WatchGuard recommends you enable Application Control for policies that handle outbound traffic from your network. You do not need to enable Application Control on policies for Branch Office VPNs to trusted sites, or for traffic between trusted hosts on your internal network.
When you configure the Application Control action, be very specific about which applications you choose to block. If you block by category, you may unintentionally block applications that you need for your network.
Application Control and WebBlocker
If you configure an HTTP or HTTPS-proxy policy with both WebBlocker and Application Control enabled, both services will apply to each connection. If WebBlocker allows a site but Application Control denies it, the site will be denied.
Application Control may not correctly identify HTTPS applications unless you enable content inspection in the HTTPS-proxy action.
Common Application Control Problems
These are common types of problems you might encounter with Application Control, and the solutions that most often resolve these problems.
When you configure Application Control on your Firebox device, you will see all applications which are in the signature set your device currently uses. If you do not see the application you want to block, you can confirm whether WatchGuard has a signature with the Application Control Portal.
If your device does not list an application which appears on the Application Control Portal, confirm that your device is configured to automatically download signature updates. For more information on this, see Configure the Application Control Update Server.
There are several possible reasons users may still be able to access an application:
- The traffic uses a policy which is not configured for Application Control. Confirm that every policy that handles outbound traffic has Application Control enabled.
- The user accessed the application over HTTPS. Make sure that you use the HTTPS-proxy or a TCP-UDP proxy to handle HTTPS traffic, and that the HTTPS proxy action has content inspection enabled.
- The Firebox device has an outdated version of the Application Control signature set. Confirm that your device is configured to automatically download signature updates. For more information, see Configure the Application Control Update Server.
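The checklist above, together with the exemptions and the WebBlocker rule from the earlier sections, can be run as an audit over a policy inventory. This is an added example, not WatchGuard code: the inventory is constructed, and its field names and policy names are hypothetical, not a Firebox configuration or export format.

```python
# Constructed inventory; field names are hypothetical, not a Firebox export format.
DEVICE = {"signature_auto_update": False}
POLICIES = [
    {"name": "HTTP-proxy-out", "type": "HTTP-proxy", "to": "External",
     "app_control": True, "content_inspection": False},
    {"name": "HTTPS-proxy-out", "type": "HTTPS-proxy", "to": "External",
     "app_control": True, "content_inspection": False},
    {"name": "HTTPS-filter-out", "type": "HTTPS", "to": "External",
     "app_control": True, "content_inspection": False},
    {"name": "DNS-out", "type": "DNS", "to": "External",
     "app_control": False, "content_inspection": False},
    {"name": "BOVPN-HQ", "type": "Any", "to": "BOVPN-trusted",
     "app_control": False, "content_inspection": False},
    {"name": "Internal-SMB", "type": "SMB", "to": "Trusted",
     "app_control": False, "content_inspection": False},
]

# Destinations the page says do not need Application Control.
EXEMPT_DESTINATIONS = {"BOVPN-trusted", "Trusted"}
HTTPS_PROXY_TYPES = {"HTTPS-proxy", "TCP-UDP-proxy"}
HTTPS_TYPES = HTTPS_PROXY_TYPES | {"HTTPS"}  # "HTTPS" = packet filter, no proxy


def audit(device, policies):
    """Return (subject, finding) pairs for the three causes in the checklist."""
    findings = []
    if not device["signature_auto_update"]:
        findings.append(("device", "signature auto-update disabled"))
    for p in policies:
        if p["to"] in EXEMPT_DESTINATIONS:
            continue  # BOVPN to trusted sites, or trusted internal hosts
        if not p["app_control"]:
            findings.append((p["name"], "outbound policy without Application Control"))
        if p["type"] in HTTPS_TYPES:
            if p["type"] not in HTTPS_PROXY_TYPES:
                findings.append((p["name"], "HTTPS not handled by a proxy"))
            elif not p["content_inspection"]:
                findings.append((p["name"], "content inspection disabled"))
    return findings


def final_verdict(webblocker_allows, app_control_allows):
    """Both services apply to the connection; either one denying denies it."""
    return "allow" if webblocker_allows and app_control_allows else "deny"


if __name__ == "__main__":
    for subject, finding in audit(DEVICE, POLICIES):
        print(f"{subject}: {finding}")
```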