SonicOS Application Firewall Configuration Examples

This technote describes practical usage examples of the SonicOS Application Firewall (AF) feature
introduced in SonicOS Enhanced 4.0.

The Application Firewall (AF) feature introduced in SonicOS Enhanced 4.0 and higher releases gives
network administrators deep visibility into the various types of network traffic traversing the firewall and
provides a powerful tool for controlling that traffic granularly.[1]

The specific AF practical examples presented in this document are:

Fingerprint - Prevent a document that contains a specific fingerprint (e.g. embedded corporate watermark)
from being transferred out of the network.

Bandwidth Throttling on a global basis – Detect and apply bandwidth throttling to streaming media on a
global basis (all users).

Bandwidth management on per group basis – Detect and apply individualized bandwidth management
(throttling & guarantees) to streaming media on a per group basis.

Forbidden file type - Prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc.) from being
uploaded or downloaded.

Disallowing all unnecessary commands - Enhance the security of public facing FTP servers by disallowing
all unnecessary commands.

Disallowing HTTP POST method - Enhance the security of public facing read-only HTTP servers by
disallowing HTTP POST method.

Block web browsers/applications - Block the usage of all non-sanctioned web browsers/applications on the
network.

AF Objects, Applicable Policy Types and Usage Example Table - Provides a matrix of Application Firewall
Objects, Applicable Policy Types and Usage Examples and their relationships.

At the end of this document you'll find an object and usage matrix that summarizes the AF
components.

[1] The examples and screenshots in this document are shown using SonicOS Enhanced 5.0 running on an E-CLASS NSA. These
examples are applicable to SonicOS Enhanced 4.0 running on SonicWALL PRO Series.

Fingerprint
To prevent documents which contain a specific fingerprint (e.g. embedded corporate watermark) from being
transferred out of the network, perform the following steps:

[Embedded image: SonicWALL_Logo.gif]

1. Create a new Word Document and name it 'ApplicationFirewall_Test.doc'.
2. Create a custom Watermark using the 'SonicWALL_Logo.gif' file embedded above in this document
(specific steps will vary based on MS Office version). Save the document.
3. Run the XVI32 hex-editor tool. You can download it here:
http://www.handshake.de/user/chmaas/delphi/download/xvi32.zip. Navigate to the
'SonicWALL_Logo.gif' file and open it.
4. Select 'Edit > Block <n> chars…', select the 'decimal' option, then type 50 in the space provided.
This marks the first 50 characters (bytes) in the file, which is sufficient to generate a unique "thumbprint" for
use in a Custom Application Object. It should look like the following screenshot.

5. Select 'Edit > Clipboard > Copy as hex string'.
6. Open Notepad, then paste the string you just copied into it. It should look like the following screenshot.

7. Next select 'Edit > Replace…' and in the dialog box that opens, under 'Find What', press the space
bar once, leave 'Replace With' empty, then click 'Replace All'. This intermediate step is necessary to remove all the spaces from
the hex string. It should now look like the following screenshot.

8. Select 'Edit > Select All' then 'Edit > Copy'.
9. In the SonicWALL GUI navigate to 'Application Firewall > Application Objects' then click 'Add
New Object'. Create an Application Object like the one shown below:

10. Navigate to 'Application Firewall > Actions' and click 'Add New Action'. Create an action like the
one shown in the following screenshot.

11. Navigate to 'Application Firewall > Policies' and click 'Add New Policy'. Create a policy like the
one shown in the following screenshot.
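
The hex string that steps 3 through 8 build by hand in XVI32 and Notepad can also be produced directly. The Python below is an added example and is not part of the SonicWALL technote; the GIF bytes in it are a constructed stand-in for SonicWALL_Logo.gif, and the function names are my own.

```python
# Added example (not from the SonicWALL technote): derive the Custom Object
# "fingerprint" hex string the same way steps 3-8 do by hand.
import binascii

FINGERPRINT_LEN = 50  # first 50 bytes, as chosen in step 4

# Constructed stand-in for SonicWALL_Logo.gif: a valid GIF89a header followed
# by filler, 64 bytes in total. It is NOT the real logo file.
SAMPLE_GIF = (
    b"GIF89a"                        # signature + version
    + b"\x10\x00\x10\x00"            # 16x16 logical screen
    + b"\x80\x00\x00"                # GCT flag, background index, aspect
    + bytes(range(0x20, 0x20 + 51))  # filler to reach 64 bytes
)


def fingerprint_hex(data: bytes, length: int = FINGERPRINT_LEN) -> str:
    """Return the first `length` bytes of `data` as one contiguous lowercase
    hex string with no spaces, the form the Custom Object's hexadecimal
    match field expects (the result of steps 5-8)."""
    if len(data) < length:
        raise ValueError(f"file is only {len(data)} bytes, need {length}")
    return binascii.hexlify(data[:length]).decode("ascii")


def xvi32_to_object_string(copied: str) -> str:
    """Normalise a string from XVI32's 'Copy as hex string' (space-separated
    bytes such as '47 49 46') into the contiguous form, replacing the
    Notepad Replace-All of step 7."""
    return "".join(copied.split()).lower()


def contains_fingerprint(payload: bytes, fp_hex: str) -> bool:
    """Model of what the Custom Object checks on a transferred file: does the
    fingerprint byte sequence appear anywhere in the payload?"""
    return binascii.unhexlify(fp_hex) in payload


if __name__ == "__main__":
    fp = fingerprint_hex(SAMPLE_GIF)
    print(fp)  # 100 hex characters, starting with 474946383961 ("GIF89a")
    # A constructed document with the logo embedded somewhere in its body.
    doc = b"\xd0\xcf\x11\xe0" + b"A" * 100 + SAMPLE_GIF + b"B" * 100
    print(contains_fingerprint(doc, fp))
```

Because the object matches raw bytes, a document that re-encodes or compresses the embedded image will not carry the same 50-byte prefix; the test in the next section with the original .doc attachment is the case this object is built for.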

Testing
To test this policy attempt to email the ‘AppFirewall_Test.doc’ you created. You should see an Alert similar
to the one below in the log:


Bandwidth Throttling on a Global Basis
To detect and apply bandwidth throttling to streaming media on a global basis (all users), perform the
following steps:

1. Open Internet Explorer and go to the following site: http://www.klif.com/listen.asp
2. Open Wireshark Network Analyzer and start a capture. You can download a copy of Wireshark here:
http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.6a.exe
3. Click where it says:

4. Once you hear audio, stop the capture and close the streaming radio player.
5. In Wireshark select 'Edit > Find Packet', select 'By: String' and 'Search in: Packet Details'. In the filter
box type 'Content-Type: application/sdp', then click 'Find'. See the screenshot below:


6. Wireshark will jump to the first frame that contains the requested data. You should see something like
the screenshot below. This indicates that the server will be sending a MIME Content-Type of
application/sdp (RTSP). Application Firewall can dynamically detect any MIME type and perform the
prescribed action. In this case we will throttle the bandwidth.
Note: Although the example here is for just one MIME type you can use a similar procedure to
identify MIME types for other types of media and data transferred over HTTP. The IANA maintains a
database of all registered MIME types here: http://www.iana.org/assignments/media-types



7. Navigate to 'Application Firewall > Application Objects' and create an object like the one in the
following screenshot.

8. Navigate to 'Application Firewall > Actions' and create an action like the one shown in the
following screenshot.
Note: In order to complete this step, Bandwidth Management must be enabled on the firewall. Please
refer to the SonicOS Enhanced Administrator's Guide for detailed steps on how to do this. You can
download the guide here:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.0_Administrators_Guide.pdf


9. Navigate to ‘Application Firewall > Policies’ and click ‘Add New Policy’. Create a policy like the
one shown in the following screenshot.

Testing
To test this policy repeat steps 1 & 3 again to listen to the streaming radio. You should see alerts similar to
the ones shown below in the log.



To verify the effectiveness of AF bandwidth management, try adjusting the 'Maximum Bandwidth' value in
the 'Bandwidth - Throttle' action to larger and smaller values. You should hear a marked
improvement or degradation in the audio quality, demonstrating that the bandwidth throttling is working as
expected.

Note: The application object we created in step 7 contains MIME types for other streaming media
sites such as http://www.youtube.com and http://www.pandora.com. Feel free to try these out as well.


Bandwidth Management on a per Group Basis
To detect and apply individualized bandwidth management (throttling & guarantees) to streaming media on a
per group basis, perform the following steps:

This example builds on the previous one by demonstrating how AF policies can be configured so that
they apply only to specified included user groups or, conversely, so that they apply to everyone except
the excluded groups. This example also demonstrates how AF can leverage the firewall's
LDAP integration capabilities along with Single Sign On (SSO). Descriptions of the various
authentication components used in this example follow, with corresponding screenshots.


Prerequisites: This example assumes you have already enabled and properly configured LDAP
authentication and SSO on the firewall and the workstation you will use to test from is a member of
the domain. You will also need SonicWALL CFS enabled on the LAN zone so that SSO
authentication will occur. Please refer to the SonicOS Enhanced Administrator’s Guide for detailed
steps on how to do these tasks. You can download the guide here:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.0_Administrators_Guide.pdf


[Screenshot: User Login Settings]

[Screenshot: LDAP Schema (Microsoft AD)]

[Screenshot: Domain Name (sonicwall-central.com)]

[Screenshot: Validation of LDAP authentication functionality and group assignment]

[Screenshot: LDAP Groups imported into firewall Local Groups (snwl-Managers & snwl-Sales)]

Validation of SSO functionality
Log in to the test workstation twice: once as a user who is a member of the 'snwl-Managers' group and once
as a user who is a member of the 'snwl-Sales' group. Open a new browser each time.

The screenshot below shows that both users were authenticated by SSO and the bubble is showing that user
'Paul' is a member of the user group 'snwl-Managers'. User Syya is a member of the 'snwl-Sales' group.

[Screenshot: SSO-authenticated users Paul (snwl-Managers) and Syya (snwl-Sales)]
1. Navigate to 'Application Firewall > Actions' and create a new action, like the one shown in the following
screenshot.

2. Navigate to 'Application Firewall > Policies' and click 'Add New Policy'. Create a policy like the
one shown in the following screenshot.

3. Edit the policy you created in the previous step so that it includes the 'snwl-Sales' group and excludes
the 'snwl-Managers' group. Refer to the following screenshot.
Testing
To test this policy, log in as a member of the 'snwl-Managers' group, go to www.youtube.com and watch any
video. Notice the quality. Next log in as a member of the 'snwl-Sales' group and repeat the exercise. You
should see a marked degradation in the video quality. The corresponding log messages are shown in the
following screenshot. Notice the two different policies being invoked: one for "manager use" that guarantees
bandwidth and the other that throttles it.

Because the application object we created in the previous example included the MIME type for .exe file transfers
(application/octet-stream), another good test you can perform to quantify the effectiveness of AF is to
download the Wireshark application we used in the first step:
http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.6a.exe. When logged in as a member of
the 'snwl-Managers' group you should see an increase in throughput compared with being logged in as a member of
'snwl-Sales'.

Forbidden File Types
To prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc.) from being uploaded or downloaded,
perform the following steps:

1. Navigate to 'Application Firewall > Application Objects' and click 'Add New Object'. Create an
object like the one shown below:

2. Navigate to 'Application Firewall > Actions' and click 'Add New Action'. Create an action like the
one shown in the following screenshot.

3. Navigate to 'Application Firewall > Policies' and click 'Add New Policy'. Create a policy like the
one shown in the following screenshot.
Testing
To test this policy, open a web browser and try to download any of the file types specified in the Application
Object (exe, vbs, scr). Below are a few URLs you can try:

http://download.skype.com/SkypeSetup.exe
http://us.dl1.yimg.com/download.yahoo.com/dl/msgr8/us/msgr8us.exe
http://g.msn.com/8reen_us/EN/INSTALL_MSN_MESSENGER_DL.EXE

You will see an alert similar to the one shown in the following screenshot in the log.

Disallowing All Unnecessary Commands
To enhance the security of public facing FTP servers by disallowing all unnecessary commands, perform the
following steps:

1. Navigate to 'Application Firewall > Application Objects' and click 'Add New Object'. Create an
object like the one shown in the following screenshot.

2. Navigate to 'Application Firewall > Actions' and click 'Add New Action'. Create an action like the
one shown in the following screenshot.

3. Navigate to 'Application Firewall > Policies' and click 'Add New Policy'. Create a policy like the
one shown in the following screenshot.

Testing
To test this policy you will need to set up an FTP server inside your firewall and create the appropriate security
policy to allow external access. Afterwards, issue one of the forbidden commands. You will see an alert similar
to the one shown below in the log.

If you don't have access to an FTP server but would like to see this policy in action, go to
ftp.sonicwall-central.com and attempt to execute one of the forbidden FTP commands.

Disallowing HTTP POST Method
To enhance the security of public facing read-only HTTP servers by disallowing the HTTP POST method, perform
the following steps:

1. Using Notepad, create a new document called Post.htm that contains the HTML code below and save
it to your desktop:
<html><body>
<form action="http://www.yahoo.com/" method="post">
<p>Please enter your name: <input type="text" name="FullName"></p>
<input type="submit" value="Submit"><input type="reset">
</form>
</body></html>

2. Open Wireshark Network Analyzer and start a capture. Open the form you just created, type in your
name and click 'Submit'. Stop the capture.
3. Using Wireshark's 'Edit > Find Packet' function, search for the string 'POST'. See the following
screenshot for details.


4. Wireshark will jump to the first frame that contains the requested data. You should see something like
the screenshot below. This shows that the HTTP POST method is transmitted immediately after
the TCP header information and consists of the first four bytes (504f5354, the ASCII string 'POST') of the TCP payload
(HTTP application layer). We will use that information to create a custom application firewall object
that detects the HTTP POST method in the following step.

5. In the SonicWALL GUI navigate to ‘Application Firewall > Application Objects’ then click ‘Add
New Object’. Create an Application Object like the one shown in the following screenshot. Notice that
in this particular application object we are using the ‘Enable Settings’ feature which allows you to
create objects that look for a match in a specific part of the payload. ‘Offset’ specifies which byte in
the payload Application Firewall should start matching. ‘Depth’ specifies at what byte to stop
matching. ‘Min’ & ‘Max’ allow you to specify a minimum and maximum payload size.

6. Navigate to ‘Application Firewall > Policies’ and click ‘Add New Policy’. Create a policy like the
one shown in the following screenshot.
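
To make the Offset / Depth / Min / Max settings of step 5 concrete, here is an added Python model of the match; it is not SonicWALL code, the semantics are my reading of the technote's description (search only inside payload[offset:depth], and only when the payload length is within the Min/Max range), and the sample requests are constructed.

```python
# Added example (not SonicWALL code): a model of a Custom Object with
# 'Enable Settings' (Offset / Depth / Min / Max) applied to a TCP payload.
from dataclasses import dataclass
from typing import Optional


@dataclass
class CustomObject:
    name: str
    pattern_hex: str              # e.g. "504f5354" == b"POST"
    offset: int = 0               # first payload byte to examine
    depth: Optional[int] = None   # byte at which to stop (None = whole payload)
    min_size: int = 0             # smallest payload length to consider
    max_size: Optional[int] = None

    @property
    def pattern(self) -> bytes:
        return bytes.fromhex(self.pattern_hex)

    def matches(self, payload: bytes) -> bool:
        n = len(payload)
        if n < self.min_size or (self.max_size is not None and n > self.max_size):
            return False
        window = payload[self.offset:self.depth]   # Offset/Depth restrict the search
        return self.pattern in window


# The object from step 5: POST is the first four bytes (504f5354) of the TCP
# payload, so the window is bytes 0-4 only.
HTTP_POST = CustomObject("HTTP POST method", "504f5354", offset=0, depth=4, min_size=4)


def post_policy_action(payload: bytes, obj: CustomObject = HTTP_POST) -> str:
    """Return the action a Reset/Drop policy bound to `obj` would take."""
    return "Reset/Drop" if obj.matches(payload) else "allow"


# Constructed samples: what the Post.htm form submission and an ordinary page
# load put at the start of the TCP payload.
POST_REQ = (b"POST / HTTP/1.1\r\nHost: www.yahoo.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 13\r\n\r\nFullName=Paul")
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n"
# A GET whose URI merely contains "POST": the Offset/Depth window keeps it
# from matching, whereas a whole-payload search would drop it.
GET_WITH_POST_IN_URI = b"GET /POST-office.html HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n"

if __name__ == "__main__":
    for req in (POST_REQ, GET_REQ, GET_WITH_POST_IN_URI):
        print(req.split(b"\r\n")[0].decode(), "->", post_policy_action(req))
```

The third sample is the reason to set Depth rather than searching the whole payload: without it, any request that happens to carry the bytes "POST" in a URI or header would be reset as well.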


Testing
To test, open the Post.htm document you created earlier, type in your name and click 'Submit'. The
connection should drop this time and you should see an alert in the log similar to the one below.

Block Web Browsers/Applications
To block the usage of all non-sanctioned web browsers/applications on the network, perform the following
steps:

1. Navigate to ‘Application Firewall > Application Objects’ and click ‘Add New Object’. Create an
object like the one shown below. Notice the use of ‘Enable Negative Matching’ in this case which
allows us to explicitly specify the allowed User Agent(s) (e.g. Internet Explorer – all versions in this
case) while implicitly denying all others.

2. Navigate to ‘Application Firewall > Actions’ and click ‘Add New Action’. Create an action like the
one shown below:


3. Navigate to ‘Application Firewall > Policies’ and click ‘Add New Policy’. Create a policy like the
one shown below:


Testing
To test this policy, attempt to access a website using any browser other than Internet Explorer.

Note: If you do not have another browser type available, uncheck the 'Enable Negative Matching'
option in step 1 and try again with Internet Explorer; the policy should now drop Internet Explorer instead.
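
The 'Enable Negative Matching' behaviour from step 1 and the Note above, as an added Python model that is not SonicWALL code: the object lists the allowed User-Agent substring ("MSIE", the token Internet Explorer sends), negative matching inverts the match, and the HTTP requests are constructed samples.

```python
# Added example (not SonicWALL code): an HTTP User Agent object with
# 'Enable Negative Matching', bound to a Reset/Drop policy.

def user_agent_of(request: bytes) -> str:
    """Pull the User-Agent header value out of a raw HTTP client request.
    Returns '' when the header is absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return ""


def user_agent_object_matches(request: bytes, patterns, negative_matching: bool) -> bool:
    """Negative matching off: the object matches when any pattern appears in
    the User-Agent. Negative matching on: the object matches when NONE of the
    patterns appear, i.e. every browser other than the listed ones."""
    ua = user_agent_of(request)
    positive = any(p in ua for p in patterns)
    return (not positive) if negative_matching else positive


def user_agent_policy_action(request: bytes, patterns=("MSIE",),
                             negative_matching: bool = True) -> str:
    """Reset/Drop when the object matches, otherwise allow the request."""
    if user_agent_object_matches(request, patterns, negative_matching):
        return "Reset/Drop"
    return "allow"


# Constructed sample requests.
IE_REQ = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n")
FIREFOX_REQ = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070725 Firefox/2.0.0.6\r\n\r\n")
# No User-Agent at all: in this model negative matching treats it as
# "not one of the allowed browsers" and drops it too.
NO_UA_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("IE", IE_REQ), ("Firefox", FIREFOX_REQ), ("no UA", NO_UA_REQ)):
        print(label, "negative on ->", user_agent_policy_action(req),
              "| negative off ->", user_agent_policy_action(req, negative_matching=False))
```

Because the match is a substring test on a client-supplied header, it enforces policy against honest browsers rather than authenticating them; the log alerts from the policy are what tell you which user agents are actually in use on the network.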

AF Objects, Applicable Policy Types and Usage Example Table
For each Application Object the table gives a description, the policy type(s) in which it is valid, and a usage example.

1. ActiveX ClassID
   Description: An application object that allows the enumeration of the Class ID of an ActiveX component.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Good for preventing some online games, music sites and other applications based on ActiveX controls (e.g. Flash & Shockwave).

2. Custom Object
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any part of the TCP or UDP payload.
   Valid Policy Type(s): Custom Policy; FTP Client (Request); HTTP Client (Request); HTTP Server (Response); POP3 Client (Request); POP3 Server (Response); SMTP Client (Request)
   Usage Example: Prevent a file which contains a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network. Detect applications, file downloads and other Internet activities using the corresponding MIME types and apply bandwidth limits to them.

3. Email Body
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message body.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails which contain certain keywords in the body.

4. Email CC
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message 'CC:' field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails destined to specific users and/or domains indicated in the "CC:" field.

5. Email From
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message 'From:' field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails from specific users and/or domains indicated in the "From:" field.

6. Email Size
   Description: An application object that allows the maximum email size that can be sent to be specified.
   Valid Policy Type(s): SMTP Client (Request)
   Usage Example: Block email with attachments that exceed a specified size.

7. Email Subject
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message 'Subject:' field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails which contain certain keywords in the "Subject:" field.

8. Email To
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message 'To:' field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails destined to specific users and/or domains indicated in the "To:" field.

9. MIME Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in an SMTP or POP3 message custom MIME header.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails which contain specified custom MIME field(s).

10. File Content
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match the contents of a file being transferred via FTP or SMTP. The pattern will be matched even if the file is compressed.
   Valid Policy Type(s): FTP Data Transfer Policy; SMTP Client (Request)
   Usage Example: Block FTP or SMTP transfers of a confidential file.

11. File Extension
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file extensions. For POP3 or SMTP, extensions of attachments will be matched. For HTTP, extensions of uploaded attachments (Web mail) will be matched. For FTP, extensions of uploaded or downloaded files will be matched.
   Valid Policy Type(s): FTP Client File Download (Request); FTP Client File Upload (Request); HTTP Client (Request); POP3 Server (Response); SMTP Client (Request)
   Usage Example: Prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc.) from being uploaded or downloaded.

12. File Name
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file names. For POP3 or SMTP, attachment file names will be matched. For HTTP, file names of uploaded attachments (Web mail) will be matched. For FTP, file names of uploaded or downloaded files will be matched.
   Valid Policy Type(s): FTP Client File Download (Request); FTP Client File Upload (Request); HTTP Client (Request); POP3 Server (Response); SMTP Client (Request)
   Usage Example: Prevent files with specified names from being uploaded or downloaded.

13. FTP Command
   Description: An application object that allows enumeration of FTP commands.
   Valid Policy Type(s): FTP Client (Request)
   Usage Example: Enhance the security of public facing FTP servers by disallowing all unnecessary commands.

14. FTP Command + Value
   Description: An application object that allows enumeration of FTP commands with an additional alphanumeric or hexadecimal string(s) that represents a specific parameter (e.g. DELETE word.doc).
   Valid Policy Type(s): FTP Client (Request)
   Usage Example: Allow users read/write access to FTP servers while selectively blocking the deletion or overwriting of specified files and/or folders.

15. HTTP Set Cookie
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by web servers.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Enhance security by blocking specified cookies sent by web servers.

16. HTTP Host
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames contained within the URI of an HTTP request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Yet another way to block access to websites.

17. HTTP Referer
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames of referring servers contained in HTTP requests.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block access to sites based upon the FQDN of the host that referred to them.

18. HTTP Request Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP client (browser) requests.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Enhance security by controlling browser requests which include custom headers.

19. HTTP Response Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP (web) server responses.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Enhance security by controlling data received from web servers in custom HTTP headers.

20. HTTP Cookie
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by browsers.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Enhance security by preventing certain cookies from being sent by the browser.

21. HTTP URI Content
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content found inside the URI of an HTTP request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Prevent HTTP downloads of forbidden file types. Prevent access to a variety of web content based on information in the URI.

22. HTTP User Agent
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content inside the User-Agent header (e.g. MSIE).
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block the usage of all non-sanctioned web applications on the network.

23. Web Browser
   Description: An application object that allows enumeration of the various textual strings that can be used to match the name various browsers use to identify themselves. This information is contained in the User-Agent header of an HTTP GET request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block the usage of all non-sanctioned web browsers on the network.


AF Actions & Applicable Policy Types
Each action is followed by the policy type(s) it can be used in.

Bandwidth Management: Custom; FTP Client Upload/Download; HTTP Client; HTTP Server
Block SMTP E-Mail - Send Error Reply: SMTP Client
Block SMTP E-Mail Without Reply: SMTP Client
Bypass DPI: Custom; FTP Client; FTP Client Upload/Download; FTP Data Transfer; HTTP Client; HTTP Server; POP3 Client; POP3 Server; SMTP Client
Disable Email Attachment - Add Text: SMTP Client
Email - Add Text: SMTP Client
FTP Notification Reply: FTP Client; FTP Client Upload/Download
HTTP Block Page: HTTP Client
HTTP Redirect: HTTP Client
No Action: Custom; FTP Client; FTP Client Upload/Download; FTP Data Transfer; HTTP Client; HTTP Server; POP3 Client; POP3 Server; SMTP Client
Reset/Drop: Custom; FTP Client; FTP Client Upload/Download; FTP Data Transfer; HTTP Server; HTTP Client; POP3 Client; POP3 Server; SMTP Client

Document Edited: 11/21/07
