Application Control Policy Examples

You can use the Global Application Control action with other Application Control actions to allow or block different applications based on the time of day, or based on the user name or user group. First, create Application Control actions that block or allow different sets of applications. Then, apply different Application Control actions to different policies.

Each of the examples enable Application Control actions for a single type of policy. If your configuration includes other policy types, such as TCP-UDP, or Outgoing, you can use the same steps to set up a two-tiered Application Control configuration for those policies. The policies that you must apply an Application Control action to depend on which policies exist in your configuration, and which applications you want to block. For example, if you want to block an application that you know uses FTP, you must enable the Application Control action for the FTP policy.

To create an exception for a remote host, create a policy by domain name to allow the domain. For more information, see About Policies by Domain Name (FQDN).

For recommendations on which types of policies to configure for Application Control, see Policy Guidelines for Application Control.

Allow an Application For a Group of Users

If the Global Application Control action blocks an application, you can create a separate Application Control action to allow that same application for a department or other user group. For example, if you want to block the use of MSN instant messaging for most users, but you want to allow this application for the people in the Sales department, you can create different Application Control actions and policies to get this result.

If you already have an HTTP packet filter policy that applies to all users, you can use these steps to allow different applications for the Sales department.

  1. Configure the Global Application Control action to block MSN instant messaging, and any other applications you do not want to allow.
  2. Apply the Global Application Control action to the existing HTTP packet filter policy.
  3. Create a new Application Control action to allow MSN instant messaging. For example, you could call this action, AllowIM. Configure this action to use the Global action when the application does not match.
  4. Create an HTTP policy for the users in the Sales department. For example, you could call this policy HTTP-Sales. For information about how to create a policy for a group of users, see Use Users and Groups in Policies.
  5. Apply the AllowIM Application Control action to the HTTP-Sales policy.
  6. Enable logging for the HTTP and HTTP-Sales policies.
    You must enable logging to see information about Application Control in the log files and reports.

In this example, the two resulting HTTP policies could look like this:

Policy: HTTP-Sales

HTTP connections are: Allowed
From: Sales To: Any-External
Application Control: AllowIM

Policy: HTTP

HTTP connections are: Allowed
From: Any-Trusted To: Any-External
Application Control: Global

The AllowIM Application Control action applied to the HTTP-Sales policy acts as an exception to the Global Application Control action. The users in the Sales group can use MSN instant messaging, but cannot use any other applications blocked by the Global Application Control action.

If this device configuration included other policies, such as  HTTP-Proxy, TCP-UDP, or Outgoing, that could be used for IM traffic, you can repeat the steps above to set up a two-tiered Application Control configuration for other policies.

Block Applications During Business Hours

You can use Application Control with policies to block different applications based on the time of day. For example, you might want to block the use of games during business hours. To block applications during certain hours, you can use Application Control with policies that have an operating schedule.

If you already have an HTTP-Proxy policy that does not have an operating schedule, use these steps to add a new policy and Application Control action to block applications during business hours.

  1. Configure the Global Application Control action to block applications you want to always block.
  2. Apply the Global Application Control action to the existing HTTP-Proxy policy.
  3. Create a schedule called Business-Hours that defines the business hours. For more information about schedules, see Create Schedules for Firebox Actions.
  4. Create a new HTTP-Proxy policy that uses the Business-Hours schedule you configured. For example, you could call the new policy HTTP-Proxy-Business. For more information about how to set the schedule for a policy, see Set an Operating Schedule.
  5. Create an Application Control action that blocks the applications you want to block during business hours. For example, you could call this action Business.
  6. Apply the Business Application Control action to the HTTP-Proxy-Business policy.
  7. Enable logging for the HTTP-Proxy and HTTP-Proxy-Business policies.
    You must enable logging to see information about Application Control in the log files and reports.

In this example, the two resulting policies could look like this:

Policy: HTTP-Proxy-Business

HTTP connections are: Allowed
From: Sales To: Any-External
Application Control: Business

Policy: HTTP-Proxy

HTTP connections are: Allowed
From: Any-Trusted To: Any-External
Application Control: Global

The Business Application Control action in the HTTP-Proxy-Business policy blocks games only during business hours. All other applications in the Global Application Control action are blocked at all times of day.

If this device configuration included other policies, such as  HTTP, TCP-UDP, or Outgoing, that might be used for games traffic, you can repeat the steps above to set up a two-tiered Application Control configuration for other policies.

Application Control and Policy Precedence

When you apply different Application Control actions to multiple policies of the same type, it is helpful to understand policy precedence, so you know which policies apply to which types of traffic. Firebox automatically sorts policies from the most detailed to the most general. The first rule in the list to match the conditions of the packet is applied to the packet.

For more information about policy precedence, see About Policy Precedence.

See Also

Configure Application Control Actions