Application Patrol
 
Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers). You can also configure bandwidth management with application patrol in the Configuration > BWM screen for traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
If you want to use a service, make sure both the Security Policy and application patrol allow the service’s packets to go through the Zyxel Device.
Note: The Zyxel Device checks security policies before it checks application patrol rules for traffic going through the Zyxel Device.
Application patrol examines every TCP and UDP connection passing through the Zyxel Device and identifies what application is using the connection. Then, you can specify whether or not the Zyxel Device continues to route the connection. Traffic not recognized by the application patrol signatures is ignored.
Application Profiles & Policies
An application patrol profile is a group of categories of application patrol signatures. For each profile, you can specify the default action the Zyxel Device takes once a packet matches a signature (forward, drop, or reject a service’s connections and/or create a log alert).
Use policies to link profiles to traffic flows based on criteria such as source zone, destination zone, source address, destination address, schedule, and user.
Classification of Applications
There are two ways the Zyxel Device can identify the application. The first is called auto. The Zyxel Device looks at the IP payload (OSI level-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the Zyxel Device examines several packets to make sure the match is correct. Before confirmation, packets are forwarded by App Patrol with no action taken. The number of packets inspected before confirmation varies by signature.
Note: The Zyxel Device allows the first eight packets to go through the security policy, regardless of the application patrol policy for the application. The Zyxel Device examines these first eight packets to identify the application.
The second approach is called service ports. The Zyxel Device uses only OSI level-4 information, such as ports, to identify what application is using the connection. This approach is available in case the Zyxel Device identifies a lot of “false positives” for a particular application.
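The evaluation order described above (security policy first, then application patrol, with the first eight packets forwarded while auto classification identifies the application) can be traced with a small model. This is an added illustration, not Zyxel code: the function names, the sample profile and the sample connections are constructed, and it assumes an application absent from the profile is treated like unrecognized traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

GRACE_PACKETS = 8  # per the note above: the first eight packets pass during identification
ACTIONS = {"forward", "drop", "reject"}


@dataclass
class Connection:
    security_policy_allows: bool  # the security policy is checked before application patrol
    app: Optional[str]            # application matched by a signature; None if unrecognized
    packets: int                  # number of packets the connection tries to send


def packet_verdicts(conn: Connection, profile: Dict[str, str]) -> List[str]:
    """Per-packet outcome for one connection under an application patrol profile.

    profile maps an application name to its action (forward, drop or reject).
    """
    if not conn.security_policy_allows:
        # Denied by the security policy: application patrol never sees the traffic.
        return ["denied-by-security-policy"] * conn.packets
    # Unrecognized traffic is ignored by application patrol. Assumption of this
    # model: an application that is not in the profile is handled the same way.
    action = profile.get(conn.app, "forward") if conn.app else "forward"
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    # The profile action only takes effect after the identification window.
    return ["forward" if n <= GRACE_PACKETS else action
            for n in range(1, conn.packets + 1)]


def enforcement_report(conn: Connection, profile: Dict[str, str]) -> Dict[str, int]:
    """Count how many packets were forwarded and how many were not."""
    verdicts = packet_verdicts(conn, profile)
    forwarded = verdicts.count("forward")
    return {"forwarded": forwarded, "blocked": len(verdicts) - forwarded}


# Constructed sample data, not taken from a real device.
SAMPLE_PROFILE = {"bittorrent": "drop", "ftp": "reject", "sip": "forward"}
SAMPLE_CONNECTIONS = {
    "p2p, allowed by security policy": Connection(True, "bittorrent", 12),
    "unrecognized application": Connection(True, None, 20),
    "p2p, denied by security policy": Connection(False, "bittorrent", 12),
}

if __name__ == "__main__":
    for label, conn in SAMPLE_CONNECTIONS.items():
        print(label, enforcement_report(conn, SAMPLE_PROFILE))
```

In this model a drop or reject action in the profile starts at the ninth packet, while a security policy that denies the traffic stops it from the first packet, so traffic that must never pass belongs in the security policy.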
Custom Ports for SIP and the SIP ALG
Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG to use the same port numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic.
You must configure services in Objects > Application.
Application Patrol Profile
Use the application patrol Profile screens to customize action and log settings for a group of application patrol signatures. You then link a profile to a policy. Use this screen to create an application patrol profile and view signature information. It also lists the registration status and details about the signature set the Zyxel Device is using.
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it.
A profile is one or more application objects or application groups with customized action and log settings.
 
Configuration > UTM Profile > App Patrol > Profile
Label
Description
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
Select an entry and click Remove to delete the selected entry.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Name
This displays the name of the profile created.
Description
This displays the description of the App Patrol Profile.
Scan Option
This field displays the scan options from the App Patrol profile.
Reference
This displays the number of times an object reference is used in a profile.
Service
You need to create an account at myZyxel, register your Zyxel Device and then subscribe for App Patrol in order to be able to download new packet inspection signatures from myZyxel. There’s an initial free trial period for App Patrol after which you must pay to subscribe to the service. See the Registration chapter for details.
Service Status
This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.
Service Type
This field shows Trial, Standard or None depending on whether you subscribed to the App Patrol trial, bought an iCard for App Patrol service or neither.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the App Patrol signature set version number. This number gets larger as the set is enhanced.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Application Patrol Profile Add/Edit
Use this screen to configure profile settings.
 
Configuration > UTM Profile > App Patrol > Profile > Add/Edit 
Label
Description
General Settings
 
Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Profile Management
 
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Remove
Select an entry and click Remove to delete the selected entry.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Application
This field displays the application name of the policy.
Action
Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.
OK
A profile consists of separate category editing screens. If you want to configure just one category for a profile, click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Application Patrol Profile Rule Add Application
 
Configuration > UTM Profile > App Patrol > Profile > Profile Management > Add/Edit  
Label
Description
General Settings
 
Application
Select an application to apply the policy.
Action
Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.
OK
Click OK to save your settings to the Zyxel Device.
Cancel
Click Cancel to return to the profile summary page without saving any changes.