Creating Application Control and URL Filtering Rules

To learn which applications and categories have a high risk, look through the Application Wiki in the Access Tools part of the Security Policies view. Find ideas for applications and categories to include in your Policy.

To see an overview of your Access Control Policy and traffic, see the Access Control view in Logs & Monitor > New Tab > Views .

Best Practice - Do not use Application Control and URL Filtering in the same rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. , this may lead to wrong rule matching. Use Application Control and URL Filtering in separate rules. This makes sure that the URL Filtering rule is used as soon as the category is identified. For more information, see sk174045.

Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?

To monitor all Facebook application traffic:

In the Security Policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. view of SmartConsole , go to the Access Control Policy.
Choose a Layer with Applications and URL Filtering enabled.
Click one of the Add rule toolbar buttons to add the rule in the position that you choose in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. . The first rule matched is applied.
Create a rule that includes these components:
Name - Give the rule a name, such as Monitor Facebook .
Source - Keep it as Any so that it applies to all traffic from the organization.
Destination - Keep it as Internet so that it applies to all traffic going to the internet or DMZ.
Services & Applications - Click the plus sign to open the Application viewer. Add the Facebook application to the rule:

Note - Applications are matched by default on their Recommended services. You can change this (see Configuring Matching for an Allowed Application). Each service runs on a specific port. The recommended Web Browsing Services are http , https , HTTP_proxy , and HTTPS_proxy .

Start to type "face" in the Search field. In the Available list, see the Facebook application.
Click each item to see more details in the description pane.
Select the items to add to the rule.

The rule allows all Facebook traffic but logs it. You can see the logs in the Logs & Monitor view, in the Logs tab. To monitor how people use Facebook in your organization, see the Access Control view ( SmartEvent Server required).

Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?

To block an application or category of applications and tell the user about the policy violation:

In the Security Policies view of SmartConsole , go to the Access Control Policy.
Choose a Layer with Applications and URL Filtering enabled.
Create a rule that includes these components:
Services & Applications - Select the Pornography category.
Action - Drop , and a UserCheck Blocked Message - Access Control The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.
Track - Log

Note - This Rule Base example contains only those columns that are applicable to this subject.

Name	Source	Destination	Services & Applications	Action	Track	Install On
Block Porn	Any	Internet	Pornography (category)	Drop Blocked Message	Log	Policy Targets

The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any , also blocks traffic to and from the Captive Portal .

Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks.

If you do not want to block an application or category, there are different ways to set limits for employee access:

Add a Limit object to a rule to limit the bandwidth that is permitted for the rule.
Add one or more Time objects to a rule to make it active only during specified times.

The example rule below:

Allows access to streaming media during non-peak business hours only.
Limits the upload throughput for streaming media in the company to 1 Gbps.

To create a rule that allows streaming media with time and bandwidth limits:

In the Security Policies view of SmartConsole , go to the Access Control Policy.
Choose a Layer with Applications and URL Filtering enabled.
Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base .
Create a rule that includes these components:
Services & Applications - Media Streams category.

Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing Services : http , https , HTTP_proxy , and HTTPS_proxy . To change this, see Services & Applications Column.

Name	Source	Destination	Services and Applications	Action	Track	Install On	Time
Limit Streaming Media	Any	Internet	Media Streams (Category)	Accept Upload_1Gbps	Log	All	Off-Work

Scenario: I want to allow a Remote Access application for a specified group of users and block the same application for other users. I also want to block other Remote Access applications for everyone. How can I do this?

In this example:

You have already created an Access Role Identified_Users that represents all identified users in the organization. You can use this to allow access to applications only for users who are identified on the Security Gateway .
You want to allow access to the Radmin Remote Access tool for all identified users.
You want to block all other Remote Access tools for everyone within your organization. You also want to block any other application that can establish remote connections or remote control.

To do this, add two new rules to the Rule Base :

Create a rule and include these components:
- Source - The Identified_Users access role
- Destination - Internet
- Services & Applications - Radmin
- Action - Accept
Create another rule below and include these components:
- Source - Any
- Destination - Internet
- Services & Applications - The category: Remote Administration
- Action - Block

Name	Source	Destination	Services & Applications	Action	Track	Install On
Allow Radmin to Identified Users	Identified_Users	Internet	Radmin	Allow	Log	All
Block other Remote Admins	Any	Internet	Remote Administration	Block	Log	All

Notes on these rules: :

Because the rule that allows Radmin is above the rule that blocks other Remote Administration tools, it is matched first.
The Source of the first rule is the Identified_Users access role. If you use an access role that represents the Technical Support department, then only users from the technical support department are allowed to use Radmin.
Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services : http , https , HTTP_proxy , and HTTPS_proxy . To change this see Changing Services for Applications and Categories.

For more about Access Roles and Identity Awareness , see the R81 Identity Awareness Administration Guide.

Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of these categories exist in the Application Database but there is also a custom defined site that must be included. How can I do this?

You can do this by creating a custom group and adding all applicable categories and the site to it. If you enable Identity Awareness on a Security Gateway , you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

You have already created

An Access Role that represents all identified users in the organization (Identified_Users).
A custom application for a site named FreeMovies.

In the Object Explorer , click New > More > Custom Application/Site > Application/Site Group .
Give the group a name. For example, Liability_Sites.
Click + to add the group members:
- Search for and add the custom application FreeMovies.
- Select Categories , and add the ones you want to block (for example Anonymizer, Critical Risk, and Gambling)
- Click Close
Click OK .

You can now use the Liability_Sites group in the Access Control Rule Base .

In the Security Policies view of SmartConsole , go to the Access Control Policy.

Source - The Identified_Users access role
Destination - Internet
Services & Applications - Liability_Sites
Action - Drop

Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web Browsing Services : http , https , HTTP_proxy , and HTTPS_proxy . To change this see Changing Services for Applications and Categories.