Controlling Application Traffic
License: Control
When the ASA FirePOWER module analyzes IP traffic, it can identify and classify the commonly used applications on your network.
Understanding Application Control
Application conditions in access control rules allow you to perform this application control. Within a single access control rule, there are a few ways you can specify applications whose traffic you want to control:
- You can select individual applications, including custom applications.
- You can use system-provided application filters, which are named sets of applications organized according to the applications’ basic characteristics: type, risk, business relevance, categories, and tags.
- You can create and use custom application filters, which group applications (including custom applications) in any way you choose.
Application filters allow you to quickly create application conditions for access control rules. They simplify policy creation and administration, and grant you assurance that the system will control web traffic as expected. For example, you could create an access control rule that identifies and blocks all high risk, low business relevance applications. If a user attempts to use one of those applications, the session is blocked.
In addition, Cisco frequently updates and adds additional detectors via system and vulnerability database (VDB) updates. By using filters based on application characteristics, you can ensure that the system uses the most up-to-date detectors to monitor application traffic.
Building Application Conditions
For traffic to match an access control rule with an application condition, the traffic must match one of the filters or applications that you add to a Selected Applications and Filters list.
In a single application condition, you can add a maximum of 50 items to the Selected Applications and Filters list. Each of the following counts as an item:
- One or more filters from the Application Filters list, individually or in custom combination. This item represents a set of applications, grouped by characteristic.
- A filter created by saving an application search in the Available Applications list. This item represents a set of applications, grouped by substring match.
- An individual application from the Available Applications list.
In the module interface, filters added to a condition are listed above and separately from individually added applications.
Note that when you deploy an access control policy, for each rule with an application condition, the system generates a list of unique applications to match. In other words, you may use overlapping filters and individually specified applications to ensure complete coverage.
Note: For encrypted traffic, the system can identify and filter traffic using only the applications tagged SSL Protocol. Applications without this tag can only be detected in unencrypted or decrypted traffic.
Matching Traffic with Application Filters
License: Control
When building an application condition in an access control rule, use the Application Filters list to create a set of applications, grouped by characteristic, whose traffic you want to match.
Note that the mechanism for filtering applications within an access control rule is the same as that for creating reusable, custom application filters using the object manager; see Working with Application Filters. You can also save many filters you create on-the-fly in access control rules as new, reusable filters. You cannot save a filter that includes another user-created filter because you cannot nest user-created filters.
Understanding How Filters Are Combined
When you select filters, singly or in combination, the Available Applications list updates to display only the applications that meet your criteria. You can select system-provided filters in combination, but not custom filters.
The system links multiple filters of the same filter type with an OR operation. For example, if you select the Medium and High filters under the Risks type, the resulting filter is:
Risk: Medium OR High
If the Medium filter contains 110 applications and the High filter contains 82 applications, the system displays all 192 applications in the Available Applications list.
The system links different types of filters with an AND operation. For example, if you select the Medium and High filters under the Risks type, and the Medium and High filters under the Business Relevance type, the resulting filter is:
Risk: Medium OR High
AND
Business Relevance: Medium OR High
In this case, the system displays only those applications that are included in both the Medium or High Risk type AND the Medium or High Business Relevance type.
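The OR-within-a-type, AND-across-types rule above is easy to get wrong when several filter types are checked at once. The following Python model is an added example, not Cisco's code or a reproduction of the module's interface: it uses a small constructed catalogue of applications with made-up characteristic values and shows which applications the Available Applications list would contain for a given selection. Treating Tags as a multi-valued characteristic (an application can carry several tags) is an assumption; Risks and Business Relevance are modelled as single-valued.

```python
"""Model of how the Application Filters list combines checked filters.

Added example, not Cisco's code. The catalogue below is constructed and its
values are illustrative, not real VDB data.
"""

# Constructed sample catalogue: application name -> characteristic values.
APPLICATIONS = {
    "web-mail":     {"Risks": {"High"},   "Business Relevance": {"Medium"},    "Tags": {"SSL Protocol"}},
    "p2p-share":    {"Risks": {"High"},   "Business Relevance": {"Low"},       "Tags": set()},
    "chat-client":  {"Risks": {"Medium"}, "Business Relevance": {"Medium"},    "Tags": {"SSL Protocol"}},
    "video-stream": {"Risks": {"Medium"}, "Business Relevance": {"Low"},       "Tags": set()},
    "crm-saas":     {"Risks": {"Low"},    "Business Relevance": {"High"},      "Tags": {"SSL Protocol"}},
    "code-repo":    {"Risks": {"Low"},    "Business Relevance": {"Very High"}, "Tags": {"SSL Protocol"}},
}


def app_matches(attrs, selected):
    """True if one application satisfies the checked filters.

    selected maps a filter type (e.g. "Risks") to the list of filter names
    checked under it, in display order. Within a type the test is OR: any
    checked value present on the application is enough. Across types the
    test is AND: every type that has a selection must be satisfied. Types
    with nothing checked do not constrain the result.
    """
    return all(
        any(value in attrs.get(ftype, set()) for value in values)
        for ftype, values in selected.items()
        if values
    )


def available_applications(selected, catalogue=APPLICATIONS):
    """Names the Available Applications list would show for this selection."""
    return {name for name, attrs in catalogue.items() if app_matches(attrs, selected)}


def describe_selection(selected):
    """Readable form of the combined filter, e.g.
    'Risks: Medium OR High AND Business Relevance: Medium OR High'."""
    parts = [f"{ftype}: {' OR '.join(values)}"
             for ftype, values in selected.items() if values]
    return " AND ".join(parts)


if __name__ == "__main__":
    risk_only = {"Risks": ["Medium", "High"]}
    both = {"Risks": ["Medium", "High"], "Business Relevance": ["Medium", "High"]}
    print(describe_selection(risk_only), "->", sorted(available_applications(risk_only)))
    print(describe_selection(both), "->", sorted(available_applications(both)))
```

Because each application carries exactly one Risks value, the size of the ORed Risks selection is the sum of the sizes of the individual filters, which is the 110 + 82 = 192 arithmetic in the text; adding a second type shrinks the list to the intersection.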
Finding and Selecting Filters
To select filters, click the arrow next to a filter type to expand it, then select or clear the check box next to each filter whose applications you want to display or hide. You can also right-click a system-provided filter type (Risks, Business Relevance, Types, Categories, or Tags) and select Check All or Uncheck All.
To search for filters, click the Search by name prompt above the Available Filters list, then type a name. The list updates as you type to display matching filters.
After you are done selecting filters, use the Available Applications list to add those filters to the rule; see Matching Traffic from Individual Applications.
Matching Traffic from Individual Applications
License: Control
When building an application condition in an access control rule, use the Available Applications list to select the applications whose traffic you want to match.
Browsing the List of Applications
When you first start to build the condition, the list is unconstrained and displays every application the system detects, 100 at a time:
- To page through the applications, click the arrows underneath the list.
- To display a pop-up window with summary information about the application’s characteristics, as well as Internet search links that you can follow, click the information icon next to an application.
Finding Applications to Match
To help you find the applications you want to match, you can constrain the Available Applications list in the following ways:
- To search for applications, click the Search by name prompt above the list, then type a name. The list updates as you type to display matching applications.
- To constrain the applications by applying a filter, use the Application Filters list (see Matching Traffic with Application Filters). The Available Applications list updates as you apply filters.
Once constrained, an All apps matching the filter option appears at the top of the Available Applications list. This option allows you to add all the applications in the constrained list to the Selected Applications and Filters list, all at once.
Note: If you select one or more filters in the Application Filters list and also search the Available Applications list, your selections and the search-filtered Available Applications list are combined using an AND operation. That is, the All apps matching the filter condition includes all the individual conditions currently displayed in the Available Applications list as well as the search string entered above the Available Applications list.
Selecting Single Applications to Match in a Condition
After you find an application you want to match, click to select it. To select multiple applications, use the Shift and Ctrl keys, or right-click and select Select All to select all applications in the current constrained view.
In a single application condition, you can match a maximum of 50 applications by selecting them individually; to add more than 50 you must either create multiple access control rules or use filters to group applications.
Selecting All Applications Matching a Filter for a Condition
Once constrained by either searching or using the filters in the Application Filters list, the All apps matching the filter option appears at the top of the Available Applications list.
This option allows you to add the entire set of applications in the constrained Available Applications list to the Selected Applications and Filters list, at once. In contrast to adding applications individually, adding this set of applications counts as only one item against the maximum of 50, regardless of the number of individual applications that comprise it.
When you build an application condition this way, the name of the filter you add to the Selected Applications and Filters list is a concatenation of the filter types represented in the filter plus the names of up to three filters for each type. More than three filters of the same type are followed by an ellipsis (...). For example, the following filter name includes two filters under the Risks type and four under Business Relevance:
Risks: Medium, High Business Relevance: Low, Medium, High,...
Filter types that are not represented in a filter you add with All apps matching the filter are not included in the name of the filter you add. These filter types are set to any; that is, these filter types do not constrain the filter, so any value is allowed for these.
You can add multiple instances of All apps matching the filter to an application condition, with each instance counting as a separate item in the Selected Applications and Filters list. For example, you could add all high risk applications as one item, clear your selections, then add all low business relevance applications as another item. This application condition matches applications that are high risk OR have low business relevance.
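The item accounting in this section and the one before it (an All apps matching the filter entry counts as one item however many applications it covers, each individually added application counts as one, the limit is 50, the entry's name lists up to three filters per represented type, and the condition matches when any one item matches) is modelled below. This is an added example, not Cisco's code: the `ApplicationCondition` class and `filter_item_name` function are constructed for illustration, the name format follows the page's own example (types separated by a space, an ellipsis written as `,...`), and the application characteristics used in the demo are made up.

```python
"""Item accounting for the Selected Applications and Filters list.

Added example, not Cisco's code. Models the page's rules for item counting,
the 50-item maximum, filter naming, and OR-matching across items.
"""

MAX_ITEMS = 50


def filter_item_name(selection):
    """Name shown for an 'All apps matching the filter' item.

    selection maps a filter type to the filter names checked under it, in
    display order. Each represented type contributes 'Type: a, b, c'; when
    more than three are checked the fourth onward are shown as ',...'.
    Types with nothing checked are left out (they are treated as any).
    """
    parts = []
    for ftype, names in selection.items():
        if not names:
            continue
        shown = ", ".join(names[:3])
        if len(names) > 3:
            shown += ",..."
        parts.append(f"{ftype}: {shown}")
    return " ".join(parts)


class ApplicationCondition:
    """One application condition on an access control rule (constructed model)."""

    def __init__(self):
        self.filters = []       # one selection dict per filter item
        self.applications = []  # individually added application names

    def item_count(self):
        return len(self.filters) + len(self.applications)

    def _check_capacity(self, extra):
        if self.item_count() + extra > MAX_ITEMS:
            raise ValueError(
                f"condition would hold {self.item_count() + extra} items; "
                f"the maximum is {MAX_ITEMS}. Group applications with a "
                f"filter or split them across rules.")

    def add_filter(self, selection):
        """Add one 'All apps matching the filter' item; counts as one item."""
        self._check_capacity(1)
        self.filters.append({t: list(v) for t, v in selection.items() if v})

    def add_applications(self, names):
        """Add applications individually; each new name counts as one item."""
        new = [n for n in names if n not in self.applications]
        self._check_capacity(len(new))
        self.applications.extend(new)

    def item_names(self):
        """Filters are listed above individually added applications."""
        return [filter_item_name(f) for f in self.filters] + list(self.applications)

    def matches(self, app_name, attrs):
        """Traffic matches when its application matches any one item.

        attrs maps a filter type to the application's values. A filter item
        matches when every type it constrains (AND) contains at least one of
        the application's values (OR within the type).
        """
        if app_name in self.applications:
            return True
        return any(
            all(set(attrs.get(t, ())) & set(v) for t, v in f.items())
            for f in self.filters
        )


if __name__ == "__main__":
    cond = ApplicationCondition()
    cond.add_filter({"Risks": ["High"]})
    cond.add_filter({"Business Relevance": ["Low"]})
    cond.add_applications(["chat-client"])
    print(cond.item_count(), "items:", cond.item_names())
    # Constructed characteristics: medium risk but low relevance -> matches.
    print(cond.matches("video-stream", {"Risks": {"Medium"}, "Business Relevance": {"Low"}}))
```

Trying to add 60 applications one by one raises the capacity error, while a single filter item that covers them all still counts as one, which is the practical reason the text recommends filters over individual selection for large sets.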
Adding an Application Condition to an Access Control Rule
License: Control
For traffic to match an access control rule with an application condition, the traffic must match one of the filters or applications that you add to a Selected Applications and Filters list.
You can add a maximum of 50 items per condition, and filters added to a condition are listed above and separately from individually added applications. When building an application condition, warning icons indicate invalid configurations. For details, see Troubleshooting Access Control Policies and Rules.
To control application traffic:
Procedure
Step 1: In the access control policy where you want to control traffic by application, create a new access control rule or edit an existing rule. For detailed instructions, see Creating and Editing Access Control Rules.
Step 2: In the rule editor, click the Applications tab.
Step 3: Optionally, enable content restriction features by clicking the dimmed icons for Safe Search or YouTube EDU and setting related options; for additional configuration requirements, see Using Access Control Rule to Enforce Content Restriction. In most cases, enabling content restriction populates the condition's Selected Applications and Filters list with the appropriate values. The system does not automatically populate the list if applications or filters related to content restriction are already present in the list when you enable content restriction. Continue with the procedure to refine your application and filter selections, or skip to saving the rule.
Step 4: Optionally, use filters to constrain the list of applications displayed in the Available Applications list. Select one or more filters in the Application Filters list. For more information, see Matching Traffic with Application Filters.
Step 5: Find and select the applications you want to add from the Available Applications list. You can search for and select individual applications, or, when the list is constrained, All apps matching the filter. For more information, see Matching Traffic from Individual Applications.
Step 6: Click Add to Rule to add the selected applications to the Selected Applications and Filters list. You can also drag and drop selected applications and filters. Filters appear under the heading Filters, and applications appear under the heading Applications.
Step 7: Optionally, click the add icon above the Selected Applications and Filters list to save a custom filter composed of all the individual applications and filters currently in the list. Use the object manager to manage this on-the-fly-created filter; see . Note that you cannot save a filter that includes another user-created filter; you cannot nest user-created filters.
Step 8: Save or continue editing the rule. You must deploy the access control policy for your changes to take effect; see Deploying Configuration Changes.
Limitations to Application Control
License: Control
Keep the following points in mind when performing application control.
Speed of Application Identification
The system cannot perform application control before:
- a monitored connection is established between a client and server, and
- the system identifies the application in the session
This identification should occur within 3 to 5 packets, or after the server certificate exchange in the SSL handshake if the traffic is encrypted. If one of these first packets matches all other conditions in an access control rule containing an application condition but the identification is not complete, the access control policy allows the packet to pass. This behavior allows the connection to be established so that applications can be identified. For your convenience, affected rules are marked with an information icon.
The allowed packets are inspected by the access control policy’s default intrusion policy (not the default action intrusion policy nor the almost-matched rule’s intrusion policy).
After the system completes its identification, the system applies the access control rule action, as well as any associated intrusion and file policy, to the remaining session traffic that matches its application condition.
Handling Encrypted Traffic
The system can identify and filter unencrypted application traffic that becomes encrypted using StartTLS, such as SMTPS, POPS, FTPS, TelnetS, and IMAPS. In addition, it can identify certain encrypted applications based on the Server Name Indication in the TLS client hello message, or the server certificate subject distinguished name value.
These applications are tagged SSL Protocol. Applications without this tag can only be detected in unencrypted or decrypted traffic.
Handling Application Traffic Packets Without Payloads
The system applies the default policy action to packets that do not have a payload in a connection where an application is identified.
Handling Referred Traffic
To create a rule to act on traffic referred by a web server, such as advertisement traffic, add a condition for the referred application rather than the referring application.
Controlling Application Traffic That Uses Multiple Protocols (Skype)
The system can detect multiple types of Skype application traffic. When building an application condition to control Skype traffic, select the Skype tag from the Application Filters list rather than selecting individual applications. This ensures that the system can detect and control all Skype traffic the same way. For more information, see Matching Traffic with Application Filters.