

Rule to allow a specific application only

Hello,

 

Is it possible to create a rule to allow only one application? For example WhatsApp.


I tried, but the rule allows extra traffic.



  •  Hello All

    In this case, when you use the Application Filter and allow one application, it automatically allows everything, because the application filtering rule has the default action Allow (I tested it with TeamViewer).

    If an unknown app tries to access the internet via TeamViewer's FQDNs, the firewall will allow this connection by default. Another thing: if for some reason someone changes your DNS records for the firewall or gives it wrong addresses, it will allow that connection...

    So is it possible to create an application filtering rule so that its default action is Deny all?

  • Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

    The application filter is better suited to denying applications rather than allowing them (and denying everything else).

    What would be better is, if you know the domains that the application uses, to create a firewall rule that allows access to those domains only, with only the ports it needs. Create a second, later firewall rule that blocks all other destinations. Don't use the application filter. Run the application and monitor your firewall drop logs to see if there are additional things you may need to add to your allow rule.
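Modelling the difference the reply above describes, as an added example (not SFOS code and not from any post in this thread): a small Python policy evaluator where the application filter falls through to Allow for anything the engine cannot classify, beside a destination/port allow-list that ends in an explicit drop. The application names, destination names and ports are constructed placeholders for illustration.

```python
"""Toy model of the two policy styles discussed in the thread (constructed example).

An application-filter policy only ever matches flows the engine could classify.
A flow that is not a defined application matches no application rule and falls
through to the filter's implicit default, which on this page is Allow, so
"Deny All" means "deny all defined applications", not "deny all traffic".
A firewall rule set matches on destination and port and ends with an explicit
block rule, so unclassified traffic has nothing to fall through to.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    dst_fqdn: str        # destination name the firewall resolved (constructed sample data)
    dst_port: int
    app: Optional[str]   # engine classification, or None when the engine could not classify

# Applications the engine knows about (constructed list, not the real signature set).
DEFINED_APPS = {"ChatApp", "RemoteDesk", "P2PShare"}

def app_filter_verdict(flow: Flow, allowed_apps: set[str]) -> str:
    """Application filter: allow listed apps, deny other *defined* apps,
    and let everything unclassified through on the implicit default action."""
    if flow.app is None or flow.app not in DEFINED_APPS:
        return "allow"                       # implicit default: not a defined application
    return "allow" if flow.app in allowed_apps else "deny"

# Destination/port allow-list (constructed suffixes), evaluated top-down, first match wins.
# An FQDN rule is only as trustworthy as the DNS answer it was resolved from.
ALLOW_RULES = [(".chatapp.example.net", 443), (".chatapp.example.net", 5222)]

def firewall_verdict(flow: Flow) -> str:
    """Allow only the listed destination/port pairs; the final rule drops the rest."""
    for suffix, port in ALLOW_RULES:
        if flow.dst_fqdn.endswith(suffix) and flow.dst_port == port:
            return "allow"
    return "drop"                            # the explicit "block all other destinations" rule

def compare(flows, allowed_apps=frozenset({"ChatApp"})) -> dict:
    """Map each flow's destination to (application-filter verdict, firewall-rule verdict)."""
    return {f.dst_fqdn: (app_filter_verdict(f, set(allowed_apps)), firewall_verdict(f))
            for f in flows}

SAMPLE_FLOWS = [                               # constructed sample traffic
    Flow("g.chatapp.example.net", 443, "ChatApp"),
    Flow("tracker.example.org", 6881, "P2PShare"),
    Flow("cdn.example.com", 443, None),        # engine could not classify this flow
]

if __name__ == "__main__":
    for dst, (app_v, fw_v) in compare(SAMPLE_FLOWS).items():
        print(f"{dst:28} app-filter={app_v:5} firewall-rules={fw_v}")
```

Only the firewall-rule column drops the unclassified flow; the application filter passes it, which is the hole the reply warns about.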

  • Thanks for the reply, but what about the default action, and why is it needed if I cannot use it? And is it possible to create a rule with default action deny all? And if it's a hidden feature, how can I unlock it?

  • Some of that is historical.  It used to be settable but we discovered there is no good use case for it.  For a long time you could still create rules with it by using Deny All as a template when you created a new filter and we removed that (I did not know that, I just found that out).  Basically it doesn't do what people think it does, so we removed the ability to configure it.  The only reason it wasn't removed from the UI entirely is because Deny All uses it.  But even Deny All doesn't do what people think it does.

  • Hi Michael,

     

    That's amazing to know, but I have a (dumb) question from my part.

    Is there any chance we will see an easier method to create Allow/Deny rules directly based on the application in future releases (v19+)? So people could start with the default DROP All rule and then allow only the needed applications, such as you can do right now with other NGFW vendors.

    I know you can do something like this right now on XG to allow an application, but it's different: you would still need to select the desired port and the destination network, and then you need to create a template for the desired application and, if needed, a Web Policy. And as you also said before, the current Deny All for the Application Classification on XG only blocks applications known to XG, which could leave holes for unknown traffic.

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • It's a good question, I think, too; for example, in Windows Firewall you can change this behavior. It would be best practice, I think, to be able to select which kind of behavior you want.

       
