Using Application Control feature to Block / Allow different IM applications for different use

Description

This is a scenario-based article on the SonicWall App Control Advanced feature. In this scenario we describe how to block the App Control Advanced category IM for all users except one user group, and how to allow Yahoo! Messenger, Skype, Trillian and Windows Live Messenger for selected users.

The following applications need to be blocked or allowed for the following users:

Application                    | Blocked | Allowed
-------------------------------|---------|-------------------------
IM (Category)                  | All     | Managers
Yahoo! Messenger/Apple iChat   | All     | Accounts (and Managers)
Skype                          | All     | Marketing (and Managers)
Trillian                       | All     | Accounts (and Managers)
Windows Live Messenger         | None    | All

Managers would be allowed all IM applications. All IM applications other than the above would be blocked for the rest.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


Create User Groups



  • Navigate to Device | Users | Local Users & Groups.
  • Click the Local Groups tab.
  • Create the following user groups.
    • Managers
    • Accounts
    • Marketing


Configure Authentication

  • In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Policy | Rules and Policies | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.


Configure App Control Advanced - IM Category

  • Navigate to Policy | Security Services | App Control.
  • Toggle the option Enable App Control.


  • Click the Signatures tab.
  • In the viewed by drop-down, select Category.
  • In the category drop-down, select IM.
  • Click the configure button to bring up the Edit App Control Category window.
  • Select Enable under Block.
  • Select Enable under Log.
  • Select All under Included Users/Groups.
  • Select the user group Managers under Excluded Users/Groups.
  • Click OK.



Configure Application - Yahoo! Messenger/Apple iChat

  • On the same page, with View Style: Category selected as IM, select Yahoo! Messenger/Apple iChat under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Accounts.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Accounts, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).

Configure Application - Skype

  • Select Skype under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Marketing.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Marketing, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).


Configure Application - Trillian

  • Select Trillian under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Accounts.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Accounts, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).


Configure Application - Windows Live Messenger

  • Select Windows Live Messenger under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select All.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for all users.

Summary

By configuring the above we accomplish the following:

  • User Group Managers: All IM applications.
  • User Group Accounts: Yahoo! Messenger/Apple iChat & Trillian.
  • User Group Marketing: Skype.
  • Windows Live Messenger can be accessed by all users.




Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


Create User Groups

  • Log in to the SonicWall management interface.
  • Navigate to Manage at the top of the page.
  • Navigate to the Users | Local Users & Groups page.
  • Select the Local Groups tab.
  • Create the following user groups.
    • Managers
    • Accounts
    • Marketing


Configure Authentication

  • In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Policies | Rules | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.


Configure App Control Advanced - IM Category

  • Navigate to the Policies | Rules | Advanced Application Control page.
  • Check the box under Enable App Control and click Accept at the top of the page.
  • Under View Style: Category, select IM.
  • Click the configure button to bring up the Edit App Control Category window.
  • Select Enable under Block.
  • Select Enable under Log.
  • Select All under Included Users/Groups.
  • Select the user group Managers under Excluded Users/Groups.
  • Click OK.
  • With this, all users or groups would be blocked from IM applications except the user group Managers. Now we configure individual applications to allow specific user groups.


Configure Application - Yahoo! Messenger

  • On the same page, with View Style: Category selected as IM, select Yahoo! Messenger under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Accounts.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Accounts, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).


Configure Application - Skype

  • Select Skype under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Marketing.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Marketing, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).

Configure Application - Trillian

  • Select Trillian under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Accounts.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Accounts, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).

Configure Application - Windows Live Messenger

  • Select Windows Live Messenger under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select All.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for all users.


Summary

By configuring the above we accomplish the following:

  • User Group Managers: All IM applications.
  • User Group Accounts: Yahoo! Messenger & Trillian.
  • User Group Marketing: Skype.
  • Windows Live Messenger can be accessed by all users.





Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.


Create User Groups

  • Log in to the SonicWall management interface.
  • Navigate to the Users | Local Groups page.
  • Create the following user groups.
    • Managers
    • Accounts
    • Marketing

Configure Authentication

  • In order for the SonicWall to enforce Application Control based on users/groups, we need to enable authentication on the SonicWall. Authentication can be either explicit, using Firewall | Access Rules, or implicit, using Single Sign-on. In this example we create the following LAN | WAN rule to force authentication.

Configure App Control Advanced - IM Category

  • Navigate to the Firewall | App Control Advanced page. (In Gen5 TZ devices this page would be under Security Services | App Control Advanced.)
  • Check the box under Enable App Control and click Accept at the top of the page.
  • Under View Style: Category, select IM.
  • Click the configure button to bring up the Edit App Control Category window.
  • Select Enable under Block.
  • Select Enable under Log.
  • Select All under Included Users/Groups.
  • Select the user group Managers under Excluded Users/Groups.
  • Click OK.
  • With this, all users or groups would be blocked from IM applications except the user group Managers. Now we configure individual applications to allow specific user groups.


Configure Application - Yahoo! Messenger

  • On the same page, with View Style: Category selected as IM, select Yahoo! Messenger under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Accounts.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Accounts, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).

Configure Application - Skype

  • Select Skype under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Marketing.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Marketing, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).

Configure Application - Trillian

  • Select Trillian under Application.
  • Click on the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select the group Accounts.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for the group Accounts, which in turn would implicitly enable blocking for all other user groups except Managers, who were excluded from all IM application blocking in the parent category (IM).

Configure Application - Windows Live Messenger

  • Select Windows Live Messenger under Application.
  • Click the configure button to open the Edit Control App window.
  • Select Disable under Block.
  • Leave the Log field to inherit what was selected under the parent category IM (Enabled).
  • Under Included Users/Groups, select All.
  • Leave the Excluded Users/Groups as it is, which would be Use Category Settings (Managers).
  • Click OK. This configuration would disable blocking for all users.

Summary

By configuring the above we accomplish the following:

  • User Group Managers: All IM applications.
  • User Group Accounts: Yahoo! Messenger & Trillian.
  • User Group Marketing: Skype.
  • Windows Live Messenger can be accessed by all users.
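
The intended outcome can be checked against a small model of the category/application inheritance described in the steps above, which is the same in all three firmware sections. This is an added example, not SonicWall code: the evaluation order is a model of what this article describes, and the group Staff and the application name Other IM app are hypothetical.

```python
# Added example: models the include/exclude inheritance described in this
# article. It is not SonicOS code and does not talk to a firewall.
ALL = "All"

# Category-level setting for IM: block everyone except the excluded group.
CATEGORY = {"block": True, "included": {ALL}, "excluded": {"Managers"}}

# Per-application settings: Block is disabled for the included groups only.
# Excluded is left at "Use Category Settings", so it is read from CATEGORY.
APP_OVERRIDES = {
    "Yahoo! Messenger": {"block": False, "included": {"Accounts"}},
    "Skype": {"block": False, "included": {"Marketing"}},
    "Trillian": {"block": False, "included": {"Accounts"}},
    "Windows Live Messenger": {"block": False, "included": {ALL}},
}

# "Other IM app" is a hypothetical IM application with no per-app setting.
APPS = list(APP_OVERRIDES) + ["Other IM app"]


def _matches(groups, included):
    # Model assumption: membership in any one included group is enough.
    return ALL in included or bool(groups & included)


def is_blocked(app, user_groups):
    """Return True if a user in `user_groups` is blocked from `app`."""
    groups = set(user_groups)
    # Users in the excluded group are exempt at both levels.
    if groups & CATEGORY["excluded"]:
        return False
    override = APP_OVERRIDES.get(app)
    # An application-level setting applies to the users it includes.
    if override and _matches(groups, override["included"]):
        return override["block"]
    # Everyone else falls back to the category setting.
    return CATEGORY["block"] and _matches(groups, CATEGORY["included"])


def allowed_apps(user_groups, apps=APPS):
    """Applications a user with these group memberships can reach."""
    return sorted(a for a in apps if not is_blocked(a, user_groups))


if __name__ == "__main__":
    # "Staff" is a hypothetical group with no application-level allowance.
    for groups in (["Managers"], ["Accounts"], ["Marketing"], ["Staff"]):
        print(groups, "->", allowed_apps(groups))
```

The printed matrix should match the Summary list; any difference between it and what users actually experience points to a group membership or authentication issue rather than the App Control settings.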
