Understanding Application Firewall Policies
Many dynamic applications use HTTP static ports to tunnel non-HTTP traffic through the network. Such applications can permit traffic that might not be adequately controlled by standard network firewall policies, leading to a security threat. Standard policies function based on IP addresses and ports, and therefore are not effective with these dynamic applications. To avoid these security issues, an additional security control for policies was introduced that functions based on the application ID.
Security policies provide firewall functionality by enforcing rules on the traffic that passes through the device: each session is permitted or denied according to the action defined in the matching rule. The application firewall component of a security policy adds a further security control for dynamic applications.
An application firewall provides the following features:
Permits, rejects, or denies traffic based on the application in use.
Identifies not only HTTP but also any application running on top of it, letting you properly enforce policies. For example, an application firewall rule could block HTTP traffic from Facebook but allow Web access to HTTP traffic from MS Outlook.
The application firewall policy is defined by a collection of rule sets. A rule set defines the rules that match the application ID detected, based on the application signature. After you create an application firewall policy by adding rules, you can select that policy to be the active policy on your device.
The application firewall policy identifies the application ID as an unknown application ID under the following circumstances:
No application ID matches the traffic.
The system encounters an error when identifying the application.
Application ID is not identified during failover sessions.
When the application ID is identified as unknown, the traffic is processed according to the action defined in the unknown rule of the rule set. If the rule set has no unknown rule, the default rule is applied to unknown dynamic applications.
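As an added illustration (not the product's own code or configuration), the following Python model walks through the lookup order described above: a rule matching the detected application ID, then the unknown rule, then the default rule. The application signatures, rule names, actions and sample payloads are constructed assumptions for the example.

```python
# Constructed model of application firewall rule-set evaluation (not vendor code).
from dataclasses import dataclass
from typing import Callable, Optional

UNKNOWN = "UNKNOWN"  # sentinel application ID used when identification fails

# Constructed signatures: application ID -> predicate over the first bytes of a flow.
# Ordered most specific first, so an application tunnelled over HTTP beats plain HTTP.
SIGNATURES: dict[str, Callable[[bytes], bool]] = {
    "FACEBOOK-ACCESS": lambda p: b"Host: www.facebook.com" in p,
    "MS-OUTLOOK-WEB": lambda p: p.startswith(b"GET /owa/") or p.startswith(b"POST /owa/"),
    "HTTP": lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"),
    # Deliberately fragile: raises IndexError on a truncated record, to model an
    # identification error (one of the circumstances that yields UNKNOWN).
    "TLS-CLIENT-HELLO": lambda p: p[0] == 0x16 and p[5] == 0x01,
}

@dataclass
class RuleSet:
    rules: dict[str, str]               # application ID -> "permit" | "deny" | "reject"
    default_rule: str                   # used when neither a rule nor an unknown rule applies
    unknown_rule: Optional[str] = None  # used when the application ID is UNKNOWN

def identify_application(payload: bytes, failover: bool = False) -> str:
    """Return the matched application ID, or UNKNOWN when no signature matches,
    identification raises an error, or the session was inherited through failover."""
    if failover:
        return UNKNOWN
    try:
        for app_id, matches in SIGNATURES.items():
            if matches(payload):
                return app_id
    except Exception:
        return UNKNOWN
    return UNKNOWN

def apply_rule_set(rule_set: RuleSet, app_id: str) -> str:
    """Explicit rule for the app ID, else the unknown rule (if defined), else the default rule."""
    if app_id == UNKNOWN:
        return rule_set.unknown_rule or rule_set.default_rule
    return rule_set.rules.get(app_id, rule_set.default_rule)

def decide(rule_set: RuleSet, payload: bytes, failover: bool = False) -> tuple[str, str]:
    """Identify the application in a flow and return (application ID, action)."""
    app_id = identify_application(payload, failover)
    return app_id, apply_rule_set(rule_set, app_id)

# Rule set mirroring the text's example: block Facebook over HTTP, allow Outlook web access.
RS = RuleSet(rules={"FACEBOOK-ACCESS": "deny", "MS-OUTLOOK-WEB": "permit", "HTTP": "permit"},
             default_rule="permit", unknown_rule="reject")
RS_NO_UNKNOWN = RuleSet(rules=RS.rules, default_rule="permit")  # no unknown rule defined
```

Running decide() on a flow that matches no signature, one that makes a signature raise, or one flagged as inherited through failover all fall back to the unknown rule, and to the default rule only when the rule set defines no unknown rule.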