This is a question for the Heavy App-ID users.
How do you handle the rules for normal internet browsing? My users have access to most of the internet (except for a handful of URL categories). I have been trying to figure out something using Application filters, but can't seem to quite hit on the right filters for an allow rule (seems like app-filters are more designed to be used in a deny rule). Are you denying traffic you don't want, then just allowing 80 and 443?
My predecessor just put in a rule allowing the apps SSL and web-browsing, but then promptly followed it up by a rule allowing 80 and 443 that catches any apps that are identified more precisely than just "SSL" (i.e. google-base, Pandora, Citrix...).
So how do you guys handle this with APP-ID?
I'd generally have 2 filters, one with 'good' and one with 'bad' apps and base everything on subcategories and technology that is accepted or should be blocked
There may be overlap, so I'd place the bad apps above the good so unwanted apps that do match positive characteristics would still be blocked
You can tune either as you go and the network evolves.
On top of App-ID there's also URL filtering and Threat Prevention to consider, which can block unwanted applications even if they match all the 'good' characteristics but fall into an unwanted URL category or carry threats.
If app x that requires app y is unimportant, you can ignore this warning, it will only break (or partially break) app x
A good feature request would be to have a toggle to automatically fix dependencies, which could be very handy for the 'allow everything that's not explicitly bad' approach.
I have been messing around with the good and bad apps idea, but I am getting a lot of warnings with the commits, like "application _____ requires ____ to be allowed, but it is denied by...".
Should this just be ignored?
You wouldn't like our warning list when we do a commit. It is HUGE and slightly annoying. As reaper started it would be nice to be able to toggle those off.
I have always believed in the DENY ALL allow by exception. With that at the bottom of my policies I have a DENY ALL rule that blocks anything that was not allowed above it. While it does cause a bit more policies and TLC it better controls what traffic is allowed in/out/sideways etc.
Also Applications become more apparent when you have SSL decryption enabled. For example we have to now allow web-browsing over port 443 since its 'default' port is 80.
So first I allow/block by URL categories, then I look at specific applications. For example, there is no need to block the applications that allow file transfer: if I block 'Online Storage and Backup' via URL, I don't need to worry about all the applications that are used for this, such as Dropbox.
After this the Applications become less relevant until SSL decryption comes into play. Also at the top of my policies I do have Application Blocks using filters for the following: peer-to-peer, instant-messaging, and gaming.
Hope that helps.
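As an added illustration (not code from the thread or from Palo Alto), here is a small Python model of the first-match evaluation the replies describe: a 'bad' application filter placed above a 'good' one, an explicit deny-all at the bottom, and a commit-style check that reports an allowed app whose dependency is denied. The app names, their subcategory/technology attributes and their dependencies are constructed assumptions, not real App-ID metadata.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:                   # constructed sample app metadata, not PAN-OS data
    name: str
    subcategory: str
    technology: str
    depends_on: tuple = ()   # apps this one needs allowed (e.g. ssl for citrix)

APPS = {a.name: a for a in [
    App("web-browsing", "internet-utility", "browser-based"),
    App("ssl", "encrypted-tunnel", "browser-based"),
    App("bittorrent", "file-sharing", "peer-to-peer"),
    App("dropbox", "file-sharing", "client-server", ("ssl",)),
    App("citrix", "remote-access", "client-server", ("ssl",)),
    App("unknown-tcp", "unknown", "network-protocol"),
]}

def app_filter(subcategories=(), technologies=()):
    # Dynamic filter: matches any app whose subcategory or technology is listed.
    return lambda app: app.subcategory in subcategories or app.technology in technologies

# The 'bad' filter also catches encrypted tunnels; that is what triggers the
# dependency warning below: citrix is allowed but the ssl it needs is denied.
BAD = app_filter(subcategories={"file-sharing", "encrypted-tunnel"},
                 technologies={"peer-to-peer"})
GOOD = app_filter(technologies={"browser-based", "client-server"})

# Ordered rulebase: first match wins, explicit deny-all at the bottom.
RULEBASE = [
    ("block-bad-apps", BAD, "deny"),
    ("allow-good-apps", GOOD, "allow"),
    ("deny-all", lambda app: True, "deny"),
]

def evaluate(app_name, rulebase=RULEBASE):
    """Return (rule_name, action) for the first rule matching the app."""
    app = APPS[app_name]
    for name, pred, action in rulebase:
        if pred(app):
            return name, action
    raise ValueError("rulebase has no terminal rule")

def dependency_warnings(rulebase=RULEBASE):
    """Emulate the commit check: allowed apps whose dependencies are denied."""
    warnings = []
    for app in APPS.values():
        if evaluate(app.name, rulebase)[1] != "allow":
            continue
        for dep in app.depends_on:
            rule, action = evaluate(dep, rulebase)
            if action != "allow":
                warnings.append(f"{app.name} requires {dep}, denied by {rule}")
    return warnings
```

Swapping the first two rules shows the overlap problem from the reply above: dropbox matches both filters and is only blocked when the 'bad' rule sits on top.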