Configuring Bandwidth Objects

Bandwidth management configuration is based on policies which specify bandwidth limitations for traffic classes. A complete bandwidth management policy consists of two parts: a classifier and a bandwidth rule.

A classifier specifies the actual parameters, such as priority, guaranteed bandwidth, and maximum bandwidth, and is configured in a bandwidth object. Classifiers identify and organize packets into traffic classes by matching specific criteria.

This feature is available in SonicOS 6.1 and above.

The following configuration options are available in the Bandwidth Objects list:

• Select bandwidth objects using the checkboxes next to the name of the objects. You can also select all objects by clicking the checkbox in the header.

• Edit bandwidth objects by clicking the Edit icon for that object.

• Delete bandwidth objects by clicking the Delete icon for that object. You can also select multiple objects, then click the Delete Bandwidth Object(s) link.

• Hover the pointer over the Comment icon to display comments about the bandwidth object.


This section contains the following subsections:

Search for a Bandwidth Object

Adding a Bandwidth Object

 

Search for a Bandwidth Object

1. Click the Search drop-down menus and select from the following search filters:

• Menu 1: Name, Violation Action, Per-IP, Comment

• Menu 2: Equals, Starts With, Ends With, Contains

2. Enter the search criteria (for the filters you selected) in the text field, and then click the Search button.

Adding a Bandwidth Object

1. Click the Add New Bandwidth Object link.


2. Enter a name for the new bandwidth object.

3. In the Guaranteed Bandwidth box, enter the amount of bandwidth that this bandwidth object will guarantee to provide for a traffic class (in kbps or Mbps).

4. In the Maximum Bandwidth box, enter the maximum amount of bandwidth that this bandwidth object will provide for a traffic class. The actual allocated bandwidth may be less than this value when multiple traffic classes compete for a shared bandwidth.

5. In the Traffic Priority box, enter the priority that this bandwidth object will provide for a traffic class. The highest priority is 0. The lowest priority is 7. When multiple traffic classes compete for shared bandwidth, classes with the highest priority are given precedence.

6. In the Violation Action box, enter the action that this bandwidth object will provide (delay or drop) when traffic exceeds the maximum bandwidth setting.

• Delay specifies that excess traffic packets will be queued and sent when possible.

• Drop specifies that excess traffic packets will be dropped immediately.

7. In the Comment box, enter a text comment or description for this bandwidth object.

8. Click the Elemental tab.

9. To apply the bandwidth management setting to each individual IP address under its parent rule, click the Enable Per-IP Bandwidth Management checkbox.

10. Enter the desired Maximum Bandwidth in Kbps or Mbps.

Use Cases

The following use cases are presented in this section:

Controlling Email Attachments

Controlling Risky Applications

Controlling Email Attachments

App Control can be very effective for certain types of email control, especially when a blanket policy is desired. For example, you can prevent sending attachments of a given type, such as .exe, on a per-user basis, or for an entire domain. However, because the file name extension is being matched in this case, changing the extension before sending the attachment will bypass filtering. Note that you can also prevent attachments in this way on your email server if you have one. If not, then App Control provides the functionality.

Another way to control attachments is by creating a match object that scans for file content matching strings such as “confidential”, “internal use only” and “proprietary”. A policy using such a match object implements basic controls over the transfer of proprietary data.

You can also create a policy that prevents email to or from a specific domain or a specific user. You can use App Control to limit email file size, but not to limit the number of attachments. App Control can also block files based on MIME type.

App Control can scan email attachments that are text-based or are compressed to one level, but not encrypted.

In this example, we create a policy that blocks executable attachments except when they are sent by a member of the Support team. To do this we define an email address object containing the email addresses of the Support team, then define a match object to match file name extensions of executable files, then define an action object to strip the attachment and give the user a message, and finally define an App Rules policy that uses all these objects.

See the following sections for the necessary procedures:

Creating a Support Team Email Address Object

Creating a Match Object for Executable File Extensions

Creating an Action Object for Blocking the Email

Creating an SMTP Client App Rules Policy

Creating a Support Team Email Address Object

First, create an email address object for the Support team:

1. On the Firewall > Email Address Objects page, click Add New Email Address Object.


2. In the Email Address Object page, type a descriptive name for the object into the Email Address Object Name field, such as “Support team”.


3. Select Exact Match from the Match Type pull-down list. For an exact match, you must provide both the username and the domain parts of the email addresses to include in the object.

4. In the Content field, type in the first email address or alias used by the Support team, then click Add. The address is copied into the List box.

5. If more than one email address is used by the Support team, repeat Step 4 until all desired email addresses are included in the List box.

6. Click OK. The Modify Task Description and Schedule window displays.


7. To view all the options for Schedule, click the arrow to its right.


8. For this example, select Immediate to create the object immediately.

9. Click Accept to save the email address object with the selected schedule.

The new object is listed on the Firewall > Email Address Objects page.


Creating a Match Object for Executable File Extensions

Next, create a match object that matches file names with extensions such as .exe, indicating that they are executable:

1. On the Firewall > Match Objects page, click Add New Match Object.

2. In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object, such as “Executable Files”.

3. Using the Match Object Type pull-down list, select File Extension.

4. The Match Type field is set to Exact Match; there are no other choices in this case.

5. For the Input Representation, click Alphanumeric.

6. Leave the Enable Negative Matching checkbox cleared.

7. In the Content text box, type the executable file name extensions to match, and then click Add after each one. For this case, we add exe, vbs, bat, awk, and cgi. The extensions appear in the List text box.


8. Click OK. The Modify Task Description and Schedule window displays.

9. For the Schedule, select Immediate to create the object immediately.

10. Click Accept to save the match object with the selected schedule.

The new object is listed on the Firewall > Match Objects page.


Creating an Action Object for Blocking the Email

Now we need to create an action object that will block the email when executable attachments are found. We could use the predefined Block SMTP E-Mail Without Reply action, but we will create a custom action object that will provide an explanation of why the attachment was blocked. However, it would be more secure to use the predefined action in most situations.

To create the action object:

1. On the Firewall > Action Objects page, click Add New Action Object.

2. In the Action Object Settings window, in the Action Name text box, type a descriptive name for the object, such as “Block email with executable”.

3. In the Action pull-down list, select Disable E-Mail Attachment - Add Text.

4. In the Content text box, type the explanation that you want users to see, such as “Executable attachments are not allowed.”


5. Click OK. The Modify Task Description and Schedule window displays.

6. For the Schedule, select Immediate to create the object immediately.

7. Click Accept to save the action object with the selected schedule.

The new object is listed on the Firewall > Action Objects page.


Creating an SMTP Client App Rules Policy

The next step is to create an App Rules policy that uses our email address object and match object, and combines them with an action object to block executable attachments except in email from members of the Support team.

To create the App Rules policy:

1. On the Firewall > App Rules page, click Add New Policy.

2. In the App Control Policies Settings window, type a descriptive name such as “Block Executable Attachments” into the Policy Name field.


3. Select SMTP Client from the Policy Type pull-down list.

4. Leave Any as the source and destination in the Address pull-down lists.

5. The Service pull-down lists do not provide a choice of service. The Source is Any, and the Destination is SMTP (send E-Mail).

6. For Exclusion Address, select None from the pull-down list.

7. In the Match Object pull-down list, select the Executable Files match object that was just created.

8. In the Action pull-down list, select the Block email with executable action that was just created.

9. For Users/Groups, select All from the pull-down list under Included and select None in the Excluded pull-down list.

10. For MAIL FROM, select Any from the pull-down list under Included and select the Support team email address object in the Excluded pull-down list. The Support team email addresses will not be affected by the policy.

11. For RCPT TO, select Any from the pull-down list under Included and select None in the Excluded pull-down list.

12. For Schedule, select Always on from the pull-down list.

13. Leave the Enable Flow Reporting checkbox cleared.

14. If you want the policy to create a log entry when a match is found, select the Enable Logging checkbox.

15. To record more details in the log, select the Log individual object content checkbox.

16. For Log Redundancy Filter, select Use Global Settings to use the global value set on the Firewall > App Rules page.

17. For Connection Side, only Client Side is available in the pull-down list.

18. For Direction, select the Basic radio button and select Both in the pull-down list.

19. Click OK. The Modify Task Description and Schedule window displays.

20. For the Schedule, select Immediate to create the policy immediately.

21. Click Accept to save the policy with the selected schedule.

The new policy is listed on the Firewall > App Rules page.
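The following is an added example, not SonicWALL code: a small Python model of the decision this policy makes, using the extensions and block text from the procedure. The Support team addresses, the sample message, and the optional content check (which is not an App Control feature) are assumptions made to show why matching on the extension alone misses a renamed executable.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Extensions and block text are the ones entered in the procedure above.
BLOCKED_EXTENSIONS = {"exe", "vbs", "bat", "awk", "cgi"}
BLOCK_TEXT = "Executable attachments are not allowed."
# Constructed addresses standing in for the "Support team" email address object.
SUPPORT_TEAM = {"support@example.com", "helpdesk@example.com"}

def is_pe(payload: bytes) -> bool:
    """Assumed extra check, not part of the policy: DOS/PE files start with 'MZ'."""
    return payload[:2] == b"MZ"

def evaluate(mail_from: str, msg: EmailMessage, check_content: bool = False):
    """Return a (filename, verdict) pair for each attachment, in message order."""
    sender = parseaddr(mail_from)[1].lower()
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name).suffix.lstrip(".").lower()
        payload = part.get_payload(decode=True) or b""
        if sender in SUPPORT_TEAM:        # MAIL FROM exclusion, exact match
            verdict = "allow (excluded sender)"
        elif ext in BLOCKED_EXTENSIONS:   # File Extension match object
            verdict = "strip: " + BLOCK_TEXT
        elif check_content and is_pe(payload):
            verdict = "strip: executable content"
        else:
            verdict = "allow"
        results.append((name, verdict))
    return results

def build_message(attachments):
    """Build a multipart message from (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

# Constructed sample: the same PE-like bytes under two names, plus a text file.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE = build_message([("tool.exe", PE_STUB), ("tool.txt", PE_STUB),
                        ("notes.txt", b"hello")])

if __name__ == "__main__":
    for sender in ("user@example.org", "support@example.com"):
        for check in (False, True):
            print(sender, check, evaluate(sender, SAMPLE, check))
```

With the extension match alone, tool.txt is allowed even though its bytes are identical to tool.exe; a content-based or MIME-type control is what closes that gap.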


Controlling Risky Applications

The SonicWALL application signature databases are part of the App Control feature, allowing very granular control over policy configuration and actions relating to them. These signature databases are used to protect users from application vulnerabilities as well as worms, Trojans, peer-to-peer transfers, spyware, and backdoor exploits. The extensible signature language used in the SonicWALL Reassembly Free Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities.

App Control provides two ways to create policies for controlling applications. On the Firewall > App Control Advanced page, you can quickly create a policy for a specific category, application, or signature. You can select blocking, logging, or both to control the traffic. While a category includes many applications, this method does not allow you to control applications belonging to more than one category with a single policy. Similarly, while an application can include multiple signatures, you cannot include signatures from different applications in a policy, unless you create a policy for the whole category.

By using the Add Application List Object feature on the Firewall > Match Objects page, you can achieve more granularity and select specific applications from different categories. Then, this object can be used in an App Rules policy.

To include signatures from different applications in a single policy, you need to use the Add New Match Object feature with a Match Object Type of Application Signature List. This allows you to select any signature from the same database that is used for Firewall > App Control Advanced, no matter what category or application the signature belongs to, and add them into a single match object. You can then create an App Rules policy using this match object to control those specific signatures.

Our example in this use case uses the Add Application List Object feature to create an object containing the riskiest applications in the database. We then create an App Rules policy using this object, and block the application traffic using the predefined Reset/Drop action.

See the following sections:

Creating the Application List Object

Creating an App Control Content App Rules Policy

Creating the Application List Object

This procedure shows how to select the riskiest applications in the database, and create a single object containing them.

To create the application list object:

1. In the TreeControl, select the unit or group to configure.

2. Navigate to the Firewall > Match Objects page on the Policies tab.

3. Click the Add Application List Object button. The Add Application List Object screen displays.


4. On the Application tab, to name this object, clear the Auto-generate match object name checkbox and then type a name such as “Riskiest apps” for the object in the Match Object Name field.

5. Leave all category checkboxes selected under Category at the top left.

6. Under Threat Level, clear all threat level checkboxes except for the one next to SEVERE. The list of applications in the lower panel changes as you clear the threat level checkboxes.

7. Leave all technology checkboxes selected under Technology.

The screen now shows all applications that have a threat level of SEVERE.


If you want to see the signatures included by any of the applications, click the arrow next to the application name to expand the details for it.


8. In the application list where you see the names of all the SEVERE rated applications, click the Plus sign next to Name to select all of the listed applications for your object. A dialog box pops up to warn you that selecting the entire list may take a while. In our case, it will not take too long since there are only a dozen or so applications in the list.


9. Click OK in the warning dialog box. All of the Plus signs change to green check marks, and the applications are added to the Application Group field on the right.


10. Click the OK button. The Modify Task Description and Schedule window displays.

11. For the Schedule, select Immediate to create the object immediately.

12. Click Accept to save the object with the selected schedule.

The new object is listed on the Firewall > Match Objects page.


Creating an App Control Content App Rules Policy

The next step is to create an App Rules policy that uses our application list object and combines it with an action object to block these risky applications.

To create the App Rules policy:

1. On the Firewall > App Rules page, click Add New Policy.

2. In the App Control Policies Settings window, type a descriptive name such as “Block Risky Apps” into the Policy Name field.

3. Select App Control Content from the Policy Type pull-down list.


4. Leave Any in the Address pull-down list.

5. Leave None in the Exclusion Address pull-down list.

6. In the Match Object pull-down list, select the Riskiest apps match object that was just created.

7. In the Action pull-down list, select the Reset/Drop predefined action.

8. For Users/Groups, select All from the pull-down list under Included and select None in the Excluded pull-down list.

9. For Schedule, select Always on from the pull-down list.

10. Optionally select the Enable Flow Reporting checkbox to enable internal and external flow reporting based on data flows, connection related flows, non-connection related flows regarding applications, viruses, spyware, intrusions, and other information.

11. Select the Enable Logging checkbox. This causes the policy to create a log entry when a match is found.

12. Optionally, to record more details in the log, select the Log individual object content checkbox.

13. Select the Log using App Control message format checkbox. This changes logging to display the category in the log entry as “Application Control”, and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.

14. For Log Redundancy Filter, select Global Settings. This uses the global value set on the Firewall > App Rules page. Alternatively, you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.

15. Select Any from the Zone pull-down list to apply this policy to all zones.

16. Click OK. The Modify Task Description and Schedule window displays.

17. For the Schedule, select Immediate to create the policy immediately.

18. Click Accept to save the policy with the selected schedule.

The new policy is listed on the Firewall > App Rules page.
