
Application Control in R77

I understand that in R77, traffic hits the firewall rule first, and after that the application control rules apply.

If I would like a group of IP addresses to hit the firewall rule and then hit the application control rules (allowing these IP addresses to access some domain objects, for instance *.google.com),

while the rest of the internal IP addresses only need to hit the firewall rule,

is it possible, and how do I set it up?

Thanks in advance

Cathy

8 Replies
Admin

Re: Application Control in R77

The source for all the rules you create should be in terms of the hosts you wish to subject to Application Control.

In R77.x, the implicit (last) rule is an Allow rule (not a Drop rule like in the Firewall policy).

Connections accepted by this implicit accept rule should remain in the SecureXL path.

At least that's how it appears to work per the following SK: Accelerating traffic with the Security Acceleration Module (SAM) while also using non-accelerated bl... 


Re: Application Control in R77

Thanks Dameon. I had a look at the SK: "Configure a group of networks under the policy rule to be scanned by the Application Control and URL Filtering Blade." How do I set up the firewall rule to configure a group of IP addresses to be scanned by Application Control and URL Filtering? Currently I have 60 firewall rules, and the implicit firewall rule is deny any any.

Admin

Re: Application Control in R77

Basically what the SK is saying is, for the pictured example:

  • Networks/Hosts mentioned in the group Groups_Networks_XYZ will be subject to Application Control and will flow through the Medium Path
  • Anything NOT listed in Groups_Networks_XYZ will be matched by the explicit rule, and thus remain in the SecureXL path

The main thing is to make sure no explicit Application Control rules match the traffic you want to remain in the SecureXL path.

In other words, make sure your Application Control rulebase makes no mention of the hosts whose traffic you want to remain in the SecureXL path.

If you don't want specific hosts to reach the Internet, they should be blocked from doing so in the Firewall rulebase.

Admin

Re: Application Control in R77

Create a group that includes the host/networks you wish to subject to Application Control.

Ensure that is listed as the Source for all of the Application Control rules you wish to create.

This will ensure that only the hosts you explicitly list will be subject to Application Control (and thus be in the Medium Path).

All other sources will not be subject to Application Control and should remain in the SecureXL path, if eligible.

Note this assumes that the relevant hosts/networks are permitted to access the Internet via the Firewall rulebase, which must accept the traffic before Application Control even sees it.

Re: Application Control in R77

Hi Dameon,

Thanks for your help. The application control works perfectly.

Just one more question regarding the regular expression:

If I would like to allow HTTP and HTTPS traffic to example.com and all subdomains of example.com, can I use the wildcard

*.example.com in the application control policy?

Admin

Re: Application Control in R77

For that to work correctly, you will probably need to have HTTPS Inspection enabled.

You could implement a version of this: Regex for TLD Blocks, but use the full domain instead of the TLD.

It's possible that Categorize HTTPS Sites may work depending on the site with a custom signature.

See: Signature Tool for custom Application Control and URL Filtering applications

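As an added example (not from this thread, and not Check Point's own code), here is a Python comparison of a naively translated "*.example.com" wildcard against an anchored regex for example.com and its subdomains; the sample host names and helper names are constructed for this illustration, and the exact regex dialect the gateway's Signature Tool accepts is an assumption to verify before use.

```python
import re

# Constructed sample host names (not from the thread). The last three must NOT
# be allowed by a rule intended for example.com and its subdomains.
SAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "mail.example.com",
    "a.b.example.com",
    "notexample.com",         # different registrable domain
    "example.com.evil.test",  # example.com is only a prefix of the real host
    "example.org",
]

# Naive translation of the wildcard into regex: the dot is unescaped (matches any
# character) and nothing anchors the pattern to the start or end of the host name.
NAIVE_PATTERN = re.compile(r".*example.com", re.IGNORECASE)


def wildcard_to_regex(domain: str) -> re.Pattern:
    """Build an anchored regex for DOMAIN and every subdomain of it.

    Hypothetical helper: escapes the literal dots, allows zero or more DNS
    labels in front of the apex, and anchors both ends so that neither
    "notexample.com" nor "example.com.evil.test" can match.
    """
    apex = re.escape(domain.lower())
    return re.compile(rf"^(?:[a-z0-9-]+\.)*{apex}$", re.IGNORECASE)


def matching_hosts(pattern: re.Pattern, hosts: list[str]) -> list[str]:
    """Return the hosts the pattern matches when it is applied unanchored
    (search anywhere), which is how an engine treats a pattern with no ^/$."""
    return [h for h in hosts if pattern.search(h)]


if __name__ == "__main__":
    print("naive   :", matching_hosts(NAIVE_PATTERN, SAMPLE_HOSTS))
    print("anchored:", matching_hosts(wildcard_to_regex("example.com"), SAMPLE_HOSTS))
```

The naive pattern also allows the two look-alike hosts, which is why a custom application signature should use escaped dots and explicit anchors.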

Re: Application Control in R77

Thanks Dameon. My concern is: if I enable HTTPS inspection, will it impact the Check Point performance?

If the HTTPS traffic is non-browser traffic, will the HTTPS inspection still work?

Admin

Re: Application Control in R77

HTTPS Inspection has a performance impact for sure.

It may also impact non-browser HTTPS Traffic, which you can create exceptions for and/or enable Probe Bypass for.
