Policy Guidelines for Application Control
To monitor or block application use, you must enable Application Control for all policies that handle the application traffic. We do not recommend that you apply the Global Application Control action to every policy. Because of the performance impact, you do not want, and do not need, to enable Application Control for every policy.
We recommend that you enable Application Control for these types of policies:
- Any outbound policy that handles HTTP or HTTPS traffic
- VPN policies that use 0.0.0.0/0 routes (default-route VPNs)
- Any outbound policy if you are not sure how the policy is used
- Policies that use the ‘Any’ protocol
- Policies that use an ‘Any-*’ alias, for example Allow ‘Any-Trusted’ to ‘Any-External’, on a specific port/protocol
If you enable Application Control for an HTTPS proxy policy, you must also enable Content Inspection in the HTTPS proxy action. This is required for Application Control to detect applications over an HTTPS connection. For more information, see HTTPS-Proxy: Content Inspection. Application Control scanning of HTTPS content is not supported on XTM 21, 21-W, 22, 22-W, 23, and 23-W devices.
It is not necessary to enable Application Control for a policy if you control the network on both sides of a traffic flow the policy handles. Some examples of these types of policies include:
- POS systems
- Intranet web applications
- Internal databases and traffic in a DMZ
It is not usually necessary to enable Application Control for policies that are restricted by port and protocol and that allow only a known service. Some examples of these types of policies include:
- Default WatchGuard policies
- DNS traffic
- VoIP - SIP and H.323 application layer gateways
Each policy can allow only the traffic that matches the protocol for that policy. For example, HTTP application traffic is never allowed through the DNS proxy. To effectively monitor or block an application, you must consider all protocols used by that application, and enable Application Control for all policies that handle those protocols.
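As an added example (not WatchGuard's code or documentation), the Python audit below applies the guidelines on this page to a list of policy records: it flags policies that should have Application Control enabled but do not, skips policies where you control both ends of the flow, and flags HTTPS proxy policies that have Application Control without Content Inspection. The record fields (direction, protocol, from/to aliases, routes, both_sides_controlled, app_control, content_inspection) and the sample policies are constructed assumptions, not a WatchGuard configuration format.

```python
# Added example, not WatchGuard's own code: audit firewall policies against the
# Application Control guidelines in this article. Field names and sample values
# are constructed; map a real configuration export onto this shape before use.

OUTBOUND_WEB = {"HTTP", "HTTPS", "HTTP-proxy", "HTTPS-proxy"}

def needs_app_control(policy):
    """Return the guideline that calls for Application Control on this policy, or None."""
    # Both ends of the flow under your control (POS, intranet apps, DMZ databases): not needed.
    if policy.get("both_sides_controlled"):
        return None
    proto = policy.get("protocol", "")
    outbound = policy.get("direction") == "outbound"
    aliases = policy.get("from", []) + policy.get("to", [])
    if outbound and proto in OUTBOUND_WEB:
        return "outbound policy handling HTTP or HTTPS"
    if policy.get("type") == "vpn" and "0.0.0.0/0" in policy.get("routes", []):
        return "default-route VPN (0.0.0.0/0)"
    if proto == "Any":
        return "policy uses the 'Any' protocol"
    if any(alias.startswith("Any-") for alias in aliases):
        return "policy uses an 'Any-*' alias"
    if outbound and not policy.get("purpose"):
        return "outbound policy whose use is not known"
    return None

def audit(policies):
    """Return (policy name, finding) pairs for policies that deviate from the guidelines."""
    findings = []
    for p in policies:
        reason = needs_app_control(p)
        if reason and not p.get("app_control"):
            findings.append((p["name"], "enable Application Control: " + reason))
        # Application Control on an HTTPS proxy only sees traffic if Content Inspection is on.
        if p.get("protocol") == "HTTPS-proxy" and p.get("app_control") and not p.get("content_inspection"):
            findings.append((p["name"], "HTTPS proxy has Application Control but not Content Inspection"))
    return findings

# Constructed sample policies (not from a real device).
SAMPLE_POLICIES = [
    {"name": "HTTP-proxy-out", "direction": "outbound", "protocol": "HTTP-proxy",
     "from": ["Any-Trusted"], "to": ["Any-External"], "app_control": False},
    {"name": "BOVPN-default-route", "type": "vpn", "routes": ["0.0.0.0/0"], "app_control": False},
    {"name": "HTTPS-proxy-out", "direction": "outbound", "protocol": "HTTPS-proxy",
     "app_control": True, "content_inspection": False},
    {"name": "Intranet-DB", "direction": "internal", "protocol": "Any", "both_sides_controlled": True},
    {"name": "Any-Out", "direction": "outbound", "protocol": "Any", "app_control": True},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES):
        print(f"{name}: {finding}")
```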
To block evasive applications that dynamically use different ports, you must enable Application Control to block those applications in all of your policies. For more information about evasive applications, see Manage Evasive Applications.
For some examples of how to use Application Control with policies, see Application Control Policy Examples.