topic App-ID for general internet browsing in General Topics

App-ID for general internet browsing

Kaje — Thu, 07 Sep 2017 12:19:31 GMT

This is a question for the Heavy App-ID users.

How do you handle the rules for normal internet browsing? My users have access to most of the internet (except for a handfull of URL catagories) I have been trying to figure out something using Application filters, but cant seem to quite hit on the right filters for an allow rule (seems like app-filters are more designed to be used in a deny rule). Are you denying traffic you dont want, then just allowing 80 and 443?

My predicessor just put in a rule allowing the app of SSL and Web-browsing, but then promply followed it up by a rule allowing 80 and 443 that catches any Apps that are idenitifyed more more percicly then just "SSL" (IE google-base, Pandora, Citrix...)

So how do you guys handle this with APP-ID?

Re: App-ID for general internet browsing

reaper — Thu, 07 Sep 2017 12:39:07 GMT

I'd generally have 2 filters, one with 'good' and one with 'bad' apps and base everything on subcategories and technology that is accepted or should be blocked

There may be overlap, so I'd place the bad apps above the good so unwanted apps that do match positive characteristics would still be blocked

you can tune either as you go and the network evolves

on top of App-ID there's also URL filtering and Threat Prevention to consider that can block unwanted applications, even if they match all the 'good' characteristcs but fall into an unwanted URL category or carry threats

Re: App-ID for general internet browsing

Kaje — Thu, 07 Sep 2017 13:14:45 GMT

I have been messing around with the good and bad apps idea, but I am getting a lot of warnings with the commits.. like "application _____ requires ____ to be allowed, but it is denied by....

Should this just be ignored?

Re: App-ID for general internet browsing

reaper — Thu, 07 Sep 2017 13:23:22 GMT

If app x that requires app y is unimportant, you can ignore this warning, it will only break (or partially break) app x

A good feature request would be to have a toggle to automatically fix dependencies which could be very handy for the 'allow everything thats not explicitly bad' aproach

Re: App-ID for general internet browsing

Wald — Thu, 07 Sep 2017 16:05:03 GMT

@Kaje wrote:
I have been messing around with the good and bad apps idea, but I am getting a lot of warnings with the commits.. like "application _____ requires ____ to be allowed, but it is denied by....
Should this just be ignored?

You wouldn't like our warning list when we do a commit. It is HUGE and slightly annoying. As reaper started it would be nice to be able to toggle those off.

Re: App-ID for general internet browsing

OtakarKlier — Thu, 07 Sep 2017 16:46:22 GMT

Hello,

I have always believed in the DENY ALL allow by exception. With that at the bottom of my policies I have a DENY ALL rule that blocks anything that was not allowed above it. While it does cause a bit more policies and TLC it better controls what traffic is allowed in/out/sideways etc.

Also Applications become more apparent when you have SSL decryption enabled. For example we have to now allow web-browsing over port 443 since its 'default' port is 80.

So first I allow/block by URL categories, then I look at specific applications. i.e. there is no need to block the applications that allow file transfer if I block 'Online Storage and Backup' via URL, I don’t need to worry about all the applications that are used for this such as DropBox.

After this the Applications become less relevant until SSL decryption comes into play. Also at the top of my policies I do have Application Blocks using filters for the following: peer-to-peer, instant-messaging, and gaming.

Hope that helps.

Re: App-ID for general internet browsing

AlexG — Fri, 08 Sep 2017 11:49:51 GMT

Hi @OtakarKlier are you able to show some screen shots to get an visual on your setup ?

Cheers

Re: App-ID for general internet browsing

OtakarKlier — Fri, 08 Sep 2017 13:28:46 GMT

Hello @AlexG,

Is there a particular area of the setup you would like a screen shot from? I think i mentioned a few areas and want to make sure I provide you with the correct ones.

Cheers!