
Rule to allow a specific application only

Hello,

Is it possible to create a rule to allow only one application? For example, WhatsApp.


I tried, but the rule allows extra traffic.



  • Hi Michael,

    That's amazing to know, but I have a (dumb) question on my part.

    Is there any chance we will see an easier method to create Allow/Deny rules directly based on the application in future releases (v19+)? So people could start with the default DROP All rule and then allow only the needed applications, something you can do right now with other NGFW vendors.

    I know you can do something like this right now on XG to allow an application, but it's different: you would still need to select the desired port and the destination network, and then you need to create a template for the desired application and, if needed, a Web Policy. And as you also said before, the current Deny All for the Application Classification on XG only blocks applications known to XG, which could leave holes for unknown traffic.

    Thanks!


    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • It's a good question, I think, too. For example, in Windows Firewall you can change this behavior. It would be best practice, I think, to be able to select which kind of behavior you want.


  • Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

    What would be better is:
    Create firewall rules that allow everything. Monitor the traffic of the thing you want to work to determine all the destinations it needs. Create firewall rules that only apply to the traffic that you want, with a later firewall rule to block everything else. Don't use application control. Note: if you use web exceptions they may or may not also be applied, depending on how you set things up.

    Windows Firewall does have a way of blocking all outbound connections except for those from specific applications (e.g. executables). I believe (not entirely sure) this is possible with XG and Endpoint with Synchronized Security applications. In this case XG will know the process name that created the network connection and can allow it based on that. Without Synchronized Security we can only guess based on the destination or Snort signatures.
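    The difference between the two approaches in the reply above (an application-filter template whose "Deny All" only matches classified traffic, versus ordered firewall rules with an explicit final drop, built from destinations learned while monitoring) can be modelled in a few lines. The following is an added illustration, not code from the thread or from Sophos; the log format, the host `chat.example.net`, the `app=-` marker for unclassified traffic and all flows are constructed sample data, and the rule evaluation is a simplified model of how such engines behave, not XG's actual implementation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines from the "allow everything and monitor" phase.
# "app=-" marks traffic the engine could not classify as a defined application.
LOG_LINES = [
    "src=10.0.0.5 dst=chat.example.net dport=5222 proto=TCP app=WhatsApp action=allow",
    "src=10.0.0.5 dst=chat.example.net dport=443 proto=TCP app=WhatsApp action=allow",
    "src=10.0.0.5 dst=www.example.com dport=443 proto=TCP app=HTTPS action=allow",
    "src=10.0.0.5 dst=198.51.100.7 dport=9999 proto=UDP app=- action=allow",
]
KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int
    proto: str
    app: Optional[str]  # None when the engine did not classify the traffic


def parse_log(line: str) -> Flow:
    """Turn one key=value log line into a Flow (constructed format)."""
    f = dict(KV.findall(line))
    app = None if f["app"] == "-" else f["app"]
    return Flow(f["dst"], int(f["dport"]), f["proto"], app)


def learn_destinations(lines, app_name):
    """Monitoring step: collect every (dst, proto, port) the wanted app used."""
    return {(fl.dst, fl.proto, fl.dport)
            for fl in map(parse_log, lines) if fl.app == app_name}


def app_filter_decision(flow: Flow, allowed_apps, default="deny") -> str:
    """Model of an application-filter template: the default action applies
    only to traffic classified as a *defined* application, so unclassified
    flows never match the template at all and fall through as allowed."""
    if flow.app is None:
        return "allow"          # the hole the reply describes
    return "allow" if flow.app in allowed_apps else default


@dataclass(frozen=True)
class Rule:
    name: str
    dests: frozenset          # of (dst, proto, dport); empty set = any traffic
    action: str

    def matches(self, flow: Flow) -> bool:
        return not self.dests or (flow.dst, flow.proto, flow.dport) in self.dests


def firewall_decision(flow: Flow, rules):
    """Ordered firewall rules: first match wins, implicit drop at the end."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "implicit", "drop"


def compare(lines, app_name):
    """Evaluate every logged flow under both models.
    Returns {(dst, dport): (app_filter_result, firewall_result)}."""
    dests = frozenset(learn_destinations(lines, app_name))
    rules = [Rule("allow-" + app_name, dests, "allow"),
             Rule("deny-rest", frozenset(), "drop")]  # explicit final block
    results = {}
    for fl in map(parse_log, lines):
        results[(fl.dst, fl.dport)] = (app_filter_decision(fl, {app_name}),
                                       firewall_decision(fl, rules)[1])
    return results


if __name__ == "__main__":
    for key, (af, fw) in compare(LOG_LINES, "WhatsApp").items():
        print(f"{key[0]}:{key[1]:<5} app-filter={af:<5} firewall-rules={fw}")
```

    The unclassified UDP flow is the one to watch: the template-based model lets it through because "Deny All" never saw a defined application to deny, while the ordered rules with a trailing block rule drop it along with every other destination that was not observed during monitoring.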

  • Michael Dunn said:
    Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

    That's the reason why all NGFW vendors have a default Drop All Rule on any services and any zone/network, instead of doing it on applications filter.

    What I wanted from that comment is an easier way to create rules that allow/deny based on application. Instead of having to create a template, define the default Allow/Deny action on the template and then the action for that application, you would select the application directly in the rule (selecting the application instead of services) together with the action, Allow or Deny.

    Of course, two things. It would first require that XG always scan and detect all applications passing through it by default. At the same time I'm skeptical about this; it makes me wonder what would happen to XG throughput, and even whether it's possible right now.

    And then, even if it's possible, it would make the migration of the old application templates a complete nightmare, since that would be a completely different, and also industry-standard, way of creating application-based rules. (Look at Checkpoint/Forcepoint/Palo Alto.)

     

    One example of how it works with Checkpoint:

    On Checkpoint you have a default Deny All traffic Rule on the bottom, and instead of having to work with ports/FQDN you can work directly based on the application.

    You then create a Rule on top of the Deny All with the desired application and the action for it, such as Allow/Warn/Deny. Simple as that.

     

    You talked about creating rules based on the destination and FQDN, but think as an XG user right now instead of as a dev.

    You made me wonder why, while using an NGFW, you, as the user, would be required to create rules yourself based on FQDNs, destinations and ports manually, and go through all the hassle of monitoring the traffic and modifying the rules based on where it's going and what it is, when you have an engine capable of doing that for you, one that already has all the information about how to scan that traffic, including all the certificate SNIs, all the domains it communicates with, the ports it utilizes and all the signatures it has?

     

    I'm sorry if I'm asking too much, but after two years using Checkpoint, comparing it with XG is... weird. XG has amazing performance right now on v18, SSL/TLS Inspection actually works on all ports/applications instead of decrypting just on TCP/443, the AV functionality is great, and Sandstorm actually brings useful information to the consumer (compared to SandBlast).

    But still, it's just completely weird the way you create rules for applications in XG.

     

    And before some people say it, the only vendor I can remember right now that creates application rules just like it is on XG is Fortinet. But they also use Snort. (I don't know if it's related.)

     

    At the end, this is just my opinion, there's no need to take this too seriously, or in a bad way.

    Thanks!