Policy Guidelines for Application Control

To monitor or block application use, you must enable Application Control for all policies that handle the application traffic. We do not recommend that you apply the Global Application Control action to every policy. Because of the performance implications, you don’t want — or need — to enable Application Control for every policy.

We recommend that you enable Application Control for these types of policies:

It is not necessary to enable Application Control for a policy if you control the network on both sides of a traffic flow the policy handles. Some examples of these types of policies include:

It is not usually necessary to enable Application Control for policies that are restricted by port and protocol and that allow only a known service. Some examples of these types of policies include:

Each policy can allow only the traffic that matches the protocol for that policy. For example, HTTP application traffic is never allowed through the DNS proxy. To effectively monitor or block an application, you must consider all protocols used by that application, and enable Application Control for all policies that handle those protocols.

To block evasive applications that dynamically use different ports, you must enable Application Control to block those applications in all of your policies. For more information about evasive applications, see Manage Evasive Applications.

For some examples of how to use Application Control with policies, see Application Control Policy Examples.

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base