Configuring Application Firewalls

Applications can evade IP address and port-based security policies by tunneling non-HTTP traffic over the standard HTTP ports 80 and 443, or by carrying HTTP traffic on ports other than 80 or 443. The application firewall screens traffic based on the identified application rather than on IP address or port. Using application firewall policies together with network firewall policies is what gives the network full security coverage.

Use the following procedure to create, view, and modify the application firewall for your device.

  1. Select Configure>Security>Application FW.

    The Application Firewall page displays existing application rule sets in the upper pane. Select a rule set to display its rules in the lower pane. Table 118 explains the content of this page. Secondary pages allow you to create or edit individual rules and rule sets for the firewall.

  2. Click one:
    • Add—Adds a new rule set or a new rule configuration to the firewall. To add a rule set configuration, click Add from the upper pane and enter the information specified in Table 119. To add a rule configuration, click Add from the lower pane or from the Add Rule Set page, and enter the information specified in Table 120.
    • Edit—Edits the selected rule set or rule configuration. For a rule set configuration, enter information as specified in Table 119. For a rule configuration, enter information as specified in Table 120.
    • Delete—Deletes the selected rule set or rule configuration.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 118: Application Firewall Configuration Page

Rule Set (upper pane)

| Field | Function |
| --- | --- |
| Name | Specifies the name of an existing application rule set configured for the device. Select a rule set to display its associated rules in the lower pane. |
| Default Rule | Specifies the rule to be used when an application does not match the rule criteria defined for the application firewall. |
| Rule | Specifies the name of each rule associated with the rule set. If the field contains more than two rule names, hover over the field to display the names of all the rules in a tooltip. |

Rules in Selected Rule-Set (lower pane)

| Field | Function |
| --- | --- |
| Rule Name | Displays the name of each rule contained in the selected rule set. |
| Match Dynamic Applications | Specifies one or more application signatures to be used as match criteria for the associated rule. |
| Action | Specifies the action to be taken if traffic matches one of the specified Match Dynamic Applications: permit (permits traffic that matches this rule) or deny (denies traffic that matches this rule). |

Table 119: Add/Edit Rule Set Configuration Details

| Field | Function | Action |
| --- | --- | --- |
| Rule Set Name | Specifies the rule set name. | Enter a rule set name. When editing a rule set, the name cannot be changed. |
| Default Rule | Specifies the action to be taken if traffic does not match any rules in the rule set: permit (permits all traffic that does not match any rule) or deny (denies all traffic that does not match any rule). | Select permit or deny. |

Table 120: Add/Edit Rule Configuration Details

| Field | Function | Action |
| --- | --- | --- |
| Rule Name | Specifies the name of the rule. | Enter a rule name. When editing a selected rule, the name cannot be changed. |
| Rule Action | Specifies the action to be taken when traffic matches the dynamic application signature for this rule: permit (permits traffic that matches this rule) or deny (denies traffic that matches this rule). | Select permit or deny. |

Match Dynamic Application

| Field | Function | Action |
| --- | --- | --- |
| Applications | Displays the applications available on your device. | To add applications to the match criteria: select one or more applications in the Applications list (use the Ctrl key to select more than one item), then click the right arrow to move the selections to the Matched list. |
| Matched | The applications selected as match criteria for the rule. | To delete applications from the match criteria: select one or more applications in the Matched list (use the Ctrl key to select more than one item), then click the left arrow to return the selections to the Applications list. |
| Search | A search mechanism to display a specific application at the top of the Applications list. | Enter an application name and click Search. The list is displayed again with the specified application at the top of the list. |
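As an added example that is not part of this page or of the vendor's documentation, the following Junos configuration-mode commands build the same objects the J-Web pages above create: a rule set with a Default Rule (Table 119), rules inside it that match dynamic applications and carry a Rule Action (Table 120), and a security policy that applies the rule set to traffic, without which the rule set does nothing. The rule-set, rule, policy and zone names and the specific dynamic-application signatures are assumed values; the Applications list in Table 120 shows which signatures your device actually has. Lines beginning with # are explanatory comments, not commands to paste.

```junos
# Rule set "web-only". The Default Rule is deny, so any application the rules do not
# explicitly match (including non-HTTP traffic tunneled over ports 80/443, the case this
# page opens with) is dropped instead of passed.
set security application-firewall rule-sets web-only default-rule deny

# Rule "allow-web": Match Dynamic Application = HTTP and SSL signatures, Rule Action = permit.
# Repeating the match line adds a further signature to the same rule (signature names assumed).
set security application-firewall rule-sets web-only rule allow-web match dynamic-application junos:HTTP
set security application-firewall rule-sets web-only rule allow-web match dynamic-application junos:SSL
set security application-firewall rule-sets web-only rule allow-web then permit

# Rule "block-p2p": a deny rule for an application that must not pass even when it arrives
# on a port the network policy allows (signature name assumed).
set security application-firewall rule-sets web-only rule block-p2p match dynamic-application junos:BITTORRENT
set security application-firewall rule-sets web-only rule block-p2p then deny

# The rule set takes effect only when a security policy references it. This is the
# port-based permit for outbound web traffic; the application firewall then screens
# what that permit lets through (zone and policy names assumed).
set security policies from-zone trust to-zone untrust policy outbound-web match source-address any
set security policies from-zone trust to-zone untrust policy outbound-web match destination-address any
set security policies from-zone trust to-zone untrust policy outbound-web match application junos-http
set security policies from-zone trust to-zone untrust policy outbound-web match application junos-https
set security policies from-zone trust to-zone untrust policy outbound-web then permit application-services application-firewall rule-set web-only

commit
```

After the commit, the operational command `show security application-firewall rule-set web-only` (or `rule-set all`) lists the rule set with its rules and default rule, which is the same information the upper and lower panes in Table 118 display, so the two views can be checked against each other. A deny Default Rule with a short permit list is the least-privilege form of a rule set; a permit Default Rule blocks only the applications you have named and passes everything else, including traffic the device could not identify.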