Configuring Application Conditions and Filters

To build an application condition or filter, choose the applications whose traffic you want to control from a list of available applications. Optionally (and recommended), constrain the available applications using filters. You can use filters and individually specified applications in the same condition.

Before you begin

  • Adaptive profiling must be enabled (its default state), as described in Configuring Adaptive Profiles, for access control rules to perform application control.

Procedure
Step 1

Invoke the rule or configuration editor:

  • Access control, decryption, QoS rule condition—In the rule editor, click Applications.
  • Identity rule condition—In the rule editor, click Realms & Settings and enable active authentication; see Create an identity rule.
  • Application filter—On the Application Filters page of the object manager, add or edit an application filter. Provide a unique Name for the filter.
  • Intelligent Application Bypass (IAB)—In the access control policy editor, click Advanced, edit IAB settings, then click Bypassable Applications and Filters.

Step 2

Find and choose the applications you want to add from the Available Applications list.

To constrain the applications displayed in Available Applications, choose one or more Application Filters or search for individual applications.

Tip

Click the Information icon next to an application to display summary information and internet search links. The unlock icon marks applications that the system can identify only in decrypted traffic.

When you choose filters, singly or in combination, the Available Applications list updates to display only the applications that meet your criteria. You can choose system-provided filters in combination, but not user-defined filters.

  • Multiple filters for the same characteristic (risk, business relevance, and so on)—Application traffic needs to match only one of the filters. For example, if you choose both the medium-risk and high-risk filters, the Available Applications list displays all medium-risk and high-risk applications.

  • Filters for different application characteristics—Application traffic must match both filter types. For example, if you choose both the high-risk and low business relevance filters, the Available Applications list displays only applications that meet both criteria.
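The two rules above (filters on the same characteristic are ORed, filters on different characteristics are ANDed, and individually chosen applications are added on top of whatever the filters select) can be modelled as a small evaluation function. The following is an added illustration, not code from the product or its documentation; the application catalog, characteristic names and attribute values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the filter semantics described above; not the product's own code.
# Only a few characteristics are modelled; the product exposes more (type, category, tags, ...).
CHARACTERISTICS = ("risk", "business_relevance", "app_type")


@dataclass(frozen=True)
class Application:
    """One entry of the application catalog (hypothetical attribute values)."""
    name: str
    risk: str
    business_relevance: str
    app_type: str


# Constructed sample catalog; the names and attributes are made up for this example.
CATALOG = [
    Application("app-a", risk="high", business_relevance="low", app_type="web"),
    Application("app-b", risk="medium", business_relevance="high", app_type="web"),
    Application("app-c", risk="high", business_relevance="high", app_type="client"),
    Application("app-d", risk="low", business_relevance="low", app_type="web"),
]


def available_applications(catalog, selected_filters):
    """Return the names that would appear in the Available Applications list.

    selected_filters is a list of (characteristic, value) pairs in the order the user
    chose them. Filters on the same characteristic are combined with OR; filters on
    different characteristics are combined with AND. With no filters, nothing is
    constrained and the whole catalog is listed.
    """
    groups = {}
    for characteristic, value in selected_filters:
        if characteristic not in CHARACTERISTICS:
            raise ValueError(f"unknown characteristic: {characteristic}")
        groups.setdefault(characteristic, set()).add(value)

    return [
        app.name
        for app in catalog
        # AND across characteristics; OR within each characteristic via set membership.
        if all(getattr(app, c) in values for c, values in groups.items())
    ]


def condition_applications(catalog, selected_filters, individual_apps):
    """Applications matched by one condition that mixes filters and individual picks.

    Filters contribute only when at least one is selected (an empty filter set is
    not a wildcard here, otherwise a condition with only individual applications
    would match everything). Individually chosen applications are always included.
    """
    known = {app.name for app in catalog}
    unknown = set(individual_apps) - known
    if unknown:
        raise ValueError(f"applications not in catalog: {sorted(unknown)}")

    from_filters = set(available_applications(catalog, selected_filters)) if selected_filters else set()
    return sorted(from_filters | set(individual_apps))


if __name__ == "__main__":
    # Same characteristic: medium OR high risk.
    print(available_applications(CATALOG, [("risk", "medium"), ("risk", "high")]))
    # Different characteristics: high risk AND low business relevance.
    print(available_applications(CATALOG, [("risk", "high"), ("business_relevance", "low")]))
    # Filter plus an individually added application.
    print(condition_applications(CATALOG, [("risk", "high"), ("business_relevance", "low")], ["app-d"]))
```

The point worth checking in your own rules is the AND across characteristics: adding a second kind of filter narrows the list, it never widens it, so a condition meant to cover "high-risk apps plus low-relevance apps" needs two separate filter selections (or two rules), not one selection that combines them.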

Step 3

Click Add Application or Add to Rule, or drag and drop.

Tip

Before you add more filters and applications, click Clear Filters to clear your current choices.

Step 4

(Access control rules only.) If destination ports are not specified on the Ports tab, select the Port for the applications.

The Port specification applies to all the applications in the list; it does not apply to any filters. You cannot specify different Port options for each application. If you already specified destination ports on the Ports tab, that selection is reflected in the application list, and you cannot make the following selection.

If you have not already specified destination ports for the rule, choose one of the following:

  • Application Default—The system looks at the default port only when evaluating traffic for an application match. Click the info button (i) to see what is considered the default for each application.

    When editing a rule, if the rule already has source ports, and you add an application that has an incompatible port and select Application Default port, you are warned. If you elect to use the application default port, the incompatible source port is removed.

  • Any—The system does not restrict the application identification based on the port used in the connection. If there are source ports specified on the Port tab, you might need to select this option to be able to save the rule.

Regardless of the option you select, if you subsequently configure any destination value on the Ports tab, the ports specified on the Ports tab override your selection here, and change the application port to Any. If you want to limit the rule to one, multiple, or a range of ports that are not the application default port, use the Ports tab.

This option does not apply to custom detectors.

Note

If the access control policy is assigned to devices running 7.x versions, the rule is handled differently if you have included applications that have different default ports. When you select to apply the rule to the default ports only, then for 7.7 systems, the rule is split into separate rules, one per application. For systems running versions 7.3-7.6, the rule is kept as a single rule, but the ports page is updated with each of the default ports. If you are managing devices running down-level FTD versions, and you want to use default port matching, we recommend that you limit the application list in each rule to applications that have the same default port.

Step 5

Save or continue editing the rule or configuration.
What to do next

  • Deploy configuration changes.