How to Create an Application Filter to Block High-Risk Applications

Printer Friendly Page

Overview

This document demonstrates how to create a security policy to deny high-risk (5) file-sharing applications that leverage peer-to-peer technology under the general internet category.

Steps

  1. Under the Policies Tab, select "Security" and then add a security rule.
  2. Enter the necessary information under the General, Source, User and Destination tabs, and select the "Application" tab.
  3. Select "Add." Scroll to the bottom of the drop-down and select "Application Filter."
    Screen Shot 2013-07-29 at 3.11.06 PM.png
  4. Name the Application Filter that you want to create.
  5. Since we are interested in high-risk (5) file-sharing applications that use peer-to-peer technology, follow these instructions:
    • Under Category column click to highlight general-internet
    • Select file-sharing under Subcategory
    • Technology will be peer-to-peer
    • Risk is 5
      Screen Shot 2013-07-29 at 3.13.04 PM.png
  6. Select "OK" to save. The Application Filter will appear in the rule.
  7. Complete the rest of the Security Policy rule. It is recommended to leave Service/Url Category as 'Any'. Action is then set to 'Deny'.

    Application filter 5.JPG

By following the above steps, traffic through the firewall will be categorized by the application filter.

Note: Application filters are dynamic. If a built-in category is chosen, a group can be made that is usable in rules. This will include everything that matches that category. As applications are re-categorized or as new ones are added to that category, they will be added or removed from the filter dynamically. This can potentially lead to issues because re-categorization can cause applications that were previously allowed to now be disallowed, and vice versa. With an application group, though, applications are being grouped in the same manner as a service-group or address-group. When more applications for allow or block are added, they will need to be added to the application group manually.

See Also

For an in-depth understanding of application dependencies in order to effectively apply the High-Risk Apps to a security policy, refer to the following document:

How to Check if an Application Needs to have Explicitly Allowed Dependency Apps

owner: sodhegba

Comments

One thing I noticed if you have another policy that has applications which are dependent upon the ones you're filtering the policy will not work. You must remove them from the policy.

I believe you could also just move your new policy up above the policy that is overriding. highlight your new policy and click the "Move Up" till you are above the old policy.

Security policies determine whether to block or allow a new network session based on traffic attributes such as the source and destination security zones, the source and destination addresses, and the application and a service. Remember that the Security rulebase is parsed in a top-down approach and with application filters applied to a policy, that will not be the only criteria that is matched in the policy for the traffic to be denied. Considering  WaterStreet suggestion above, moving those policies that depend on those high risk application up in the rulebase is a good idea.