Tip of the Week - Application Control Best Practices

Valeri_Loukine · ‎2019-01-07

Working with Application Control Software Blade can be challenging sometimes. How to build an effective AC policy rules? What categories should be blocked unconditionally? How to deal with unknown applications? What about HTTPs inspection, is that required or not?

These and many other questions are answered in Best Practices - Application Control SecureKnowledge article.

Vladimir · ‎2019-01-07

Valeri Loukine‌,

Can we get a definitive answer on where "Any Recognized" is now?

It is explicitly mentioned in this current SK:

Setting Your Policy for Unknown Traffic

"Unknown traffic" is non-HTTP traffic that does not match anything in your current application database. Logs for unknown traffic should be examined carefully to understand what is behind them. Traffic that results in such a log could be a product of a protocol that is not yet supported, anonymized traffic which uses a proprietary protocol, or even a mis-detected supported protocol or application.

As the options listed have either security or connectivity concerns (often both), report any missing protocol or misdetection directly to the Application Control team. In general, once the unknown traffic has been inspected and categorized correctly, it is recommended you block such traffic facing the Internet and continue to monitor internal traffic.

Note: Unknown traffic will be matched on rules containing "Any Recognized" in addition to specific rules.

But it is not available in R80.10 and R80.20 and I am not sure about future releases.

Additionally, the Note above does not seem to make sense. It is either "Unknown" or "Recognized".

Thank you,

Vladimir

Valeri_Loukine · ‎2019-01-09

Let me look into that