Application Control / Application Firewall
in SonicOS Enhanced 5.8
Document Scope
This document describes how to configure and manage the Application Control and Application Firewall
features in SonicOS 5.8.
This document contains the following sections:
• “Application Control / Application Firewall Overview” on page 1
• “Licensing Application Control / Application Firewall” on page 25
• “Using Application Firewall and Application Control” on page 26
• “Useful Tools” on page 45
• “Use Cases” on page 52
• “Glossary” on page 80
Application Control / Application Firewall Overview
This section provides an introduction to the SonicOS 5.8 Application Control and Application Firewall
features. This section contains the following subsections:
• “What are Application Control and Application Firewall?” on page 1
• “Benefits” on page 3
• “How Do Application Control and Application Firewall Work?” on page 4
• “Supported Platforms” on page 24
• “Supported Standards” on page 25
What are Application Control and Application Firewall?
In SonicOS 5.8, the Application Firewall feature of previous SonicOS releases has been significantly
enhanced with Application Control functionality. As part of this solution, the set of application-relevant
signatures has been extracted from the existing set of IPS signatures and placed under the realm of the
Application Control feature. This change impacts the way that application control policies and dynamic
objects are configured and used.
Application Control and Application Firewall in SonicOS 5.8
Using Application Control
About Application Control
SonicOS 5.8 introduces a new user interface for application control with the new Firewall > App Rules
Advanced page. This screen provides a simple and direct way of configuring application control rules. You
can enable blocking or logging for a whole category of applications with one click, and can easily locate and
do the same for an individual application or individual signature. Once enabled, the category, application,
or signature is blocked or logged globally without the need to create an Application Firewall policy.
In SonicOS 5.8, all of the application configuration which was previously available under Security Services
> Intrusion Prevention is now moved to the App Rules Advanced page, leaving IPS to handle threats and
attacks. This change means that applications have their own user interface now, and you no longer have to
configure them under Intrusion Prevention.
For flexibility, Application Firewall policies can access the same application controls for any of the
categories, applications, or signatures available in the new App Rules Advanced page, giving you an
alternative method of controlling applications in your network. This alternative is provided on the Match
Objects page where you can create Application List objects, Application Category List objects, and
Application Signature List objects for use as match objects in an Application Firewall policy.
About Application Firewall
Application Firewall is a solution to configure policy rules for application signatures. As a set of
application-specific policies, it gives you granular control over network traffic on the level of users, email
users, schedules, and IP-subnets. The primary functionality of this application-layer access control feature
is to regulate Web browsing, file transfer, email, and email attachments.
Application Firewall’s digital rights management component provides the ability to scan files and documents
for content and keywords. Using Application Firewall, you can restrict transfer of certain file names, file
types, email attachments, attachment types, email with certain subjects, and email or attachments with
certain keywords or byte patterns. You can deny internal or external network access based on various
criteria.
Based on SonicWALL’s Deep Packet Inspection technology, Application Firewall also features intelligent
prevention functionality which allows you to create custom, policy-based actions. Examples of custom
actions include the following:
• Disabling an attachment
• Sending a custom block page
• Sending a custom email reply
• Redirecting an HTTP request
• Sending a custom FTP reply over an FTP control channel
• Bandwidth throttling for file types when using the HTTP or FTP protocols
While Application Firewall primarily provides application level access control, application layer bandwidth
management and digital rights management functionality, it also includes the ability to create pure custom
IPS signatures. You can create a custom policy that matches any protocol you wish, by matching a unique
piece of the protocol header. See “Custom Signature” on page 74.
Benefits
Application Firewall provides excellent functionality for preventing the accidental transfer of proprietary
documents. For example, when using the automatic address completion feature of Outlook Exchange, it is
a common occurrence for a popular name to complete to the wrong address. See Figure 1 for an example.
The Application Control functionality provides the following benefits:
• Application based configuration makes it easier to configure policies for application control. This was
difficult when the configuration was part of Intrusion Prevention in previous releases, which required
administrators to configure all the individual signatures of an application in order to block it or apply a
policy to it.
• The Application Control subscription service provides updated signatures as new attacks emerge.
• The related Application Intelligence functionality, as seen in App Flow Monitor and the Real Time
Visualization Monitor, is available upon registration as a 30-day free trial App Visualization license. This
allows any registered SonicWALL appliance to clearly display information about application traffic in
the network. Note that the feature must be enabled in the SonicOS management interface to become
active.
• Administrators can configure policy settings for individual signatures without influencing other
signatures of the same application.
• Application Control configuration screens are moved to the Firewall menu in the SonicOS management
interface, consolidating all Firewall and Application Control/Application Firewall access rules and
policies in the same area.
Application Firewall functionality can be compared to three main categories of products:
• Standalone proxy appliances
• Application proxies integrated into firewall VPN appliances
• Standalone IPS appliances with custom signature support
Standalone proxy appliances are typically designed to provide granular access control for a specific protocol.
SonicWALL Application Firewall provides granular, application level access control across multiple
protocols, including HTTP, FTP, SMTP, and POP3. Because Application Firewall runs on your SonicWALL
firewall, you can use it to control both inbound and outbound traffic, unlike a dedicated proxy appliance
that is typically deployed in only one direction. Application Firewall provides better performance and
scalability than a dedicated proxy appliance because it is based on SonicWALL’s proprietary Deep Packet
Inspection technology.
Today’s integrated application proxies do not provide granular, application level access control, application
layer bandwidth management, and digital rights management functionality. As with dedicated proxy
appliances, SonicWALL Application Firewall provides much higher performance and far greater scalability
than integrated application proxy solutions.
While some standalone IPS appliances provide protocol decoding support, none of these products supports
granular, application level access control, application layer bandwidth management, and digital rights
management functionality.
In comparing Application Firewall to SonicWALL Email Security, there are benefits to using either. Email
Security only works with SMTP, but it has a very rich policy space. Application Firewall works with SMTP,
POP3, HTTP, FTP and other protocols, is integrated into SonicOS on the firewall, and has higher
performance than Email Security. However, Application Firewall does not offer all the policy options for
SMTP that are provided by Email Security.
How Do Application Control and Application Firewall Work?
Application Control and Application Firewall utilize SonicOS Deep Packet Inspection to scan application
layer network traffic as it passes through the gateway and locate content that matches configured application
signatures or keywords, either in text or binary content. When a match is found, these features perform the
configured action. When you configure Application Control directly, you create global rules that define
whether to block or log the application, which users, groups, or IP address ranges to include or exclude, and
a schedule for enforcement. When you configure Application Firewall, you create policies that define the
type of applications to scan, the direction, the content or keywords to match, optionally the user or domain
to match, and the action to perform.
The following sections describe the main components of Application Control and Application Firewall:
• “Application Control” on page 5
• “Application Firewall Policies” on page 6
• “Match Objects” on page 9
• “Action Objects” on page 19
• “Email Address Objects” on page 23
Application Control
The configuration method on the Firewall > App Rules Advanced page is completely different from creating
Application Firewall policies, and the settings you make here act like global policies and are independent
from any Application Firewall policy. Figure 2 shows the Firewall > App Rules Advanced page.
Figure 2  Firewall > App Rules Advanced Page
You can configure the following settings on this page:
• Select a category, an application, or a signature.
• Select blocking, logging, or both as the action.
• Specify users, groups, or IP address ranges to include in or exclude from the action.
• Set a schedule for enforcing the controls.
While these application control settings are independent from Application Firewall policies, you can also
create application match objects for any of the categories, applications, or signatures available here, and use
those match objects in an Application Firewall policy. This allows you to use the wide array of actions and
other configuration settings available with Application Firewall. See the “Application List Objects” section
on page 15 for more information about this policy-based user interface for application control.
The user interface and options on the Firewall > App Rules Advanced page are similar to those for
configuring Intrusion Prevention Service (IPS) on the Security Services > Intrusion Prevention page. In
SonicOS 5.8, all of the application configuration which was previously available under IPS is now moved to
application control, leaving IPS to handle threats and attacks. This change means that applications have their
own user interface now, and you no longer have to configure them under Intrusion Prevention. There are
some differences from the previous options, notably that the IPS configuration provided global settings,
categories, and signatures. In the new interface, there is no global level of configuration because there is no
priority for application control signatures. The new interface provides configuration options for categories,
applications, and signatures.
Application Firewall Policies
You can use Application Firewall to create custom policies to control specific aspects of traffic on your
network. A policy is a set of match objects, properties, and specific prevention actions. When you create a
policy, you first create a match object, then select and optionally customize an action, then reference these
when you create the policy.
In the Firewall > App Rules page, you can access the Policy Settings screen, shown in Figure 3 for a Policy
Type of SMTP Client. The screen changes depending on the Policy Type you select.
Figure 3  Policy Settings screen
Some examples of policies include:
• Block applications for activities such as gambling
• Disable .exe and .vbs email attachments
• Do not allow the Mozilla browser on outgoing HTTP connections
• Do not allow outgoing email or MS Word attachments with the keywords “SonicWALL Confidential”,
except from the CEO and CFO
• Do not allow outgoing email that includes a graphic or watermark found in all confidential documents
When you create a policy, you select a policy type. Each policy type specifies the values or value types that
are valid for the source, destination, match object type, and action fields in the policy. You can further define
the policy to include or exclude specific users or groups, select a schedule, turn on logging, and specify the
connection side as well as basic or advanced direction types. A basic direction type simply indicates inbound
or outbound. An advanced direction type allows zone to zone direction configuration, such as from the
LAN to the WAN.
Table 1 describes the characteristics of the available policy types.
Table 1  Policy Types

| Policy Type | Description | Valid Source Service / Default | Valid Destination Service / Default | Valid Match Object Type | Valid Action Type | Connection Side |
|---|---|---|---|---|---|---|
| App Control Content | Policy using dynamic Application Control related objects for any application layer protocol | N/A | N/A | Application Category List, Application List, Application Signature List | Reset/Drop, Bypass DPI, Packet Monitor, Manage Bandwidth, No Action | N/A |
| CFS | Policy for content filtering | N/A | N/A | CFS Category List | CFS Block Page, Packet Monitor, Manage Bandwidth, No Action | N/A |
| Custom Policy | Policy using custom objects for any application layer protocol; can be used to create IPS-style custom signatures | Any / Any | Any / Any | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, Manage Bandwidth, No Action | Client Side, Server Side, Both |
| FTP Client | Any FTP command transferred over the FTP control channel | Any / Any | FTP Control / FTP Control | FTP Command, FTP Command + Value, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side |
| FTP Client File Upload Request | An attempt to upload a file over FTP (STOR command) | Any / Any | FTP Control / FTP Control | Filename, file extension | Reset/Drop, Bypass DPI, Packet Monitor, Manage Bandwidth, No Action | Client Side |
| FTP Client File Download Request | An attempt to download a file over FTP (RETR command) | Any / Any | FTP Control / FTP Control | Filename, file extension | Reset/Drop, Bypass DPI, Packet Monitor, Manage Bandwidth, No Action | Client Side |
| FTP Data Transfer Policy | Data transferred over the FTP Data channel | Any / Any | Any / Any | File Content Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Both |
| HTTP Client | Policy which is applicable to Web browser traffic or any HTTP request that originates on the client | Any / Any | Any / HTTP (configurable) | HTTP Host, HTTP Cookie, HTTP Referrer, HTTP Request Custom Header, HTTP URI Content, HTTP User Agent, Web Browser, File Name, File Extension, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor*, Manage Bandwidth, No Action | Client Side |
| HTTP Server | Response originated by an HTTP Server | Any / HTTP (configurable) | Any / Any | ActiveX Class ID, HTTP Set Cookie, HTTP Response Custom Header, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, Manage Bandwidth, No Action | Server Side |
| IPS Content | Policy using dynamic Intrusion Prevention related objects for any application layer protocol | N/A | N/A | IPS Signature Category List, IPS Signature List | Reset/Drop, Bypass DPI, Packet Monitor, Manage Bandwidth, No Action | N/A |
| POP3 Client | Policy to inspect traffic generated by a POP3 client; typically useful for a POP3 server admin | Any / Any | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side |
| POP3 Server | Policy to inspect email downloaded from a POP3 server to a POP3 client; used for email filtering | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Any / Any | Email Body, … | Reset/Drop, Disable attachment, Bypass DPI, No Action | Server Side |
| SMTP Client | Policy applies to SMTP traffic that originates on the client |  |  |  | Reset/Drop, Block SMTP E-Mail Without Reply, Bypass DPI, Packet Monitor, No Action | Client Side |

* Packet Monitor action not supported for File Name or File Extension Custom Object.
Match Objects
Match objects represent the set of conditions which must be matched in order for actions to take place. This
includes the object type, the match type (exact, partial, prefix, or suffix), the input representation (text or
hexadecimal), and the actual content to match. Match objects were referred to as application objects in
previous releases.
Hexadecimal input representation is used to match binary content such as executable files, while text input
representation is used to match things like file or email content. You can also use hexadecimal input
representation for binary content found in a graphic image. Text input representation could be used to
match the same graphic if it contains a certain string in one of its properties fields.
The maximum size for a match object is 8192 (8K) bytes. Because Application Firewall matches data at wire
speeds, match objects do not provide matching for regular expressions. You can use a proxy server for this
functionality.
The File Content match object type provides a way to match a pattern within a compressed file. This type
of match object can only be used with FTP Data Transfer or SMTP Client Policies.
Table 2 describes the supported match object types.
Table 2  Match Object Types

| Object Type | Description | Match Types | Negative Matching | Extra Properties |
|---|---|---|---|---|
| ActiveX ClassID | Class ID of an Active-X component. For example, ClassID of Gator Active-X component is “c1fb8842-5281-45ce-a271-8fd5f117ba5f” | Exact | No | None |
| Application Category List | Allows specification of application categories, such as Multimedia, P2P, or Social Networking | N/A | No | None |
| Application List | Allows specification of individual applications within the application category that you select | N/A | No | None |
| Application Signature List | Allows specification of individual signatures for the application and category that you select | N/A | No | None |
| CFS Allow/Forbidden List | Allows specification of allowed and forbidden domains for Content Filtering | Exact, Partial, Prefix, Suffix | No | None |
| CFS Category List | Allows selection of one or more Content Filtering categories | N/A | No | A list of 64 categories is provided to choose from |
| Custom Object | Allows specification of an IPS-style custom set of conditions. | Exact | No | There are 4 additional, optional parameters that can be set: offset (describes from what byte in packet payload we should start matching the pattern; starts with 1; helps minimize false positives in matching), depth (describes at what byte in the packet payload we should stop matching the pattern; starts with 1), minimum payload size and maximum payload size. |
| Email Body | Any content in the body of an email. | Partial | No | None |
| Email CC (MIME Header) | Any content in the CC MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email From (MIME Header) | Any content in the From MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email Size | Allows specification of the maximum email size that can be sent. | N/A | No | None |
| Email Subject (MIME Header) | Any content in the Subject MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email To (MIME Header) | Any content in the To MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| MIME Custom Header | Allows for creation of MIME custom headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| File Content | Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. | Partial | No | ‘Disable attachment’ action should never be applied to this object. |
| Filename | In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file. | Exact, Partial, Prefix, Suffix | Yes | None |
| Filename Extension | In cases of email, this is an attachment filename extension. In cases of HTTP, this is a filename extension of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename extension of an uploaded or downloaded file. | Exact | Yes | None |
| FTP Command | Allows selection of specific FTP commands. | N/A | No | None |
| FTP Command + Value | Allows selection of specific FTP commands and their values. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Cookie Header | Allows specification of a Cookie sent by a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Host Header | Content found inside of the HTTP Host header. Represents hostname of the destination server in the HTTP request, such as www.google.com. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Referrer Header | Allows specification of content of a Referrer header sent by a browser – this can be useful to control or keep stats of which Web sites redirected a user to customer’s Web site. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Request Custom Header | Allows creation of custom HTTP Request headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| HTTP Response Custom Header | Allows creation of custom HTTP Response headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| HTTP Set Cookie Header | Set-Cookie headers. Provides a way to disallow certain cookies to be set in a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP URI Content | Any content found inside of the URI in the HTTP request. | Exact, Partial, Prefix, Suffix | No | None |
| HTTP User-Agent Header | Any content inside of a User-Agent header. For example: User-Agent: Skype. | Exact, Partial, Prefix, Suffix | Yes | None |
| Web Browser | Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome). | N/A | Yes | None |
| IPS Signature Category List | Allows selection of one or more IPS signature groups. Each group contains multiple pre-defined IPS signatures. | N/A | No | None |
| IPS Signature List | Allows selection of one or more specific IPS signatures for enhanced granularity. | N/A | No | None |
You can see the available match object types in the drop-down list in the Match Object Settings screen.
Negative Matching
In the Match Object screen, you can add multiple entries to create a list of content elements to match. All
content that you provide in a match object is case-insensitive for matching purposes. A hexadecimal
representation is used to match binary content. You can use a hex editor or a network protocol analyzer like
Wireshark to obtain hex format for binary files. For more information about these tools, see the following
sections:
• “Wireshark” on page 45
• “Hex Editor” on page 48
You can use the Load From File button to import content from predefined text files that contain multiple
entries for a match object to match. Each entry in the file must be on its own line. The Load From File
feature allows you to easily move Application Firewall settings from one SonicWALL security appliance to
another.
Multiple entries, either from a text file or entered manually, are displayed in the List area. List entries are
matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.
A match object can include a total of no more than 8000 characters. If each element within a match object
contains approximately 30 characters, then you can enter about 260 elements. The maximum element size
is 8000 bytes.
Negative matching provides an alternate way to specify which content to block. You can enable negative
matching in a match object when you want to block everything except a particular type of content. When
you use the object in a policy, the policy will execute actions based on absence of the content specified in
the match object. Multiple list entries in a negative matching object are matched using the logical AND,
meaning that the policy action is executed only when all specified negative matching entries are matched.
Although all Application Firewall policies are DENY policies, you can simulate an ALLOW policy by using
negative matching. For instance, you can allow email .txt attachments and block attachments of all other file
types. Or you can allow a few types, and block all others.
Not all match object types can utilize negative matching. For those that can, you will see the Enable Negative
Matching checkbox on the Match Object Settings screen.
Figure 4  Enable Negative Matching Checkbox
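The matching rules described above (the four match types, text versus hexadecimal entries, case-insensitive text matching, logical OR across list entries, logical AND under negative matching, the 8000-character limit) and the Custom Object offset, depth and payload-size parameters from Table 2 are small enough to model end to end. The following Python is an added example written for this page, not SonicOS code: the class names, the `triggers_action` method, and the reading of the Custom Object’s “Exact” match as the pattern bytes appearing intact inside the offset/depth window are my own assumptions, and the sample attachment names and HTTP requests are constructed.

```python
# Added example (not SonicOS code): a reference model of the match-object rules this
# section describes. Class and function names are mine; only the rules come from the page.
from dataclasses import dataclass
from typing import List, Optional

MAX_OBJECT_CHARS = 8000  # a match object may hold no more than 8000 characters in total


def decode_entry(value: str, representation: str) -> bytes:
    """Turn one list entry into the bytes compared against traffic.

    Hex entries ("4D 5A" or "4d5a") become raw bytes; text entries are lower-cased
    because text content is matched case-insensitively.
    """
    if representation == "hex":
        return bytes.fromhex(value)
    return value.lower().encode("utf-8")


def entry_matches(entry: bytes, data: bytes, match_type: str) -> bool:
    """Apply one of the four match types (exact, partial, prefix, suffix)."""
    if match_type == "exact":
        return data == entry
    if match_type == "partial":
        return entry in data
    if match_type == "prefix":
        return data.startswith(entry)
    if match_type == "suffix":
        return data.endswith(entry)
    raise ValueError(f"unknown match type: {match_type}")


@dataclass
class MatchObject:
    match_type: str               # "exact" | "partial" | "prefix" | "suffix"
    entries: List[str]            # the List area of the Match Object screen, one entry each
    representation: str = "text"  # "text" | "hex" input representation
    negative: bool = False        # the Enable Negative Matching checkbox

    def __post_init__(self) -> None:
        if sum(len(e) for e in self.entries) > MAX_OBJECT_CHARS:
            raise ValueError("match object exceeds 8000 characters")

    def triggers_action(self, data: bytes) -> bool:
        """True when a policy using this object would execute its action on `data`."""
        subject = data if self.representation == "hex" else data.lower()
        hits = [entry_matches(decode_entry(e, self.representation), subject, self.match_type)
                for e in self.entries]
        if self.negative:
            # Negative matching combines entries with logical AND: the action runs
            # only when every listed entry is absent. This is how a DENY policy is
            # turned into "allow only these, block everything else".
            return not any(hits)
        # Normal matching combines entries with logical OR.
        return any(hits)


@dataclass
class CustomObject:
    """Custom Object with the four optional parameters from Table 2.

    offset and depth are 1-based byte positions in the packet payload at which
    matching starts and stops; min/max payload size bound the payload length.
    Assumption not spelled out on the page: the pattern matches when its bytes
    occur intact anywhere inside that window.
    """
    pattern_hex: str
    offset: int = 1
    depth: Optional[int] = None
    min_payload: int = 0
    max_payload: Optional[int] = None

    def triggers_action(self, payload: bytes) -> bool:
        size = len(payload)
        if size < self.min_payload:
            return False
        if self.max_payload is not None and size > self.max_payload:
            return False
        end = size if self.depth is None else min(self.depth, size)
        window = payload[self.offset - 1:end]
        return bytes.fromhex(self.pattern_hex) in window


if __name__ == "__main__":
    # Simulated ALLOW from the text: permit .txt attachments, block all other extensions.
    only_txt = MatchObject("exact", ["txt"], negative=True)
    print("TXT blocked?", only_txt.triggers_action(b"TXT"))  # False
    print("exe blocked?", only_txt.triggers_action(b"exe"))  # True

    # Constructed HTTP requests: a 4-byte window at offset 1 covers the method only,
    # so "POST" appearing later in a header does not produce a false positive.
    post_method = CustomObject("504f5354", offset=1, depth=4)
    print(post_method.triggers_action(b"POST /upload HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"))  # True
    print(post_method.triggers_action(b"GET /index HTTP/1.1\r\nX-Note: POST\r\n\r\n"))  # False
```

The `only_txt` object shows why the AND semantics of negative matching matter: with two negative entries (`txt` and `pdf`), an attachment named `report.pdf` matches one entry, so not all entries are absent and the deny action does not fire; only an extension outside the list triggers it. The `post_method` object shows the false-positive control the offset and depth parameters give a Custom Object: the same pattern without a depth would match a request that merely mentions POST in a header.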
Application List Objects
The Firewall > Match Objects page also contains the Add Application List Object button, which opens
the Create Filter Object screen. This screen provides three tabs:
• Security – You can set a Security Level Filter on this tab.
• Category – You can create a category filter object on this tab. A list of application categories and their
descriptions are provided. The Category page offers another way to create a match object of the
Application Category List type.
• Application – You can create an Application Filter Object on this tab. This screen allows selection of
the application category, threat level, type of technology, and attributes. After selections are made, the
list of applications matching those criteria is displayed. The Application tab provides another way to
create a match object of the Application List type.
Security Level Filters
The Security tab provides a “slider” that represents the general level of application security and control
maintained by the firewall. The setting, or profile, you choose affects the ability of the firewall to make
important decisions about blocking or managing the bandwidth of applications, based on your preferences
for the level of application control. Figure 5 shows the slider in the Normal setting.
Figure 5  Security Tab
Each profile (Strict, Normal, and Loose) defines an action for each application, either to block, allow, or
manage bandwidth for it. The respective predefined actions are automatically applied to those applications
in accordance with the selected profile. When None is selected, there is no application control except for
the policies you configure.
You can choose between four levels of application security:
• None – The firewall makes no decisions on application level security policies and you have full manual
control over the rules and signatures.
• Loose – The firewall makes some decisions on traffic control by blocking obviously dangerous
applications and doing light management for bandwidth heavy applications.
• Normal – The firewall makes decisions on traffic control by blocking obviously dangerous applications
and doing some management of bandwidth medium and bandwidth heavy applications.
• Strict – The firewall blocks all dangerous and suspicious application traffic, and imposes bandwidth
control to provide optimal policies for strict security environments.
The page provides a Save Security Level Filter button to save your setting.
Category Filters
The Category tab provides a list of application categories for selection. You can select any combination of
categories and then save your selections as a category filter object with a custom name. Figure 6 shows the
screen with the description of the IM category displayed.
Figure 6  Category Tab
You can hover your mouse pointer over each category in the list to see a description of it. To create a custom
category filter object, simply type in a name for the object in the Object Name field, select one or more
categories, and click the Save Category Filter button. You will see the object name listed on the Firewall
> Match Objects page with an object type of Application Category List. This object can then be selected
when creating an Application Firewall policy.
Application Filters
The Application tab provides a list of applications for selection. You can control which applications are
displayed by selecting one or more application categories, threat levels, and technologies. When the
application list is reduced to a list that is focused on your preferences, you can select the individual
applications for your filter and then save your selections as an application filter object with a custom name.
Figure 7 shows the screen with all categories, threat levels, and technologies selected, but before any
individual applications have been chosen.
Figure 7  Application Tab
As you select the applications for your filter, they appear in the Application Group field on the right. You
can edit the list in this field by deleting individual items or by clicking the eraser to delete all items. Figure 8
shows several applications in the Application Group field. The selected applications are also marked with
a green checkmark icon in the application list on the left side.
Figure 8  Application Group
When finished selecting the applications to include, you can type in a name for the object in the Object
Name field and click the Save Application Filter button. You will see the object name listed on the
Firewall > Match Objects page with an object type of Application List. This object can then be selected
when creating an Application Firewall policy.
Action Objects
Action Objects define how the Application Firewall policy reacts to matching events. You can choose a
customizable action or select one of the predefined, default actions.
The predefined actions are:
• Block SMTP Email Without Reply
• BWM High
• BWM Low
• BWM Medium
• Bypass DPI
• CFS block page
• No Action
• Packet Monitor
• Reset / Drop
The customizable actions are:
• Block SMTP Email - Send Error Reply
• Disable Email Attachment - Add Text
• Email - Add Text
• FTP Notification Reply
• HTTP Block Page
• HTTP Redirect
• Bandwidth Management
See Table 3 for descriptions of these action types.
Note that only the customizable actions are available for editing in the Action Object Settings window,
shown in Figure 9. The predefined actions cannot be edited or deleted. When you create a policy, the Policy
Settings screen provides a way for you to select from the predefined actions along with any customized
actions that you have defined.
Figure 9 Action Object Settings
Table 3 describes the available action types.
Table 3 Action Types
Each entry gives the action type, whether it is predefined or custom, and its description.
Block SMTP Email Without Reply (Predefined): Blocks SMTP email, but to the sender it looks like email was
successfully sent.
BWM High (Predefined): Manages inbound and outbound bandwidth, guarantees a high level of bandwidth
availability defined as 90% of total available bandwidth, allows high bandwidth usage up to a maximum of
90% of total available bandwidth¹; sets a priority of zero², and enables bandwidth usage tracking. You can
view these settings and the usage in the Action Properties tooltip by mousing over the BWM action of a
policy on the Firewall > App Rules page.
BWM Low (Predefined): Manages inbound and outbound bandwidth, guarantees a low level of bandwidth
availability defined as 20% of total available bandwidth, allows bandwidth usage up to a maximum of 20%
of total available bandwidth¹; sets a priority of zero², and enables bandwidth usage tracking. You can view
these settings and the usage in the Action Properties tooltip by mousing over the BWM action of a policy
on the Firewall > App Rules page.
BWM Medium (Predefined): Manages inbound and outbound bandwidth, guarantees a medium level of
bandwidth availability defined as 50% of total available bandwidth, allows bandwidth usage up to a
maximum of 50% of total available bandwidth¹; sets a priority of zero², and enables bandwidth usage
tracking. You can view these settings and the usage in the Action Properties tooltip by mousing over the
BWM action of a policy on the Firewall > App Rules page.
Bypass DPI (Predefined): Bypasses Deep Packet Inspection components IPS, GAV, Anti-Spyware and
Application Firewall. This action persists for the duration of the entire connection as soon as it is
triggered. Special handling is applied to FTP control channels that are never bypassed for Application
Firewall inspection. This action supports proper handling of the FTP data channel. Note that Bypass DPI
does not stop filters that are enabled on the Firewall Settings > SSL Control page.
CFS block page (Predefined): Blocks access to the Web page and displays a pre-formatted ‘blocked content’
page.
No Action (Predefined): Policies can be specified without any action. This allows “log only” policy types.
Packet Monitor (Predefined): Use the SonicOS Packet Monitor capability to capture the inbound and
outbound packets in the session, or if mirroring is configured, to copy the packets to another interface.
The capture can be viewed and analyzed with Wireshark.
Reset / Drop (Predefined): For TCP, the connection will be reset. For UDP, the packet will be dropped.
Block SMTP Email - Send Error Reply (Custom): Blocks SMTP email and notifies the sender with a
customized error message.
Disable Email Attachment - Add Text (Custom): Disables attachment inside of an email and adds
customized text.
Email - Add Text (Custom): Appends custom text at the end of the email.
FTP Notification Reply (Custom): Sends text back to the client over the FTP control channel without
terminating the connection.
HTTP Block Page (Custom): Allows a custom HTTP block page configuration with a choice of colors.
HTTP Redirect (Custom): Provides HTTP Redirect functionality. For example, if someone would like to
redirect people to the Google Web site, the customizable part will look like:
http://www.google.com
If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information
in the form will be lost.
Bandwidth Management (Custom): Allows definition of bandwidth management constraints with same
semantics as Access Rule BWM policy definition.
1. Total available bandwidth is defined by the values entered for Available Interface Egress/Ingress Bandwidth when configuring
the WAN interface from the Network > Interfaces page. See “Configuring Bandwidth Management on an Interface” section on
page 40 for more information.
2. Note that while a setting of zero is the highest priority, priority is not used when bandwidth management is enabled.
Application Layer Bandwidth Management
Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth
consumption by specific file types within a protocol, while allowing other file types to use unlimited
bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same
protocol. Application layer bandwidth management is supported for HTTP Client, HTTP Server, Custom,
and FTP file transfer policies. For details about policy types, see Table 1 on page 7.
For example, as an administrator you might want to limit .mp3 and executable file downloads during work
hours to no more than 1 Mbps. At the same time, you want to allow downloads of productive file types such
as .doc or .pdf up to the maximum available bandwidth, or even give the highest possible priority to
downloads of the productive content. As another example, you might want to limit bandwidth for a certain
type of peer-to-peer (P2P) traffic, but allow other types of P2P to use unlimited bandwidth. Application
layer bandwidth management allows you to create policies to do this.
Application layer bandwidth management functionality is supported with three predefined BWM actions
(High, Medium, and Low) available when adding a policy from the Firewall > App Rules page, and a
customizable Bandwidth Management type action, available when adding a new action from the Firewall >
Action Objects screen.
When configuring a Bandwidth Management action, you can select either Per Action or Per Policy, as
shown in Figure 10. Per Action means that when you create a limit of 10 Mbps in an Action Object, and
three different policies use the Action Object, then each policy can consume up to 10 Mbps of bandwidth.
Per Policy means that the three policies combined can only use 10 Mbps. The predefined BWM High, BWM
Medium, and BWM Low actions are all Per Action. In releases previous to SonicOS 5.8, all Bandwidth
Management actions were automatically set to Per Policy, but now you have a choice.
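The Per Action / Per Policy distinction above, worked through as a small accounting model (an added illustration, not SonicOS code). The High/Medium/Low fractions come from Table 3; how a shared Per Policy budget is divided among competing policies is an assumption, since the guide states only the combined limit.

```python
"""Model of how SonicOS 5.8 Bandwidth Management actions account for
bandwidth. Added illustration, not SonicOS code; the fair-share split of a
Per Policy budget is an assumption (the guide states only the combined cap)."""
from dataclasses import dataclass

# Predefined BWM actions (Table 3): maximum bandwidth as a fraction of the
# total available interface bandwidth; all three are Per Action.
PREDEFINED_BWM = {"BWM High": 0.90, "BWM Medium": 0.50, "BWM Low": 0.20}


@dataclass(frozen=True)
class BWMAction:
    name: str
    max_mbps: float
    per_policy: bool = False  # False = Per Action, True = Per Policy


def predefined_action(name: str, total_mbps: float) -> BWMAction:
    """Build BWM High/Medium/Low for an interface whose Available
    Egress/Ingress Bandwidth (footnote 1 of Table 3) is total_mbps."""
    return BWMAction(name, PREDEFINED_BWM[name] * total_mbps)


def _max_min_share(demand: dict[str, float], budget: float) -> dict[str, float]:
    """Split one budget among policies, smallest demand first (assumption)."""
    alloc, left = {}, budget
    ordered = sorted(demand.items(), key=lambda kv: kv[1])
    for i, (policy, wanted) in enumerate(ordered):
        share = left / (len(ordered) - i)
        alloc[policy] = min(wanted, share)
        left -= alloc[policy]
    return alloc


def allocate(action: BWMAction, demand_mbps: dict[str, float]) -> dict[str, float]:
    """Admitted Mbps for each App Rules policy that uses `action`, given the
    traffic (Mbps) each policy is trying to push.

    Per Action: every policy may consume up to action.max_mbps on its own.
    Per Policy: all policies that share the action are capped together."""
    if action.per_policy:
        return _max_min_share(demand_mbps, action.max_mbps)
    return {p: min(d, action.max_mbps) for p, d in demand_mbps.items()}


if __name__ == "__main__":
    # Constructed demand: three policies sharing one 10 Mbps custom action.
    demand = {"mp3_limit": 2.0, "p2p_limit": 12.0, "exe_limit": 30.0}
    for mode in (False, True):
        act = BWMAction("Custom 10 Mbps", 10.0, per_policy=mode)
        got = allocate(act, demand)
        print("Per Policy" if mode else "Per Action", got, "total", sum(got.values()))
```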
Figure 10 Per Action or Per Policy Bandwidth Management
Application layer bandwidth management configuration is handled in the same way as the Ethernet
bandwidth management configuration associated with Firewall > Access Rules. However, with Application
Firewall you can specify all content type, which you cannot do with access rules.
Note Bandwidth management policies defined with Firewall > Access Rules always have priority
over application layer bandwidth management policies. Thus, if an access rule bandwidth
management policy is applied to a certain connection, then an application layer bandwidth
management policy will never be applied to that connection.
Packet Monitoring
When the predefined Packet Monitor action is set for a policy, SonicOS will capture or mirror the traffic
according to the settings you have configured on the System > Packet Monitor page. The default is to create
a capture file, which you can view with Wireshark.
To customize the action, you can click Configure on the System > Packet Monitor page and select Enable Filter based on firewall rule on the Monitor Filter tab. This works for both Application Firewall policies
and for Firewall Access Rules, and allows you to specify configuration or filtering for what to capture or
mirror. You can download the capture in different formats and look at it in a Web page, for example.
To set up mirroring, go to the Mirror tab and pick an interface to which to send the mirrored traffic in the
Mirror filtered packets to Interface (NSA platforms only) field under Local Mirroring Settings. You can
also configure one of the Remote settings. This allows you to mirror the application packets to another
computer and store everything on its hard disk. For example, you could capture everyone’s MSN Instant
Messenger traffic and read the conversations.
See the SonicOS Administrator’s Guide for more information about configuring the Packet Monitor feature,
available at:
http://www.sonicwall.com/us/Support.html
Email Address Objects
Application Firewall allows the creation of custom email address lists as email address objects. You can only
use email address objects in an SMTP client policy configuration. Email address objects can represent either
individual users or the entire domain. You can also create an email address object that represents a group
by adding a list of individual addresses to the object. This provides a way to easily include or exclude a group
of users when creating an SMTP client policy.
For example, you can create an email address object to represent the support group:
Figure 11 Email Address Object
After you define the group in an email address object, you can create an SMTP client policy that includes
or excludes the group.
In Figure 12, the settings exclude the support group from a policy that prevents executable files from being
attached to outgoing email. You can use the email user object in either the MAIL FROM or RCPT TO fields
of the SMTP client policy. The MAIL FROM field refers to the sender of the email. The RCPT TO field
refers to the intended recipient.
Figure 12 SMTP Client Policy
Although Application Control cannot extract group members directly from Outlook Exchange or similar
applications, you can use the member lists in Outlook to create a text file that lists the group members. Then
when you create an email address object for this group, you can use the Load From File button to import
the list from your text file. Be sure that each email address is on a line by itself in the text file.
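A helper for preparing that text file (an added example, not SonicOS code): it takes an Outlook-style member list, where entries may carry display names and be separated by semicolons or commas, and produces the one-address-per-line form that Load From File expects, reporting entries that are not a single usable address. The sample list is constructed.

```python
"""Turn an Outlook-style member list into the one-address-per-line text file
that Load From File on an Email Address Object expects. Added example, not
SonicOS code; the address shape accepted by the regex is this script's own
conservative rule, not a SonicOS validation rule."""
import re

# One address: local part, '@', and a domain with at least one dot.
_ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")


def _split_members(raw: str) -> list[str]:
    """Split on ',' ';' or newline, but not inside quotes or <...>, so a
    display name such as "Doe, Jane" <jane@example.com> stays one entry."""
    tokens, cur, in_quote, in_angle = [], [], False, False
    for ch in raw:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "<" and not in_quote:
            in_angle = True
        elif ch == ">" and not in_quote:
            in_angle = False
        if ch in ",;\n" and not in_quote and not in_angle:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur))
    return [t.strip() for t in tokens if t.strip()]


def _address_of(token: str) -> str:
    """'Display Name <addr>' -> addr; a bare token is returned lower-cased."""
    m = re.search(r"<([^<>]+)>", token)
    return (m.group(1) if m else token).strip().strip('"').lower()


def normalize_member_list(raw: str) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected): unique addresses in first-seen order, and
    the original entries that are not a single address (group names, hosts
    without a domain suffix) so they can be fixed before import."""
    accepted, rejected, seen = [], [], set()
    for token in _split_members(raw):
        addr = _address_of(token)
        if not _ADDR_RE.match(addr):
            rejected.append(token)
        elif addr not in seen:
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected


def to_load_file(accepted: list[str]) -> str:
    """Exactly one address per line with a trailing newline."""
    return "\n".join(accepted) + "\n"
```

Write the returned text to a file and point Load From File at it; anything in the rejected list was left out and should be checked by hand.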
Supported Platforms
Application Control and Application Firewall are currently available in SonicOS 5.8 on the following
appliance models:
• SonicWALL NSA E8500
• SonicWALL NSA E7500
• SonicWALL NSA E6500
• SonicWALL NSA E5500
• SonicWALL NSA 5000
• SonicWALL NSA 4500