Why permitiing web-brosing is required while permitting custom http-based apps?

Showing results for 
Search instead for 
Did you mean: 

Why permitiing web-brosing is required while permitting custom http-based apps?

L3 Networker


I was testing custom http based apps, and in this context i created a custom app based on a signature in the host field of the http header. The problem is that it function properly only if i permit the app web-brosing in the same rule. By logging at the begining and at the end of the session i noticed that whene session starts, the traffic was identified as web brosing, and then it switches to be identified as the custom app. Also whene i dont permit web-brosing, the traffic will be dropped and the firewall is no longer able to identifie the custom app. So is it required to permit web-brosing to get this kind off apps to work, it is not souhaitable in my case, so is there any solution to this problem?

Thank you all.


L4 Transporter

The web-browsing application essentially represents the basic HTTP functionality. It is required in order for the system to further decode and process HTTP requests. Without allowing the traffic to be processed by the HTTP decoder, we cannot look further for other HTTP-based applications. This is why allowing the web-browsing application is a requirement for other HTTP-based applications.

If you can provide some more detail about the policy you are trying to implement, we may be able to come up with a solution through creative rule ordering, src/dst controls or some other combination.


Thank you Mike for your fast response.

In my case, i'am triying to create a rule in wich i permit only the custom http based app. The pupose is to use this functionality as the onlu filtering criteria and to take out the src/dst ip addresses.

The rule will look like this :

src-zone-inetrnet src-add-any dst-zone-intranet dst-add-any custom-app permit

So if we allow the web-brosing app in addition to the custom app, this will allow all http traffic coming from internet to go throw the firewall, and this is not what we try to do.

So if there is any soultion to make this work withtout being compelled to allow web-browsing, that will be great.

You might try adding a URL filtering profile to that security policy rule that only allows access to that web server or domain so the web-browsing application doesn't allow access to other URLs.


Thanks, for yours answers.

We'll try this today. We'll post the result.

I had a dream ........ A firewall without any IP rules :smileycool:

Adding URL filtering is one more layer, but you are still not addressing the custom app question.  I have a similar scenerio that I would like to allow only a specific app, but it requires web-browsing.  Then why even use the specific app in the policy rule?

I understand the reason why web-browsing is needed to further decode to identify the specif app, but when adding the app-id's in the policy together (which I believe they are OR'd), the web-browsing app over-rides the specific app that you want to ONLY allow.....meaing its useless to add a specific app that requires web-browsing in order to work.

Today the best practice is to use URL filtering and Web-app policies together for optimal coverage.  As you mentioned - web-browsing is basically the http decoder, so http is a prerequisite for identifying lower-layer apps.

There will be some future enhancements that will allow you to use only the specific app-id's without requiring the web-browsing application.



Any progress on these enhancements? Have you targeted a specific release milestone?


If you wish to discuss product roadmaps and the expected release date for new features you will need to talk to your sales team.

This forum is not the proper venue for this sort of discussion.

Thank you,


+1.  Would be nice to have a AND - OR qualifiers.

Also, not everyone subscribes to the URL filtering service.  AFAIK, there is not yet a generic URL filtering methodology (user controlled only without subscription requirement).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!