using Bandwidth Management.

The following table shows predefined default actions that are available when adding a policy.

Always Available   If BWM Type = Global     If BWM Type = WAN
Reset / Drop       BWM Global-Realtime      WAN BWM High
No Action          BWM Global-Highest       WAN BWM Medium
Bypass DPI         BWM Global-High          WAN BWM Low
Packet Monitor     BWM Global-Medium High
                   BWM Global-Medium
                   BWM Global-Medium Low
                   BWM Global-Low
                   BWM Global-Lowest

The following customizable actions are displayed in the Add/Edit Action Object window when you click Add New Action Object on the Firewall > Action Objects page:

See the table below for descriptions of these action types.

Note that only the customizable actions are available for editing in the Action Object Settings window, shown in the image below. The predefined actions cannot be edited or deleted. When you create a policy, the Policy Settings screen provides a way for you to select from the predefined actions along with any customized actions that you have defined.

The following table describes the available action types.

| Action Type | Description | Predefined or Custom |
| BWM Global-Realtime | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of zero. | Predefined |
| BWM Global-Highest | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of one. | Predefined |
| BWM Global-High | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts (default is 30%) and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of two. | Predefined |
| BWM Global-Medium High | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of three. | Predefined |
| BWM Global-Medium | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts (default is 50%) and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of four. | Predefined |
| BWM Global-Medium Low | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of five. | Predefined |
| BWM Global-Low | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts (default is 20%) and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of six. | Predefined |
| BWM Global-Lowest | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth; sets a priority of seven. | Predefined |
| Bypass DPI | Bypasses the Deep Packet Inspection components IPS, GAV, Anti-Spyware and Application Control. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels, which are never bypassed for Application Control inspection; this action supports proper handling of the FTP data channel. Note that Bypass DPI does not stop filters that are enabled on the Firewall Settings > SSL Control page. | Predefined |
| No Action | Policies can be specified without any action. This allows “log only” policy types. | Predefined |
| Packet Monitor | Uses the SonicOS Packet Monitor capability to capture the inbound and outbound packets in the session or, if mirroring is configured, to copy the packets to another interface. The capture can be viewed and analyzed with Wireshark. | Predefined |
| Reset / Drop | For TCP, the connection is reset. For UDP, the packet is dropped. | Predefined |
| WAN BWM High | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth. | Predefined |
| WAN BWM Medium | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth. | Predefined |
| WAN BWM Low | Manages inbound and outbound bandwidth; can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth. | Predefined |
| Block SMTP Email - Send Error Reply | Blocks SMTP email and notifies the sender with a customized error message. | Custom |
| Disable Email Attachment - Add Text | Disables the attachment inside an email and adds customized text. | Custom |
| Email - Add Text | Appends custom text at the end of the email. | Custom |
| FTP Notification Reply | Sends text back to the client over the FTP control channel without terminating the connection. | Custom |
| HTTP Block Page | Allows a custom HTTP block page configuration with a choice of colors. | Custom |
| HTTP Redirect | Provides HTTP Redirect functionality. For example, to redirect users to the Google Web site, the customizable part would be: http://www.google.com. If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information in the form is lost. | Custom |
| Bandwidth Management | Allows definition of bandwidth management constraints with the same semantics as an Access Rule BWM policy definition. | Custom |

A priority setting of zero is the highest priority. Guaranteed bandwidth for all levels of BWM combined must not exceed 100%.

For a Bandwidth Management Type of WAN, total available bandwidth is defined by the values entered for Available Interface Egress/Ingress Bandwidth when configuring the WAN interface from the Network > Interfaces page. See Configuring Application Layer Bandwidth Management for more information.

Email Address Objects

Application Control allows the creation of custom email address lists as email address objects. You can only use email address objects in an SMTP client policy configuration. Email address objects can represent either individual users or the entire domain. You can also create an email address object that represents a group by adding a list of individual addresses to the object. This provides a way to easily include or exclude a group of users when creating an SMTP client policy.

For example, you can create an email address object to represent the support group:

After you define the group in an email address object, you can create an SMTP client policy that includes or excludes the group.

In the screenshot below, the settings exclude the support group from a policy that prevents executable files from being attached to outgoing email. You can use the email address object in either the MAIL FROM or RCPT TO fields of the SMTP client policy. The MAIL FROM field refers to the sender of the email. The RCPT TO field refers to the intended recipient.

Although Application Control cannot extract group members directly from Outlook Exchange or similar applications, you can use the member lists in Outlook to create a text file that lists the group members. Then when you create an email address object for this group, you can use the Load From File button to import the list from your text file. Be sure that each email address is on a line by itself in the text file.

Licensing Application Control

Application Intelligence and Control has two components:

App Visualization and App Control are licensed together in a bundle with other security services including SonicWALL Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS).

Note: Upon registration on MySonicWALL, or when you load SonicOS 5.8 onto a registered SonicWALL device, supported SonicWALL appliances begin an automatic 30-day trial license for App Visualization and App Control, and application signatures are downloaded to the appliance.

A free 30-day trial is also available for the other security services in the bundle, but it is not automatically enabled as it is for App Visualization and App Control. You can start the additional free trials on the individual Security Services pages in SonicOS, or on MySonicWALL.

Once the App Visualization feature is manually enabled on the Log > Flow Reporting page (see the screenshot below), you can view real-time application traffic on the Dashboard > Real-Time Monitor page and application activity in other Dashboard pages for the identified/classified flows from the SonicWALL application signature database.

(Image: AppVisualization_enabled.png)

To begin using App Control, you must enable it on the Firewall > App Control Advanced page. See the screenshot below.

(Image: AppControl_enabled.png)

To create policies using App Rules (included with the App Control license), select Enable App Rules on the Firewall > App Rules page. See the screenshot below.

(Image: AppRules_enabled.png)

The SonicWALL Licensing server provides the App Visualization and App Control license keys to the SonicWALL device when you begin a 30-day trial (upon registration) or purchase a Security Services license bundle.

Licensing is available on www.mysonicwall.com on the Service Management - Associated Products page under GATEWAY SERVICES.

The Security Services license bundle includes licenses for the following subscription services:

Application signature updates and signature updates for other Security Services are periodically downloaded to the SonicWALL appliance as long as these services are licensed.

Note: If you disable Visualization in the SonicOS management interface, application signature updates are discontinued until the feature is enabled again.

When High Availability is configured between two SonicWALL appliances, the appliances can share the Security Services license. To use this feature, you must register the SonicWALL appliances on MySonicWALL as Associated Products. Both appliances must be the same SonicWALL model.

Note: For a High Availability pair, even if you first register your appliances on MySonicWALL, you must individually register both the Primary and the Backup appliances from the SonicOS management interface while logged into the individual management IP address of each appliance. This allows the Backup unit to synchronize with the SonicWALL license server and share licenses with the associated Primary appliance. When Internet access is restricted, you can manually apply the shared licenses to both appliances.

Note: App Visualization and App Control are not supported on the SonicWALL TZ 200 or 100 series appliances. These features are supported on SonicWALL TZ 210 series appliances, and on SonicWALL NSA appliances except the NSA 2400MX.