
Rule to allow a specific application only

Hello,

Is it possible to create a rule to allow only one application? For example, WhatsApp.


I tried, but the rule allows extra traffic.



  • Hi Robert,

    You will need both web and application rules, or you can create an FQDN and use that as a destination.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • Is it possible to post an example with images? (e.g. WhatsApp)

  • Hi Robert,

    I have setup a rule at the bottom of my rule table, yours would be at the top so that the rule is used.

    Please see the following screenshots. I have also included "match known users", although it is not required. I use clientless groups to manage access to various rules and networks.

    The first screenshot shows the selection of the WhatsApp applications. There is a screenshot missing, and that is the one used to set up the application rule.

    I hope you find this helpful.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • FQDN *.whatsapp.net and web policy added to the rule.

    I just need a few days to try it.

    But I do not find this logical at all.

    I think it's complicated to allow a specific application that is also already recognized by the firewall ...

  • Hi Robert,

    You have to create an application rule so that the already identified application is the only one you choose.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    In Destination Network, what do you have inside "Whatsapp test"? All the IPs of WhatsApp, or an FQDN? Can you share with us the information that is inside.

    Thanks.

  • Hello All

    In this case, when you use an Application Filter and allow one application, it automatically allows all, because the application filtering rule has the default action Allow (I tested it on TeamViewer).

    If an unknown app tries to access the internet via TeamViewer's FQDNs, the firewall will allow this connection by default. Another thing: if for some reason someone changes your DNS records for the firewall or gives it wrong addresses, it will allow that connection...

    So is it possible to create an application filtering rule so that its default action is Deny All?

  • Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

    The application filter is better suited to denying applications rather than allowing them (and denying everything else).

    What would be better is, if you know the domains that the application uses, create a firewall rule that allows access to those domains only, with only the ports it needs. Create a second, later firewall rule that blocks all other destinations. Don't use the application filter. Run the application and monitor your firewall drop logs to see if there are additional things you may need to add to your allow rule.
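
    The two policy styles contrasted in the answer above, as an added example that is not part of the thread and not Sophos code. It is a small Python model of the semantics described in this thread: an application rule can only act on traffic the engine has classified (so "Deny All" denies classified applications only, and unclassified traffic passes), whereas destination/port firewall rules evaluated first-match with a trailing deny rule block everything not explicitly listed. The flows, the FQDNs and the use of port 443 as "the ports the app needs" are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Flow:
    app: Optional[str]   # application as classified by the engine; None = unclassified
    dst_fqdn: str
    dst_port: int


@dataclass(frozen=True)
class FwRule:
    name: str
    dst_patterns: Tuple[str, ...]   # fnmatch patterns; "*" matches any destination
    ports: Optional[frozenset]      # None = any port
    action: str                     # "allow" or "deny"


def app_filter_verdict(flow: Flow, allowed_apps: frozenset) -> str:
    """Model of the application-filter behaviour described in the thread.

    Rules only match classified applications, so unclassified traffic falls
    through and is allowed; a classified app is allowed only if it is in the
    allowed set and denied otherwise (this is what 'Deny All' covers).
    """
    if flow.app is None:
        return "allow"
    return "allow" if flow.app in allowed_apps else "deny"


def firewall_verdict(flow: Flow, rules: Sequence[FwRule]) -> Tuple[str, str]:
    """First-match evaluation of destination/port based firewall rules.

    Returns (action, name of the matching rule). Flows matching no rule are
    denied by an implicit default.
    """
    for rule in rules:
        dst_ok = any(fnmatch(flow.dst_fqdn, pat) for pat in rule.dst_patterns)
        port_ok = rule.ports is None or flow.dst_port in rule.ports
        if dst_ok and port_ok:
            return rule.action, rule.name
    return "deny", "implicit-default"


# Constructed sample flows (not captured from any real firewall).
FLOWS = {
    "whatsapp_to_whatsapp": Flow("WhatsApp", "e1.whatsapp.net", 443),
    "teamviewer_to_teamviewer": Flow("TeamViewer", "ping.teamviewer.com", 5938),
    "unknown_to_teamviewer": Flow(None, "ping.teamviewer.com", 5938),
    "unknown_to_whatsapp": Flow(None, "e1.whatsapp.net", 443),
}

# Destination-based policy from the answer: allow the app's FQDNs on the
# ports it needs, then a later rule that denies all other destinations.
# Assumption: port 443 stands in for "the ports the app needs".
WHATSAPP_ONLY_RULES = (
    FwRule("allow-whatsapp-fqdn", ("*.whatsapp.net",), frozenset({443}), "allow"),
    FwRule("deny-everything-else", ("*",), None, "deny"),
)


def evaluate_all() -> dict:
    """Run every sample flow through both policy styles and collect verdicts."""
    allowed_apps = frozenset({"WhatsApp"})
    verdicts = {}
    for name, flow in FLOWS.items():
        verdicts[name] = {
            "app_filter": app_filter_verdict(flow, allowed_apps),
            "fw_rules": firewall_verdict(flow, WHATSAPP_ONLY_RULES)[0],
        }
    return verdicts


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:26s} app-filter={verdict['app_filter']:5s} fw-rules={verdict['fw_rules']}")
```

    The "unknown_to_teamviewer" row is the case raised in the thread: the application filter lets it through because nothing classified it, while the destination rules drop it. The last row shows the remaining gap of the destination-based approach: any process that reaches the allowed FQDNs on the allowed ports is permitted regardless of what it is, which is why the advice here is to keep the allowed destinations and ports narrow and to review the drop logs while tuning the allow rule.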

  • Thanks for the reply, but what about the default action, and why is it needed if I cannot use it? And is it possible to create a rule with the default action Deny All? And if it's a hidden feature, how can I unlock it?

  • Some of that is historical. It used to be settable, but we discovered there is no good use case for it. For a long time you could still create rules with it by using Deny All as a template when you created a new filter, and we removed that (I did not know that, I just found that out). Basically it doesn't do what people think it does, so we removed the ability to configure it. The only reason it wasn't removed from the UI entirely is because Deny All uses it. But even Deny All doesn't do what people think it does.