Rule to allow an specific application only

 Hello All

In this case when you use Application Filter and allow one application it automaticaly allowes all couse Applications filtering rule have default action Allow (I test it on TeamViewer).

If unknown App is trying to access internet to teamviewer's FQDNs Firewall will allow this connection by default. Another if with some reason someone changes your DNS records for firewall or give it wrong addreses it will allow that connection... 

So if it's possible to create applications filtering rule so that it's default action was Deny all.

Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

The application filter is better suited to denying applications rather allowing them (and denying everything else).

What would be better is if you know the domains that the application uses, create a firewall rule that allows access to those domains only, with only the ports it needs. Create a second later firewall rule that blocks all other destinations. Don't use the application filter. Run the application and monitor your firewall drop logs to see if there is additional things you may need to add to your allow rule.

Thanks for replay but what about default action and why it needed if i cannot use it?? and if it's possible to create rule with default action deny all. and if its hidden feature and how can i unlock it?

Some of that is historical.  It uses to be settable but we discovered there is no good use case for it.  For a long time you could still create rules with it by using Deny All as a template when you created a new filter and we removed that (I did not know that, I just found that out).  Basically it doesn't do what people think it does, so we removed the ability to configure it.  The only reason it wasn't removed from the UI entirely is because Deny All uses it.  But even Deny All doesn't do what people think it does.

Hi Michael,

That's amazing to know, but I have a (dumb) question from my part.

Is there any chance we will see a easier method to create Allow/Deny rules directly based on the application on the future releases (v19+)? So people could start with the default DROP All Rule and then allow only the needed applications, such thing that you can do right now with others NGFW vendors.

I know you can do something like this right now on XG to allow a application, but It's different, you would need to still select the desired port and the destination network, and then you need to create a template for the desired application and if needed, a Web Policy. And as you also said before, the current Deny All for the Application Classification on XG only block known applications for XG, which could leave holes for unknown traffic on it.

Thanks!

It's good question i think too for example in windows firewall you can change this behavior. It'll be best practice i think to be possible to select which kind of behavior you want

Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

What would be better is:
Create firewall rules that allow everything. Monitor the traffic of the thing you want to work to determine all the destinations it needs. Create firewall rules to only apply to the traffic that you want, with a later firewall rule to block everything else. Don't use application control. Note: If you use web exceptions they may or may not also be applied depending on how you set things up.

Windows firewall does have a way of blocking all outbound connections except for those from specific applications (eg executable). I believe (not entirely sure) this is possible with XG and Endpoint with synchronized security applications. In this case XG will know the process name that created the network connection and can allow it based on that. Without synchronized security we can only guess based on the destination or snort signatures.

Michael Dunn said:

Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

That's the reason why all NGFW vendors have a default Drop All Rule on any services and any zone/network, instead of doing it on applications filter.

What I've wanted from that comment is, a easier way to create Rules that Allow/Deny based on application, instead of having to create a template and defining on the template the default Allow/Deny Action and then the action for that application, instead of all of this, you would select the application directly on the Rule, by selecting the application instead of services, and the Action of Allow or Deny.

Of course, two things, It would first require the XG would always scan and detect all applications passing through XG by default. At the same time I'm skeptical about this, It makes me wonder what would happen with XG throughput, and even if it's possible right now.

And then, even if It's possible, it would make the migration of the old application templates a complete nightmare, since that would be a complete different, and also industry standard way of creating application based rules. (Look at Checkpoint/Forcepoint/Palo Alto)

One example on how it works with Checkpoint;

On Checkpoint you have a default Deny All traffic Rule on the bottom, and instead of having to work with ports/FQDN you can work directly based on the application.

You then create a Rule on top of the Deny All with the desired application and the action for it, such as Allow/Warn/Deny. Simple as that.

You talked about creating Rules based on the destination and FQDN, but think as a XG user right now instead as a Dev.

You made me wonder, why, while using a NGFW, you, as the user, would require to create rules by yourself based on the FQDN and Destinations and ports manually, and go through all the hassle of monitoring the traffic and modifying the rules based on where It's going and what It is; When you have a engine capable of doing that for you, that's already have all information about how to scan that traffic, including all certificates SNI's and all domains it communicates, and also the ports it utilize and all signatures it have, for you?

I'm sorry If I'm asking too much, but after two years using Checkpoint, comparing It with XG is... weird. XG have an amazing performance right now on v18, SSL/TLS Inspection actually works on all ports/applications instead of decrypting just on TCP/443, the AV functionalities is great, Sandstorm actually brings useful information to the consumer (Compared to sandblast.).

But still, It's just complete weird the way you create rules for applications in XG.

And before some people say it, the only vendor I can remember right now, that creates applications rules just like It is on XG is Fortinet. But they also use Snort. (I don't know if It's related.)

At the end, this is just my opinion, there's no need to take this too seriously, or in a bad way.

Thanks!

Michael Dunn said:

Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

That's the reason why all NGFW vendors have a default Drop All Rule on any services and any zone/network, instead of doing it on applications filter.

What I've wanted from that comment is, a easier way to create Rules that Allow/Deny based on application, instead of having to create a template and defining on the template the default Allow/Deny Action and then the action for that application, instead of all of this, you would select the application directly on the Rule, by selecting the application instead of services, and the Action of Allow or Deny.

Of course, two things, It would first require the XG would always scan and detect all applications passing through XG by default. At the same time I'm skeptical about this, It makes me wonder what would happen with XG throughput, and even if it's possible right now.

And then, even if It's possible, it would make the migration of the old application templates a complete nightmare, since that would be a complete different, and also industry standard way of creating application based rules. (Look at Checkpoint/Forcepoint/Palo Alto)

One example on how it works with Checkpoint;

On Checkpoint you have a default Deny All traffic Rule on the bottom, and instead of having to work with ports/FQDN you can work directly based on the application.

You then create a Rule on top of the Deny All with the desired application and the action for it, such as Allow/Warn/Deny. Simple as that.

You talked about creating Rules based on the destination and FQDN, but think as a XG user right now instead as a Dev.

You made me wonder, why, while using a NGFW, you, as the user, would require to create rules by yourself based on the FQDN and Destinations and ports manually, and go through all the hassle of monitoring the traffic and modifying the rules based on where It's going and what It is; When you have a engine capable of doing that for you, that's already have all information about how to scan that traffic, including all certificates SNI's and all domains it communicates, and also the ports it utilize and all signatures it have, for you?

I'm sorry If I'm asking too much, but after two years using Checkpoint, comparing It with XG is... weird. XG have an amazing performance right now on v18, SSL/TLS Inspection actually works on all ports/applications instead of decrypting just on TCP/443, the AV functionalities is great, Sandstorm actually brings useful information to the consumer (Compared to sandblast.).

But still, It's just complete weird the way you create rules for applications in XG.

And before some people say it, the only vendor I can remember right now, that creates applications rules just like It is on XG is Fortinet. But they also use Snort. (I don't know if It's related.)

At the end, this is just my opinion, there's no need to take this too seriously, or in a bad way.

Thanks!