Even after a "User Group" or an "Address Object/Group" has been allowed in an application blocked by App Control, the allowed users/devices may still be unable to access that application. A common cause is the use of internal DNS servers that were not made part of the allowed group. This article describes methods for preventing internal DNS servers from being blocked by App Control.
Many applications include "DNS Query" as one of their signatures, as shown in the picture below. When internal DNS servers are used, the DNS queries from all user devices pass through these internal DNS servers, so the firewall sees the query coming from the DNS server rather than from the user's device. If the DNS servers are not allowed in a blocked application, the DNS queries related to that application are blocked, and the allowed users cannot reach the application even though their own traffic is permitted.

The following methods can be used to prevent the internal DNS servers from being blocked by App Control:
1) If an Address Group is used to allow a group of IP addresses in a blocked application, add the DNS server's IP address to that same Address Group.
2) If a User Group is used to allow a group of users in an application, use one of the following methods:
NOTE: If both a "User Group" and an "Address Group" are selected to be allowed in an Application (using "Included User/Groups" AND "Included IP Address Range"), only traffic that matches BOTH the "Address Group" AND the "User Group" is allowed. Traffic that matches only one of them is not allowed.
More information on why "Included User/Groups" and "Included IP Address Range" are used can be found in the following KB article on Exclusion Logic:
[[App Control Advance: Exclusion Logic|200422030712977]]
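The allow/block decision described above, including the NOTE's rule that traffic must match BOTH inclusions when both are configured, as an added Python example that is not part of this KB article or of SonicWall's code: it models a block rule with its "Included User/Groups" and "Included IP Address Range" settings and evaluates constructed flows, among them the recursive "DNS Query" an internal DNS server sends on a user's behalf. The user, group, address and signature names are constructed, and that the firewall holds no user identity for the DNS server's own traffic is an assumption of the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:
    src_ip: str
    user: Optional[str]   # None: firewall has no user identity for this source (assumption)
    signature: str        # matched App Control signature, e.g. "DNS Query"

@dataclass
class BlockRule:
    signatures: set
    included_groups: set = field(default_factory=set)    # "Included User/Groups"
    included_ranges: list = field(default_factory=list)  # "Included IP Address Range"

# Constructed directory data: which users belong to which User Group.
USER_GROUPS = {"alice": {"Allowed-Users"}, "bob": set()}

def is_allowed(flow: Flow, rule: BlockRule) -> bool:
    """True if the flow passes the block rule once its inclusions are applied."""
    if flow.signature not in rule.signatures:
        return True                                  # rule does not cover this traffic
    user_ok = bool(flow.user and USER_GROUPS.get(flow.user, set()) & rule.included_groups)
    ip_ok = any(ip_address(flow.src_ip) in ip_network(r) for r in rule.included_ranges)
    if rule.included_groups and rule.included_ranges:
        return user_ok and ip_ok                     # both configured: BOTH must match
    if rule.included_groups:
        return user_ok
    if rule.included_ranges:
        return ip_ok
    return False                                     # no inclusions: everything is blocked

# Constructed flows: alice's own session and the lookup her DNS server makes for it.
ALICE_WEB = Flow("10.1.1.5", "alice", "Application Traffic")
DNS_SERVER_QUERY = Flow("10.1.2.53", None, "DNS Query")   # internal DNS server, no user
SIGS = {"Application Traffic", "DNS Query"}

def evaluate() -> dict:
    address_only = BlockRule(SIGS, included_ranges=["10.1.1.0/24"])
    address_plus_dns = BlockRule(SIGS, included_ranges=["10.1.1.0/24", "10.1.2.53/32"])
    group_and_address = BlockRule(SIGS, included_groups={"Allowed-Users"},
                                  included_ranges=["10.1.1.0/24", "10.1.2.53/32"])
    return {
        "web_address_only": is_allowed(ALICE_WEB, address_only),            # True
        "dns_address_only": is_allowed(DNS_SERVER_QUERY, address_only),     # False
        "dns_address_plus_dns": is_allowed(DNS_SERVER_QUERY, address_plus_dns),    # True
        "dns_group_and_address": is_allowed(DNS_SERVER_QUERY, group_and_address),  # False
    }

if __name__ == "__main__":
    for case, verdict in evaluate().items():
        print(f"{case:24s} {'allowed' if verdict else 'BLOCKED'}")
```

The last case shows why method 1 alone is not enough once a User Group is also included: the DNS server's query matches the address range but carries no user, so the BOTH rule blocks it.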