SonicOS 7.1 Rules and Policies for Classic Mode
- SonicOS 7.1 Rules and Policies
- Overview
- Access Rules
- Setting Firewall Access Rules
- About Connection Limiting
- Using Bandwidth Management with Access Rules
- Creating Access Rules
- Configuring Access Rules for IPv6
- Enabling and Disabling Access Rules
- Editing Access Rules
- Deleting Access Rules
- Restoring Access Rules to Default Settings
- Displaying Access Rules
- Displaying Access Rule Traffic Statistics
- Configuring Access Rules for NAT64
- Configuring Access Rules for a Zone
- Access Rules for DNS Proxy
- User Priority for Access Rules
- Access Rule Configuration Examples
- Setting Firewall Access Rules
- NAT Rules
- About NAT in SonicOS
- About NAT Load Balancing
- About NAT64
- About FQDN-based NAT
- About Source MAC Address Override
- Viewing NAT Policy Entries
- Adding or Editing NAT or NAT64 Rule Policies
- Deleting NAT Policies
- Creating NAT Rule Policies: Examples
- Creating a One-to-One NAT Policy for Inbound Traffic
- Creating a One-to-One NAT Policy for Outbound Traffic
- Inbound Port Address Translation via One-to-One NAT Policy
- Inbound Port Address Translation via WAN IP Address
- Creating a Many-to-One NAT Policy
- Creating a Many-to-Many NAT Policy
- Creating a One-to-Many NAT Load Balancing Policy
- Creating a NAT Load Balancing Policy for Two Web Servers
- Creating a WAN-to-WAN Access Rule for a NAT64 Policy
- DNS Doctoring
- Routing
- DNS Rules
- Content Filter Rules
- App Rules
- About App Rules
- Rules and Policies > App Rules
- Verifying App Rules Configuration
- App Rules Use Cases
- Creating a Regular Expression in a Match Object
- Policy-based Application Rules
- Logging Application Signature-based Policies
- Compliance Enforcement
- Server Protection
- Hosted Email Environments
- Email Control
- Web Browser Control
- HTTP Post Control
- Forbidden File Type Control
- ActiveX Control
- FTP Control
- Bandwidth Management
- Bypass DPI
- Custom Signature
- Reverse Shell Exploit Prevention
- Endpoint Rules
- SonicWall Support
Configuring an App Rules Policy
When you have created the necessary match object and action object, you are ready to create a policy that uses them.
For information about using the App Control Wizard to create a policy, see Using the App Rule Wizard.
For information about policies and policy types, see About App Rules Policy Creation.
Policies configured through the POLICY | Rules and Policies > App Control page take precedence over those configured through the POLICY | Rules and Policies > App Rules page.
To configure an App Rules policy
-
Navigate to the POLICY | Rules and Policies > App Rules page.
-
At the top of the page, click +Add. The Add App Rule dialog displays.
-
Enter a descriptive name into the Policy Name field.
-
Select a Policy Type from the drop-down menu. Your selection here affects options available in the dialog. For information about available policy types, see About App Rules Policy Creation.
-
Select an Address Source and Address Destination from the drop-down menus. Only a single Address field is available for IPS Content, App Control Content, or CFS policy types.
-
Select a Service Source and Service Destination from the drop-down menus. Some policy types do not provide a choice of service.
-
For Exclusion Address and Exclusion Service, optionally select an address group and service from the drop-down menus. This address is not affected by the policy.
-
For Match Object Included and Match Objects Excluded, select a appropriate match objects from the drop-down menus containing the defined match objects applicable to the policy type.
The excluded match object provides the ability to differentiate subdomains in the policy. For example, if you wanted to allow
news.yahoo.com
, but block all other yahoo.com sites, you would create match objects for bothyahoo.com
andnews.yahoo.com
. You would then create a policy blocking Match Objectyahoo.com
and set Match Objects Excluded tonews.yahoo.com
.The Match Objects Excluded does not take effect when the match object type is set to Custom Object. Custom Objects cannot be selected as the Match Objects Excluded.
-
For Action Object, select an action from the drop-down menu containing actions applicable to the policy type. The available objects include predefined actions plus any customized actions which are applicable. The default for all policy types is Reset/Drop.
For a log-only policy, select No Action.
-
For Users/Groups, select from the drop-down menus for both Included and Excluded. The selected users or group under Excluded are not affected by the policy.
-
If the policy type is SMTP Client, select from the drop-down menus for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or group under Excluded are not affected by the policy.
-
For Schedule, select from the drop-down menu, which contains a variety of schedules for the policy to be in effect.
Specifying a schedule other than the default, Always On, turns on the rule only during the scheduled time. For example, specifying Work Hours for a policy to block access to non-business sites allows access to non-business sites during non-business hours.
-
If you want the policy to create a log entry when a match is found, select Enable Logging.
-
To record more details in the log, select Log individual object content.
-
If the policy type is IPS Content, select Log using IPS message format to display the category in the log entry as Intrusion Prevention rather than Application Control, and to use a prefix such as IPS Detection Alert in the log message rather than Application Control Alert. This is useful if you want to use log filters to search for IPS alerts.
-
If the policy type is App Control Content, select Log using App Control message format to display the category in the log entry as Application Control, and to use a prefix such as Application Control Detection Alert in the log message. This is useful if you want to use log filters to search for application control alerts.
-
For Log Redundancy Filter, you can either select Global Settings to use the global value set on the POLICY | Rules and Policies > App Control page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
-
For Connection Side, select from the drop-down menu. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content or App Control Content policy types do not provide this configuration option.
-
For Direction, click either Basic or Advanced and select a direction from the drop-down menu. Basic allows you to select incoming, outgoing, or both. Advanced allows you to select between zones, such as LAN to WAN. IPS Content or App Control Content policy types do not provide this configuration option.
-
If the policy type is IPS Content or App Control Content, select a zone from the Zone drop-down menu. The policy will be applied to this zone.
-
Click OK.
Was This Article Helpful?
Help us to improve our support portal