The application control function of NGAF provides refined control over internal users' internet access (HTTP) behavior, FTP behavior, IM behavior, tool behavior, and so on. In general, an enterprise needs to manage the internet access behavior of LAN users: different users need different permissions to access network resources, and the permissions of the same user often differ between time periods. The application control function of NGAF meets these requirements.
By integrating Endpoint Secure, you can track and control applications from the endpoint application list to prevent employees from using those apps during office hours, improving productivity and reducing network security risks.
To configure this module, you use the zones defined on the Network page and objects such as services, network objects, schedules, and the app signature database defined on the Object Settings page.
Navigate to Policies > Access Control > Application Control Policy to go to the page to set an application control policy or endpoint app control policy. You can add, delete, enable, disable, or search for an application control policy on this page. By default, the device provides a control policy that denies all services or applications.
For the Endpoint App Control configuration guide, please refer to section 4.4.5 Endpoint App Control.
Policy Configuration
Use the Policy Configuration page to add, modify, and reorder application control policies. Move the pointer over the name of a policy group; an ellipsis (…) then appears next to the policy group. Click it to edit the policy group. The available operations are described below.
| Operation | Note |
| --- | --- |
| Delete | Deletes the current policy group. |
| Edit | Renames the policy group. |
| Insert above | Inserts a new policy group above the current policy group. |
| Stick | Moves the current policy group to the top. |
| Move up | Moves the current policy group up by one position. |
| Move down | Moves the current policy group down by one position. |
| Move to a specified position | Moves the current policy group to a specified position in the order. |

Table 13: Description of Policy Configuration Parameters
Application Control Policy:
On the Policy Configuration page, click Add. Then, the Add Application Control Strategy dialog box appears. The settings are as follows.
Basics:
Name: Enter a custom policy name.
Status: Set the policy status to Enabled or Disabled.
Description: Enter the description of the policy. This parameter is optional.
Policy Group: Select the policy group to which the policy belongs.
Position: Set the priority of the policy to enable it before or after a policy.
Tag: Select the policy tag. This parameter is optional and can be set for displaying a specified zone or filtering.
Source:
Src Zone: Select the source zone of the data to be controlled. By default, any is selected, which means that data from all source zones is controlled.
Src Address: Select the source IP addresses or users to be controlled.
User/Group: Indicates user information obtained by navigating to User Authentication > User Management > Groups > Users.
Destination:
Dst Zone: Select the destination zone of the data to be controlled. By default, any is selected, which means that data to all destination zones is controlled.
Dst Address: Select the destination IP group of the data to be controlled. To control the data of LAN users accessing the internet, select All for the Dst Address parameter.
Services: Select services that need to be controlled. Services that you can select are the ones set on the Objects > Services page.
Applications: Select applications to be controlled. Application signatures are called by going to Objects > Content Signature Database > App Signature Database.
A packet must match both the Services and the Applications parameters for the policy to match.
Actions:
Action: Set whether to allow or deny the data packets meeting the defined conditions.
Schedule: A filter condition. The policy takes effect only within the selected time range. The schedule objects defined on the Objects > Schedule page are used here.
Advanced: Click Settings. Then, the Advanced dialog box appears. See the figure below.
Persistent Connection: This option is intended only for special servers that require persistent connections; such connections are then not cleared by the firewall's session timeout. Enabling it slows down connection release. The value ranges from 1 day to 15 days. Proceed with caution.
Logging: By default, application control logging is not enabled. Before you set this advanced option, navigate to System > Log Settings, enable Application Control Logs, and select the path for saving the application control log. Then select Log events; control behaviors are recorded to the storage path that you selected. Because application control logs grow large, writing them degrades the read/write performance of the system disks. We recommend storing the logs on an external data center or on a Syslog server.
Endpoint App Control Policy:
On the Policy Configuration page, click Add. Then, the Add Endpoint App Control dialog box appears. The settings are as follows.
Name: Enter a custom policy name.
Status: Set the policy status to Enabled or Disabled.
Description: Enter the description of the policy. This parameter is optional.
Policy Group: The endpoint app control policy will be set in Integration Policy Group.
Tag: Select the policy tag. This parameter is optional and can be set for displaying a specified zone or filtering.
Endpoints: Select the endpoint IP to be controlled. You can create the endpoint IP according to the endpoint list in SOC > Next-Gen Security > Endpoint Protection > Endpoints.
Applications: Select applications to be controlled. Application signatures are called by going to Objects > Content Signature Database > Endpoint app Signature Database.
Schedule: A filter condition. The policy takes effect only within the selected time range. The schedule objects defined on the Objects > Schedule page are used here.
Action: Set whether to allow or deny the data packets meeting the defined conditions.
Tags: Set related tag operations, including adding, editing, and deleting tags. See the figure below.
Log Reason for Policy Changes: After this parameter is enabled, you can record the reasons for adding or modifying a policy. If it is not enabled, only the content and type of change will be recorded. Click View to go to the Policy Lifecycle Management page.
Test Policy Match: Tests whether the policy matches based on the quintuple. See the figure below.
Check Policy Validity: Checks invalid policies.
Check Policy Conflict in Real-Time: Checks for conflicting policies and raises an alert in real time while you add, modify, or move a policy. After this function is enabled, page loading may be delayed when there are many policies.
Application Control Configuration case
An enterprise does not allow R&D department personnel to use IM chat tools during working hours. When R&D personnel use IM tools, the device rejects the request. To implement this, you need to add an application control policy on NGAF.
Operation Steps
Step 1. Navigate to Policy > Application Control Policy, and click Add. Then, the Add Application Control Policy dialog box appears.
The relevant parameters in the Basics section can be set as follows:
Name: Enter Allow RDP.
Status: Select Enabled.
Description: Enter a custom description, such as "Personnel in the R&D Department are not allowed to use IM."
Policy Group: Select a default policy group.
Position: Set the priority before the P2P download is limited.
Tag: Enter a customizable tag or select a default one.
Step 2. Select a custom LAN zone for the Src Zone parameter. For more information about how to define a zone, see Section 5.2 Zone. Select the custom R&D department group for the Src Address parameter. For more information about how to define a user group, see Section 7.6.2 User Management.
If a user group is selected in the policy, you need to enable the authentication function and configure the relevant authentication policies. If the authentication policy is not enabled, this application control policy will not take effect.
Step 3. Set the parameters in the Destination section: Select WAN for the Dst Zone parameter, All for the Dst Address parameter, any for the Services parameter, and Remote Login/RemoteDesktop for the Applications parameter.
Step 4. Set the parameters in the Actions section: Select Allow for the Action parameter and All Week for the Schedule parameter. If you need to view the log, select Log events in the Advanced dialog box.
Step 5. Click Save. The configuration is then complete.
Step 6. After that, when R&D department personnel use PCs to log in to the remote desktop, they can log in normally.
Step 7. Navigate to Monitor > Logs > Behavior Log to view details of denied logs.
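The policy settings above and the configuration case describe an ordered, first-match rule set with a built-in default deny. The following Python model is an added example (not Sangfor's code) that evaluates constructed sessions against such a rule set; the field names, the simplified schedule, and the matching semantics are assumptions that approximate the parameters described on this page.

```python
from dataclasses import dataclass
from datetime import datetime

ANY = "any"

@dataclass
class Policy:
    """One application control policy (field names are assumptions)."""
    name: str
    action: str                                  # "allow" or "deny"
    src_zone: str = ANY
    users: frozenset = frozenset({ANY})          # Src Address: user/group
    dst_zone: str = ANY
    services: frozenset = frozenset({ANY})
    apps: frozenset = frozenset({ANY})
    weekdays: frozenset = frozenset(range(7))    # Schedule: 0 = Monday
    hours: range = range(24)                     # Schedule: active hours
    enabled: bool = True

def _member(value, allowed):
    return ANY in allowed or value in allowed

def matches(p, sess, when):
    """All conditions must hold; Services AND Applications both have to match."""
    return (p.enabled
            and p.src_zone in (ANY, sess["src_zone"])
            and _member(sess["user"], p.users)
            and p.dst_zone in (ANY, sess["dst_zone"])
            and _member(sess["service"], p.services)
            and _member(sess["app"], p.apps)
            and when.weekday() in p.weekdays
            and when.hour in p.hours)

def evaluate(policies, sess, when):
    """First matching policy in Position order wins; the device's built-in
    policy denies anything that no configured policy matched."""
    for p in policies:
        if matches(p, sess, when):
            return p.action, p.name
    return "deny", "default deny"

# Constructed policies for the page's scenario: the R&D group may not use IM
# during working hours (Mon-Fri 09:00-17:59); other LAN-to-WAN traffic is allowed.
POLICIES = [
    Policy("Deny IM for R&D", "deny", src_zone="LAN", users=frozenset({"R&D"}),
           dst_zone="WAN", apps=frozenset({"IM"}),
           weekdays=frozenset(range(5)), hours=range(9, 18)),
    Policy("Allow LAN to WAN", "allow", src_zone="LAN", dst_zone="WAN"),
]
# Constructed session: an R&D user opening an IM application over TCP 443.
RD_IM = {"src_zone": "LAN", "user": "R&D", "dst_zone": "WAN",
         "service": "tcp/443", "app": "IM"}
WORK_HOURS = datetime(2024, 6, 4, 10, 30)   # Tuesday 10:30
WEEKEND = datetime(2024, 6, 8, 10, 30)      # Saturday 10:30
```

Reversing the two policies shows why the Position parameter matters: the broad allow then matches first and the deny rule never fires, which is the kind of shadowed rule the Policy Optimization and Check Policy Conflict functions are meant to flag.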
Policy Optimization
The policy optimization function performs a systematic analysis of the current application control policies and provides tips for those that are unreasonably configured. When many application control policies are configured, this function quickly optimizes them for fine-grained management and control, based on the principle of minimizing the scope of the traffic allowed.
Click Start Analysis. Then, the system automatically performs a policy optimization analysis and generates a risk list shown in the above figure.
Click Ignore in the row of the event to be optimized, then choose to ignore the event so that this application control policy event is not detected for a certain period.
Click View in the Operation column of the event to be optimized. Details (suggested solutions) of the event are then displayed, as shown in the following figure:
Policy Lifecycle Management
Policy lifecycle management records the changes made to application control policies within the specified query range and displays them, so that routine maintenance is recorded and traceable.
Start Time: Set the start time of the changes to be queried.
End Time: Set the end time of the changes to be queried.
Policy: Set the application control policies of which the changes are to be queried. The default setting is to query the changes of all policies.
Operation Type: Set the types of changes to be queried, including Add, Edit, and Delete.
Account: Set the accounts of which the changes are to be queried. The default setting is to query the changes of all accounts.
After you set the preceding parameters, click Filter. Then, the following contents are displayed.
Export Logs: Exports the change query result as a table in .csv format.
Export Options: Set the content to be included in the exported logs. By default, all contents of a log are exported. You can deselect the items that are not to be exported as required.
Log Details: Click View in the Operation column of the change records queried. Then, the details of the changes are displayed, as shown in the following figure.