Policy Guidelines for Application Control

To monitor or block application use, you must enable Application Control for all policies that handle the application traffic. We do not recommend that you apply the Global Application Control action to every policy. Because of the performance implications, you don’t want — or need — to enable Application Control for every policy.

We recommend that you enable Application Control for these types of policies:

  • Any outbound policy that handles HTTP or HTTPS traffic
  • VPN policies that use 0.0.0.0/0 routes (default-route VPNs)
  • Any outbound policy if you are not sure how the policy is used
  • Policies that use the ‘Any’ protocol
  • Policies that use an ‘Any-*’ alias, for example Allow ‘Any-Trusted’ to ‘Any-External’, on a specific port/protocol

If you enable Application Control for an HTTPS proxy policy, you must also enable Content Inspection in the HTTPS proxy action. This is required for Application Control to detect applications over an HTTPS connection. For more information, go to HTTPS-Proxy: Content Inspection.

It is not necessary to enable Application Control for a policy if you control the network on both sides of a traffic flow the policy handles. Some examples of these types of policies include:

  • POS systems
  • Intranet web applications
  • Internal databases and traffic in a DMZ

It is not usually necessary to enable Application Control for policies that are restricted by port and protocol and that allow only a known service. Some examples of these types of policies include:

  • Default WatchGuard policies
  • DNS traffic
  • RDP
  • VoIP - SIP and H.323 application layer gateways

Each policy can allow only the traffic that matches the protocol for that policy. For example, HTTP application traffic is never allowed through the DNS proxy. To effectively monitor or block an application, you must consider all protocols used by that application, and enable Application Control for all policies that handle those protocols.

To block evasive applications that dynamically use different ports, you must enable Application Control to block those applications in all of your policies. For more information about evasive applications, go to Manage Evasive Applications.
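The guidelines above can be applied mechanically to a policy set. The following is an added example, not WatchGuard code and not a real Fireware API: it assumes a simplified, hypothetical policy record (fields such as `outbound`, `vpn_routes`, `usage_known`, `both_sides_controlled`, `https_proxy` and `content_inspection` are constructed for this illustration) and reports which policies should have Application Control enabled, which have it enabled without Content Inspection on the HTTPS proxy, and which have it enabled where the page says it is not usually needed. The sample policies are constructed.

```python
"""Audit a set of firewall policies against the Application Control guidelines.

Added example with a hypothetical policy model; it is not a WatchGuard API.
"""
from dataclasses import dataclass

# Port/protocol-restricted known services that usually do not need
# Application Control (DNS, RDP, VoIP gateways).
KNOWN_SERVICES = {"DNS", "RDP", "SIP", "H323"}


@dataclass
class Policy:
    name: str
    protocol: str                     # e.g. "HTTP", "HTTPS", "DNS", "Any"
    outbound: bool
    from_alias: str = ""
    to_alias: str = ""
    is_vpn: bool = False
    vpn_routes: tuple = ()            # hypothetical: routes carried by a VPN policy
    usage_known: bool = True          # False if you are not sure how the policy is used
    both_sides_controlled: bool = False
    app_control: bool = False
    https_proxy: bool = False         # hypothetical: policy is an HTTPS proxy
    content_inspection: bool = False  # hypothetical: Content Inspection in the proxy action


def reasons_to_enable(p):
    """Return the guideline reasons why this policy needs Application Control."""
    reasons = []
    if p.outbound and p.protocol in ("HTTP", "HTTPS"):
        reasons.append("outbound HTTP/HTTPS policy")
    if p.is_vpn and "0.0.0.0/0" in p.vpn_routes:
        reasons.append("default-route VPN (0.0.0.0/0)")
    if p.outbound and not p.usage_known:
        reasons.append("outbound policy with unknown use")
    if p.protocol == "Any":
        reasons.append("uses the 'Any' protocol")
    if p.from_alias.startswith("Any-") or p.to_alias.startswith("Any-"):
        reasons.append("uses an 'Any-*' alias")
    return reasons


def audit(policies):
    """Return (policy name, recommendation) pairs for policies that deviate."""
    findings = []
    for p in policies:
        # Application Control on an HTTPS proxy cannot see the application
        # without Content Inspection.
        if p.app_control and p.https_proxy and not p.content_inspection:
            findings.append((p.name, "enable Content Inspection in the HTTPS proxy action"))
        # Both ends of the flow under your control: Application Control is not necessary.
        if p.both_sides_controlled:
            if p.app_control:
                findings.append((p.name, "Application Control not needed: both sides controlled"))
            continue
        reasons = reasons_to_enable(p)
        if reasons and not p.app_control:
            findings.append((p.name, "enable Application Control: " + "; ".join(reasons)))
        elif not reasons and p.app_control and p.protocol in KNOWN_SERVICES:
            findings.append((p.name, "not usually needed for known service " + p.protocol))
    return findings


# Constructed sample policy set.
SAMPLE_POLICIES = [
    Policy("HTTPS-proxy-out", "HTTPS", outbound=True, from_alias="Any-Trusted",
           to_alias="Any-External", app_control=True, https_proxy=True),
    Policy("BOVPN-default", "Any", outbound=False, is_vpn=True, vpn_routes=("0.0.0.0/0",)),
    Policy("DNS-out", "DNS", outbound=True, from_alias="Trusted", to_alias="External",
           app_control=True),
    Policy("DMZ-DB", "MSSQL", outbound=False, both_sides_controlled=True),
    Policy("Legacy-out", "TCP-5000", outbound=True, usage_known=False),
]

if __name__ == "__main__":
    for name, advice in audit(SAMPLE_POLICIES):
        print(f"{name}: {advice}")
```

The check is deliberately conservative: a policy that matches any "enable" rule is reported unless both ends of the flow are yours, which mirrors the page's ordering of exceptions.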

For some examples of how to use Application Control with policies, go to Application Control Policy Examples.