• SonicOS 7.1 Rules and Policies
• Overview
  • About SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• Access Rules
  • Setting Firewall Access Rules
    • About Connection Limiting
    • Using Bandwidth Management with Access Rules
      • Enabling Bandwidth Management on an Access Rule
    • Creating Access Rules
    • Configuring Access Rules for IPv6
      • About Stateful Packet Inspection Default Access Rules
    • Enabling and Disabling Access Rules
    • Editing Access Rules
    • Deleting Access Rules
    • Restoring Access Rules to Default Settings
    • Displaying Access Rules
      • By Zones
      • By Column
    • Displaying Access Rule Traffic Statistics
    • Configuring Access Rules for NAT64
    • Configuring Access Rules for a Zone
    • Access Rules for DNS Proxy
    • User Priority for Access Rules
  • Access Rule Configuration Examples
    • Enabling Ping
    • Blocking LAN Access for Specific Services
    • Allowing WAN Primary IP Access from the LAN Zone
• NAT Rules
  • About NAT in SonicOS
  • About NAT Load Balancing
    • Determining the NAT LB Method to Use
    • Caveats
    • How Load Balancing Algorithms are Applied
    • Sticky IP Algorithm Examples
      • Example One - Mapping to a Network
      • Example Two - Mapping to an IP Address Range
  • About NAT64
    • Use of Pref64::/n
  • About FQDN-based NAT
  • About Source MAC Address Override
  • Viewing NAT Policy Entries
    • Changing the Display
    • Filtering the Display
    • Displaying Information about Policies
  • Adding or Editing NAT or NAT64 Rule Policies
  • Deleting NAT Policies
  • Creating NAT Rule Policies: Examples
    • Creating a One-to-One NAT Policy for Inbound Traffic
    • Creating a One-to-One NAT Policy for Outbound Traffic
    • Inbound Port Address Translation via One-to-One NAT Policy
    • Inbound Port Address Translation via WAN IP Address
    • Creating a Many-to-One NAT Policy
    • Creating a Many-to-Many NAT Policy
    • Creating a One-to-Many NAT Load Balancing Policy
    • Creating a NAT Load Balancing Policy for Two Web Servers
    • Creating a WAN-to-WAN Access Rule for a NAT64 Policy
    • DNS Doctoring
• Routing
  • About Routing
    • About Metrics and Administrative Distance
      • About Metrics
      • About Administrative Distance
    • Route Advertisement
    • ECMP Routing
    • Policy-based Routing
    • Policy-based TOS Routing
    • PBR Metric-based Priority
    • Policy-based Routing and IPv6
    • OSPF and RIP Advanced Routing Services
      • About Routing Services
        • Protocol Type
        • Maximum Hops
        • Split-Horizon
        • Poison Reverse
        • Routing Table Updates
        • Subnet Sizes Supported
        • Autonomous System Topologies
      • OSPF Terms
    • Drop Tunnel Interface
    • App-based Routing
  • Rules and Policies >
    • Configuring
      • Adding Static Routes
      • Probe-Enabled Policy-based Routing Configuration
• DNS Rules
  • Creating DNS Filtering Profiles
  • Configuring DNS Filtering
    • Creating DNS Policy Rules
      • Editing DNS Policies
      • Deleting DNS Policies
    • Configuring Global DNS Filtering Settings
    • Configuring DNS Filtering Custom Domains
  • Viewing DNS Information
    • Viewing DNS Using the Dashboard
    • Viewing DNS Filtering Reports
• Content Filter Rules
  • About Content Filtering Rules (CFS)
    • About Content Filter Rules
    • About UUIDs for CFS Policies
    • About Content Filter Action Objects
    • How CFS Works
  • Configuring CFS Policies
    • About the Content Filter Rule Table
      • Searching the Content Filter Rule Table
    • Adding a Content Filter Rule
    • Editing a Content Filter Rule
    • Deleting Content Filter Rules
• App Rules
  • About App Rules
    • What are App Rules?
      • About App Rules Policies
      • About App Rules Capabilities
    • Benefits of App Rules
    • How Does Application Control Work?
    • About App Rules Policy Creation
    • Licensing App Rules and App Control
    • Terminology
  • Rules and Policies > App Rules
    • Configuring an App Rules Policy
  • Verifying App Rules Configuration
    • Useful Tools
      • Wireshark
      • Hex Editor
  • App Rules Use Cases
    • Creating a Regular Expression in a Match Object
    • Policy-based Application Rules
    • Logging Application Signature-based Policies
    • Compliance Enforcement
    • Server Protection
    • Hosted Email Environments
    • Email Control
    • Web Browser Control
    • HTTP Post Control
    • Forbidden File Type Control
    • ActiveX Control
    • FTP Control
      • Blocking Outbound Proprietary Files Over FTP
      • Blocking Outbound UTF-8 / UTF-16 Encoded Files
      • Blocking FTP Commands
    • Bandwidth Management
    • Bypass DPI
    • Custom Signature
    • Reverse Shell Exploit Prevention
      • Generating the Network Activity
      • Capturing and Exporting the Payload to a Text File Using Wireshark
      • Creating a Match Object
      • Defining the Policy
• Endpoint Rules
• SonicWall Support
  • About This Document

Licensing App Rules and App Control

The Application Visualization and Control license has two components:

• The Visualization component provides identification and reporting of application traffic in the Appliance Health pages.
• The Control component allows you to create and enforce App Rules and App Control policies for logging, blocking, and bandwidth management of application traffic handled by your network.

Application Visualization and Control can also be licensed together in a bundle with other security services including SonicWall Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS).

Upon registration on MySonicWall, or when you load SonicOS onto a registered SonicWall device, supported SonicWall appliances begin an automatic 30-day trial license for Application Visualization and Control, and application signatures are downloaded to the appliance.

A free 30-day trial is also available for the other security services in the bundle, but it is not automatically enabled as it is for Application Visualization and Control. You can start the additional free trials on the individual Security Services pages in SonicOS, or on MySonicWall.

After Real-Time data collection is manually enabled on the DEVICE | AppFlow > Flow Reporting page (see the Managing Flow Reporting Statistics section in the SonicOS Logs and Reporting technical documentation), you can view real-time application traffic on the Live Monitor page and see application activity in other MONITOR pages for the identified/classified flows from the firewall application signature database.

To begin using application control, you must enable it in the Status/Settings view of the POLICY | Security Services > App Control page in the Global Settings section:

To begin using policies created with App Rules and App Control, select Enable App Control on the POLICY | Security Services > App Control page.

When Enable App Control is enabled from the POLICY | Security Services > App Control page, the dpi=1 Syslog tag is seen in Connection Closed Syslog messages for all traffic that passed through Deep Packet Inspection. Traffic that did not pass through DPI shows dpi=0 in the Connection Closed Syslog messages. For more information about the Index of Syslog Tags Field Descriptions or Syslog examples showing the SPI tag, see the SonicOS Log Events Administration Guide.

The SonicWall Licensing server provides the App Visualization and Control license key to the firewall when you begin a 30-day trial (upon registration) or purchase a Security Services license bundle.

Licensing is available on www.mysonicwall.com on the Service Management page under GATEWAY SERVICES.

The Security Services license bundle includes licenses for the following subscription services:

• App Visualization
• App Control
• Gateway Anti-Virus
• Gateway Anti-Spyware
• Intrusion Prevention Service

Application signature updates and signature updates for other Security Services are periodically downloaded to the firewall as long as these services are licensed.

If you disable App Control in the SonicOS management interface, application signature updates are discontinued until the feature is enabled again.

When High Availability is configured between two firewalls, the firewalls can share the Security Services license. To use this feature, you must register the firewalls on MySonicWall as Associated Products. Both appliances must be the same SonicWall network security appliance model.

For a High Availability pair, even if you first register your appliances on MySonicWall, you must individually register both the Primary and the Secondary appliances from the SonicOS management interface while logged into the individual management IP address of each appliance. This allows the Secondary unit to synchronize with the firewall license server and share licenses with the associated Primary appliance. When Internet access is restricted, you can manually apply the shared licenses to both appliances.