Monitoring Application Firewalls

Purpose

Applications can evade IP- and port-based security policies by tunneling non-HTTP traffic over the standard HTTP ports 80 and 443, or by carrying HTTP traffic on ports other than 80 and 443. An application firewall screens traffic based on an application signature rather than on IP address or port. Implementing both application firewall and network firewall policies together contributes to the full security of the network.

Action

To monitor firewall rule sets and associated applications, select Monitor>Security>Application FW.

The upper pane of the Application Firewall Monitoring page lists the rule sets currently configured on your device. When you select a rule set in the upper pane, the lower panes display the rules and counters associated with that rule set. Each rule entry identifies the dynamic application signatures used as match criteria and the action taken when an application signature matches.

The counter pane maintains current statistics about the actions taken for the application signatures encountered. The Clear Counters button resets all counters to zero and begins counting again. Each time the number of seconds specified in the Refresh Interval elapses, the new counter values are displayed.

Meaning

Table 230 summarizes key output fields in the Application Firewall Monitoring page.

Table 230: Application Firewall Monitoring Page

Each entry below gives the Field, its Value, and, where the page provides it, Further Information.

Rule Set

  Name
    Value: Displays the rule sets configured for the device.
    Further Information: Select a rule set to display its associated rules and counters in the lower panes.

  Default Rule
    Value: Displays the action taken when traffic does not match any of the associated rules.
    Further Information:
      • permit—Permits all traffic that does not match any rule in the rule set.
      • deny—Denies all traffic that does not match any rule in the rule set.

  Rules
    Value: Displays the rule names associated with the rule set.

Rules in Selected Rule Set

  Rule Name
    Value: Lists the names of the rules included in the rule set.

  Match Dynamic Applications
    Value: Displays the dynamic applications used as match criteria for the associated rule.

  Action
    Value: Displays the action to be taken if the traffic matches the associated rule’s match criteria.
    Further Information:
      • permit—Permits traffic that matches the rule.
      • deny—Denies traffic that matches the rule.

Counters for Selected Rule-Set

  Refresh interval (sec)
    Value: Specifies the interval, in seconds, at which counter values are refreshed.

  Rules inside the rule-set
    Value: Specifies the number of rules contained in the selected rule set.

  Sessions with AppID Pending
    Value: Counts the sessions for which the application is not apparent or has not yet been determined.

  Sessions Hit Default Rule
    Value: Counts the sessions that match no rule in this rule set, so the default action is taken.

  Sessions Permit by rule-name
    Value: Counts the sessions that match each rule.
    Further Information: A separate counter is listed for each rule in the rule set.
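The counters in Table 230 follow directly from how a rule set is evaluated: a session whose application has not yet been identified is counted under AppID Pending, a session whose identified application matches a rule is counted under that rule, and a session matching no rule falls to the default rule. The following Python model is added here to make that relationship concrete; it is illustration, not Junos product code or anything from the original page. Rule names, the dynamic-application sets, the default action and the session list are constructed; first-match-wins rule ordering and counting an unidentified session once under AppID Pending are assumptions of the model. The `junos:` application names are in the form used by the AppID signature package.

```python
"""Model of application-firewall rule-set evaluation and the counters the
monitoring page reports (added illustration; assumptions are marked)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PERMIT = "permit"
DENY = "deny"
PENDING = "pending"  # placeholder result while AppID is still undetermined


@dataclass(frozen=True)
class Rule:
    name: str
    dynamic_applications: frozenset  # "Match Dynamic Applications" column
    action: str                      # "Action" column: permit or deny

    def __post_init__(self) -> None:
        if self.action not in (PERMIT, DENY):
            raise ValueError(f"rule {self.name}: invalid action {self.action!r}")


@dataclass
class RuleSet:
    name: str
    rules: List[Rule]        # ordered; first match wins (assumption)
    default_rule: str        # "Default Rule" column: permit or deny
    counters: Dict[str, object] = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        if self.default_rule not in (PERMIT, DENY):
            raise ValueError(f"rule set {self.name}: invalid default {self.default_rule!r}")
        self.clear_counters()

    def clear_counters(self) -> None:
        """Mirror the Clear Counters button: every counter returns to zero."""
        self.counters = {
            "rules_inside_rule_set": len(self.rules),
            "sessions_appid_pending": 0,
            "sessions_hit_default_rule": 0,
            # one counter per rule ("Sessions Permit by rule-name" and friends)
            "sessions_by_rule": {r.name: 0 for r in self.rules},
        }

    def evaluate(self, app: Optional[str]) -> str:
        """Return the action for one session and update the counters.

        `app` is the dynamic application identified by AppID, or None when
        identification is still pending (counted once, by assumption)."""
        if app is None:
            self.counters["sessions_appid_pending"] += 1
            return PENDING
        for rule in self.rules:
            if app in rule.dynamic_applications:
                self.counters["sessions_by_rule"][rule.name] += 1
                return rule.action
        self.counters["sessions_hit_default_rule"] += 1
        return self.default_rule


def build_example_rule_set() -> RuleSet:
    """Constructed rule set: permit web, deny BitTorrent, deny everything else."""
    return RuleSet(
        name="rs-example",
        rules=[
            Rule("r-web", frozenset({"junos:HTTP", "junos:SSL"}), PERMIT),
            Rule("r-p2p", frozenset({"junos:BITTORRENT"}), DENY),
        ],
        default_rule=DENY,
    )


# Constructed sample sessions: (session id, application identified by AppID).
SAMPLE_SESSIONS: List[Tuple[str, Optional[str]]] = [
    ("s1", "junos:HTTP"),
    ("s2", "junos:SSL"),
    ("s3", None),                # AppID still pending
    ("s4", "junos:BITTORRENT"),
    ("s5", "junos:HTTP"),
    ("s6", None),                # AppID still pending
    ("s7", "junos:SMTP"),        # matches no rule: default rule applies
]


def run_sample_sessions(rule_set: RuleSet) -> Tuple[Dict[str, str], Dict[str, object]]:
    """Evaluate the sample sessions; return per-session decisions and counters."""
    decisions = {sid: rule_set.evaluate(app) for sid, app in SAMPLE_SESSIONS}
    return decisions, rule_set.counters


if __name__ == "__main__":
    rs = build_example_rule_set()
    decisions, counters = run_sample_sessions(rs)
    for sid, action in decisions.items():
        print(f"{sid}: {action}")
    print(counters)
```

Running the block shows two sessions under AppID Pending, one session hitting the default rule (the SMTP session, denied by the default), and per-rule counts of three for r-web and one for r-p2p, which is the picture the counter pane would present for the same traffic.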