SonicOS 7 Match Objects

About Match Objects

Match objects represent the set of conditions which must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, regex, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Match objects were referred to as application objects in previous releases.

Hexadecimal input representation is used to match binary content such as executable files, while alphanumeric (text) input representation is used to match things like file or email content. You can also use hexadecimal input representation for binary content found in a graphic image. Text input representation could be used to match the same graphic if it contains a certain string in one of its properties fields. Regular expressions (regex) are used to match a pattern rather than a specific string or value, and use alphanumeric input representation.

The File Content match object type provides a way to match a pattern or keyword within a file. This type of match object can only be used with FTP Data Transfer, HTTP Server, or SMTP Client policies.

Application List and Application Category List match object types can be used with App Based Route policies, which are configured on the Policy > App Rules page.

These objects are created by clicking the Add or Add Applications option on the Objects > Match Objects page. For information about App Based Route policies, see the SonicOS System Setup administration documentation.

The following table describes the supported match object types.

Supported match object types

| Object Type | Description | Match Types | Negative Matching | Extra Properties |
|---|---|---|---|---|
| ActiveX ClassID | Class ID of an Active-X component. For example, ClassID of Gator Active-X component is “c1fb8842-5281-45ce-a271-8fd5f117ba5f” | Exact | No | None |
| Application Category List | Allows specification of application categories, such as Multimedia, P2P, or Social Networking | N/A | No | None |
| Application List | Allows specification of individual applications within the application category that you select | N/A | No | None |
| Application Signature List | Allows specification of individual signatures for the application and category that you select | N/A | No | None |
| Custom Object | Allows specification of an IPS-style custom set of conditions. | Exact | No | There are 4 additional, optional parameters that can be set: offset (describes from what byte in packet payload we should start matching the pattern – starts with 1; helps minimize false positives in matching), depth (describes at what byte in the packet payload we should stop matching the pattern – starts with 1), minimum payload size and maximum payload size. |
| Email Body | Any content in the body of an email. | Partial | No | None |
| Email CC (MIME Header) | Any content in the CC MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email From (MIME Header) | Any content in the From MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email Size | Allows specification of the maximum email size that can be sent. | N/A | No | None |
| Email Subject (MIME Header) | Any content in the Subject MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email To (MIME Header) | Any content in the To MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| MIME Custom Header | Allows for creation of MIME custom headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| File Content | Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. | Partial | No | ‘Disable attachment’ action should never be applied to this object. |
| Filename | In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file. | Exact, Partial, Prefix, Suffix | Yes | None |
| Filename Extension | In cases of email, this is an attachment filename extension. In cases of HTTP, this is a filename extension of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename extension of an uploaded or downloaded file. | Exact | Yes | None |
| FTP Command | Allows selection of specific FTP commands. | N/A | No | None |
| FTP Command + Value | Allows selection of specific FTP commands and their values. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Cookie Header | Allows specification of a Cookie sent by a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Host Header | Content found inside of the HTTP Host header. Represents hostname of the destination server in the HTTP request, such as www.google.com. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Referrer Header | Allows specification of content of a Referrer header sent by a browser – this can be useful to control or keep stats of which Web sites redirected a user to customer’s Web site. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Request Custom Header | Allows handling of custom HTTP Request headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| HTTP Response Custom Header | Allows handling of custom HTTP Response headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| HTTP Set Cookie Header | Set-Cookie headers. Provides a way to disallow certain cookies to be set in a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP URI Content | Any content found inside of the URI in the HTTP request. | Exact, Partial, Prefix, Suffix | No | None |
| HTTP User-Agent Header | Any content inside of a User-Agent header. For example: User-Agent: Skype. | Exact, Partial, Prefix, Suffix | Yes | None |
| Web Browser | Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome). | N/A | Yes | None |
| IPS Signature Category List | Allows selection of one or more IPS signature groups. Each group contains multiple pre-defined IPS signatures. | N/A | No | None |
| IPS Signature List | Allows selection of one or more specific IPS signatures for enhanced granularity. | N/A | No | None |

You can see the available types of match objects in a drop-down menu in the Match Object Settings dialog.

  • In the Match Object Settings dialog, you can add multiple entries to create a list of content elements to match. All content that you provide in a match object is case-insensitive for matching purposes. A hexadecimal representation is used to match binary content. You can use a hex editor or a network protocol analyzer like Wireshark to obtain hex format for binary files. For more information about these tools, see the Wireshark and Hex Editor sections in Policy > App Rules.

You can use the Load From File icon to import content from predefined text files that contain multiple entries for a match object to match. Each entry in the file must be on its own line. The Load From File feature allows you to easily move App Rules settings from one firewall to another.

Multiple entries, either from a text file or entered manually, are displayed in the List area. List entries are matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.

A match object can include a total of no more than 8000 characters. If each element within a match object contains approximately 30 characters, then you can enter about 260 elements. The maximum element size is 8000 bytes.
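
A pre-flight check for a list file before it is imported with Load From File, as an added example (not SonicWall code). It lints a one-entry-per-line list against the rules stated above and models the case-insensitive logical OR evaluation. The function names are hypothetical, and three points are assumptions: hex entries are pairs of hex digits, only entry characters count toward the 8000-character limit, and negative matching inverts the list result.

```python
# Added example, not SonicWall code: lint a one-entry-per-line list and
# model how the page says a list is evaluated.
MAX_TOTAL_CHARS = 8000  # limit stated on the page

def lint_entries(text, representation="text"):
    """Return (entries, problems) for the contents of a list file."""
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            problems.append(f"line {lineno}: empty line")
            continue
        if representation == "hex":
            try:
                bytes.fromhex(entry)  # assumed format: pairs of hex digits
            except ValueError:
                problems.append(f"line {lineno}: not valid hexadecimal")
                continue
        key = entry.lower()  # matching is case-insensitive
        if key in seen:
            problems.append(f"line {lineno}: duplicate ignoring case")
            continue
        seen.add(key)
        entries.append(entry)
    # Assumption: only entry characters count toward the limit.
    total = sum(len(e) for e in entries)
    if total > MAX_TOTAL_CHARS:
        problems.append(f"total {total} characters exceeds {MAX_TOTAL_CHARS}")
    return entries, problems

def list_matches(entries, value, match_type="partial", negative=False):
    """Case-insensitive logical OR over the list entries."""
    v = value.lower()
    tests = {
        "exact": lambda e: v == e,
        "partial": lambda e: e in v,
        "prefix": lambda e: v.startswith(e),
        "suffix": lambda e: v.endswith(e),
    }
    hit = any(tests[match_type](e.lower()) for e in entries)
    return hit != negative  # assumption: negative matching inverts the result

# Constructed sample: User-Agent strings with a duplicate and a blank line.
SAMPLE = "Skype\nskype\nBitTorrent\n\ncurl/\n"

if __name__ == "__main__":
    entries, problems = lint_entries(SAMPLE)
    print(entries, problems)
    print(list_matches(entries, "Mozilla/5.0 SKYPE 8.1"))          # partial
    print(list_matches(entries, "curl/8.4.0", match_type="prefix"))
```

Because matching is case-insensitive, entries that differ only in case are redundant and still use up part of the character budget, which is why the linter reports them.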
