Application Patrol
Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers).
If you want to use a service, make sure both the Security Policy and application patrol allow the service’s packets to go through the Zyxel Device.
Note: The Zyxel Device checks security policies before it checks application patrol rules for traffic going through the Zyxel Device.
Application patrol examines every TCP and UDP connection passing through the Zyxel Device and identifies what application is using the connection. Then, you can specify whether or not the Zyxel Device continues to route the connection. Traffic not recognized by the application patrol signatures is ignored.
Application Profiles & Policies
An application patrol profile is a group of categories of application patrol signatures. For each profile, you can specify the default action the Zyxel Device takes once a packet matches a signature (forward, drop, or reject a service’s connections and/or create a log alert).
Use policies to link profiles to traffic flows based on criteria such as source zone, destination zone, source address, destination address, schedule, user.
Classification of Applications
There are two ways the Zyxel Device can identify the application. The first is called auto. The Zyxel Device looks at the IP payload (OSI level-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the Zyxel Device examines several packets to make sure the match is correct. Before confirmation, packets are forwarded by App Patrol with no action taken. The number of packets inspected before confirmation varies by signature.
Note: The Zyxel Device allows the first eight packets to go through the security policy, regardless of the application patrol policy for the application. The Zyxel Device examines these first eight packets to identify the application.
The second approach is called service ports. The Zyxel Device uses only OSI level-4 information, such as ports, to identify what application is using the connection. This approach is available in case the Zyxel Device identifies a lot of “false positives” for a particular application.
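The ordering and classification rules described above (security policy first, then application patrol; the first eight packets pass while the signature is being identified; unrecognized traffic is ignored) as a small Python model. This is an added illustration, not Zyxel code; the zones, ports, signature patterns and profile entries are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

PREINSPECT_PACKETS = 8  # the first eight packets pass regardless of the app patrol policy

# Constructed L7 patterns and L4 port map; the real signature set is vendor-supplied.
L7_SIGNATURES = {b"BitTorrent protocol": "bittorrent", b"SIP/2.0": "sip"}
SERVICE_PORTS = {5060: "sip", 6881: "bittorrent"}

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    packets_seen: int = 0
    app: Optional[str] = None  # None until the signature is confirmed

def security_policy(flow):
    """Constructed security policy: only LAN -> WAN traffic is allowed."""
    return "allow" if (flow.src_zone, flow.dst_zone) == ("LAN", "WAN") else "deny"

def identify(flow, payload, mode):
    """'auto' inspects the payload (OSI level 7); 'service ports' uses only the L4 port."""
    if mode == "service ports":
        return SERVICE_PORTS.get(flow.dst_port)
    return next((app for pat, app in L7_SIGNATURES.items() if pat in payload), None)

def handle_packet(flow, payload, profile, mode="auto"):
    """Return (verdict, log) for one packet. profile maps app -> (action, log setting)."""
    if security_policy(flow) != "allow":
        return "deny", "security-policy deny"  # security policy is checked first
    flow.packets_seen += 1
    if flow.app is None:
        flow.app = identify(flow, payload, mode)
    # Early packets pass with no action; traffic not matched by any signature is ignored.
    if flow.packets_seen <= PREINSPECT_PACKETS or flow.app not in profile:
        return "forward", None
    action, log_setting = profile[flow.app]
    log = None if log_setting == "no" else f"{log_setting}: {flow.app} {action}"
    return action, log

def run_flow(flow, payloads, profile, mode="auto"):
    """Feed a list of packet payloads through one flow and return the verdict per packet."""
    return [handle_packet(flow, p, profile, mode)[0] for p in payloads]
```

Note that a blocked application's first eight packets still show up as forwarded, so drop logs for a flow begin only after confirmation.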
Custom Ports for SIP and the SIP ALG
Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG to use the same port numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic.
Application Patrol Profile
Use the application patrol screens to customize action and log settings for a group of application patrol signatures. You then link a profile to a policy. Use this screen to create an application patrol profile, and view signature information. It also lists the registration status and details about the signature set the Zyxel Device is using.
Note: You must register for the AppPatrol signature service (at least the trial) before you can use it.
A profile is an application object(s) or application group(s) that has customized action and log settings.
Click the Application Patrol icon for more information on the Zyxel Device’s security features.
Configuration > Security Service > App Patrol
Label
Description
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
Select an entry and click Remove to delete the selected entry.
References
Select an entry and click References to open a screen that shows which settings use the entry.
Refresh
Click Refresh to update information on this screen.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Name
This displays the name of the profile created.
Description
This displays the description of the App Patrol Profile.
Scan Option
This field displays the scan options from the App Patrol profile.
Reference
This displays the number of times an object reference is used in a profile.
Action
Click this icon to apply the entry to a security policy.
Go to the Configuration > Security Policy > Policy Control screen to check the result.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the App Patrol signature set version number. This number gets larger as the set is enhanced.
Signature Number
This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Profile Action: Apply to a Security Policy
Click the icon in the Action field of an existing application patrol profile to apply the profile to a security policy.
Go to the Configuration > Security Policy > Policy Control screen to check the result.
The following table describes the labels in this screen.
Configuration > Security Service > App Patrol > Action
Label
Description
Show Filter/Hide Filter
Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters.
IPv4 / IPv6 Configuration
Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule.
From / To
Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones.
IPv4 / IPv6 Source
Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source address object used.
An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
IPv4 / IPv6 Destination
Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination address object used.
An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
Service
View all security policies based on the service object used.
User
View all security policies based on the user or user group object used.
Schedule
View all security policies based on the schedule object used.
Priority
This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Name
This is the name of the Security policy.
From / To
This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
From any displays all the Security Policies for traffic going to the selected To Zone.
To any displays all the Security Policies for traffic coming from the selected From Zone.
From any to any displays all of the Security Policies.
To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device.
IPv4 / IPv6 Source
This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.
IPv4 / IPv6 Destination
This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.
Service
This displays the service object to which this Security Policy applies.
User
This is the user name or user group name to which this Security Policy applies.
Schedule
This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled.
Action
This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject).
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.
Profile
This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
Application Patrol Profile > Add/Edit - My Application
Use this screen to configure profile settings.
The following table describes the labels in this screen.
Configuration > Security Service > App Patrol > Add/Edit 
Label
Description
General Settings
Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Total Category(s)
This field displays the total number of the selected category(ies) in the Query Result screen.
Total Application(s)
This field displays the total number of the selected applications in the Query Result screen.
Remove
Select an entry and click Remove to delete the selected entry.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.
Action
Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Application
This field displays the application name of the policy.
Category
This field displays the category type of the application.
Tag
This field displays the tag information of the application.
Action
Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.
Save & Exit
A profile consists of separate category editing screens. If you want to configure just one category for a profile, click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
If you want to configure more than one category for a profile, click Save to save your settings to the Zyxel Device without leaving this page.
Application Patrol Profile > Add/Edit - Query Result
Click Query Result to search for certain applications within a specific category; the selected applications will be added to the My Application screen. The following table describes the labels in this screen.
Configuration > Security Service > App Patrol > Add/Edit Query Result
Label
Description
General Settings
Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Search Application(s) By Name
Enter a name to search for relevant applications.
Search Application(s) By Category
Select a category(ies) below to search for relevant applications.
Filter by Tags
Add or remove tags to show or hide the applications that carry them.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Application
This field displays the application name of the policy.
Category
This field displays the category type of the application.
Tag
This field displays the tag information of the policy.
Action
Select the default action for all signatures in this category.
forward - the Zyxel Device routes packets that match these signatures.
drop - the Zyxel Device silently drops packets that match these signatures without notification.
reject - the Zyxel Device drops packets that match these signatures and sends notification.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.
Add to My Application
Select an application(s) to show in the My Application profile screen.
Reset
Click this button to reset the fields to default settings.
Cancel
Click Cancel to return to the profile summary page without saving any changes.