Application Firewall

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

You can enable an Application Firewall and create rules to control application use. You can enable the Application Firewall independently of the Firewall rules to create rules to allow or block specific applications on the SSID.

You must enable Application Visibility on an SSID to be able to use the Application Firewall.

Application Visibility and the Application Firewall are only supported on 802.11ac Wave 2 APs. The feature is not supported on the AP120, AP320, and AP322.

Add Application Firewall Rule

To add a new application firewall rule:

Click Add New Rule.
Specify a Rule Name.
Select the rule category from the drop-down list. You can choose from one of these categories:

Messaging
Proxy
File Transfer
Networking
Web Services
Remote Access
VPN and Tunneling
Database
Network Monitoring
Collaboration
Games
Streaming Media
Mail
Social Networking

Select the Application Name.
Select the Action to take if the application is detected. You can choose to Allow, Block, or Allow and Mark.

Click Add New Rule to add new application rules above or below the current rule.

The default application firewall rule is to block all applications.

About Firewall Rules Order

Rules are processed in the configured order. When a rule match occurs, the configured action is performed and all other rules are ignored. You can select and move entries to reorder the rules.

This table describes the precedence used in the event of a conflict between a firewall rule (layer 3) and application rule (layer 7).

Firewall Rule (Layer 3)	Application Firewall Rule (Layer 7)	Final Action
Deny	Any	Deny
Allow	Deny	Deny
Allow	Allow	Allow
Allow	No Match	Allow
No Match	Deny	Deny
No Match	Allow	Allow
No Match	No Match	Default

This table describes the precedence used in the event of a conflict between marking rules:

Firewall Rule (Layer 3)	Application Firewall Rule (Layer 7)	Final Action
Allow and Mark	Allow and Mark	Allow with Application L7 marking
Allow and Mark	Allow	Allow with Firewall L3 marking
Allow and Mark	No Match	Allow with Firewall L3 marking
No Match	Allow and Mark	Allow with Application L7 marking
No Match	No Match	Default marking

© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.