Thursday, June 13, 2013

SonicWall - How to Block Farmville in Facebook From a Specific User Using the Application Firewall

Introduction
At times, administrators may want to block specific games in Facebook, like Farmville, from being used by a specific user.
Prerequisites
  • SonicOS 5.8.0.2 or greater
  • Licensing for Application Firewall
  • Licensing for DPI-SSL
  • One of the following SonicWALL Security Appliance Platforms:
    • TZ 215
    • NSA 220
    • NSA 240
    • NSA 250M
    • NSA 2400
    • NSA 3500
    • NSA 3600
    • NSA 4500
    • NSA 4600
    • NSA E5500
    • NSA 5600
    • NSA E6500
    • NSA 6600
    • NSA E7500
    • NSA E8500
    • NSA E8510
Components Used
The information in this document is based on the SonicOS 5.8.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.



Configure the Firewall
In this section, you are presented with the information to configure the Firewall to block specific games in Facebook, like Farmville, from being used by a specific user named Al Dente.
The first two steps are to enable Application Rules on a global level and on a local zone level.  Enabling Application Rules globally turns it on for the whole firewall, but Application Rules will not work for a user until it is turned on locally on the network zone that the user’s computer is connected to.
The next step is to enable DPI-SSL.  This enables the firewall to do Deep Packet Inspection of Secure Socket Layer traffic.  SonicWall does this by becoming a “Man-in-the-middle” by capturing the incoming SSL traffic, decrypting that traffic, scanning that traffic, re-encrypting the traffic with its own certificate, and then sending the traffic downstream.  Facebook and Farmville run over SSL and therefore require DPI-SSL in order to scan and block that traffic.
Application Rules can be applied to users, groups, or globally.  In this example, we chose to apply this policy only to an individual named Al Dente.  SonicWall can look up users and groups in both the local user database and Microsoft Active Directory.  Al Dente is a user that exists in Windows Active Directory.
SonicWall groups all of its Application Signatures into groups of Applications.  Applications are then grouped into Categories.  
Farmville App Signatures are grouped into the “Farmville” Application group.  The Farmville Application group is included in the “Gaming” Category.  
There are 4 Application signatures that apply to the Farmville Application.  You must add all 4 signatures to this Match Object so that the firewall knows what to look for.  
Farmville has 4 Application signatures:
  • Facebook App – ID 3969
  • Facebook App 2 – ID 5912
  • Facebook App 3 – ID 7036
  • Facebook App HTTPS – ID 7213
For other Application Signatures that are on the SonicWall firewall, you can look up which Category group and Application group an Application Signature is in by using the search engine on the following page:  https://software.sonicwall.com/applications/app/index.asp?ev=cat

Configuration Stages
There are five stages to this configuration process:
  1. Stage I – Enable App Rules Global Setting on the Firewall
  2. Stage II – Enable App Rules Local Setting on the LAN Zone
  3. Stage III – Enable DPI-SSL for the Application Firewall
  4. Stage IV – Create Match Object
  5. Stage V – Create App Rule to Block User Al Dente from Using Farmville
Other items included in this article:
  1. How to Test
  2. How to Troubleshoot
  3. Related Resources






Stage I - Enable App Rules Global Setting on the Firewall
Complete these steps in the GUI in order to enable the App Rules Global setting on the firewall.  Enabling Application Control globally turns it on for the whole firewall.
  1. Navigate to Firewall > App Rules.
  2. Check the box next to Enable App Rules to enable App Rules globally.




Stage II - Enable App Rules Local Setting on the LAN Zone
After it is turned on globally, Application Rules will not work for a user until it is turned on locally on the network zone that the user’s computer is connected to.  Complete these steps in the GUI in order to enable the App Control local setting on the LAN zone of the firewall.
  1. Navigate to Network > Zones.
  2. In the LAN zone, click on the Configure button.
  3. Check the box next to Enable App Control Service.
  4. Click the OK button.
  5. Confirm that App Control is enabled on the LAN zone by viewing the green check mark under the App Control column in the LAN row.




Stage III - Enable DPI-SSL for the Application Firewall
The next step is to enable DPI-SSL.  This enables the firewall to do Deep Packet Inspection of Secure Socket Layer traffic.  SonicWall does this by becoming a “Man-in-the-middle” by capturing the incoming SSL traffic, decrypting that traffic, scanning that traffic, re-encrypting the traffic with its own certificate, and then sending the traffic downstream.  Facebook and Farmville run over SSL and therefore require DPI-SSL in order to scan and block that traffic.
Complete these steps in the GUI in order to enable DPI-SSL for the Application Firewall.
  1. Navigate to DPI-SSL > Client SSL.
  2. Check the box next to Enable SSL Client Inspection, then check the box next to Application Firewall.
  3. Click the Accept button to apply these changes to the firewall.  This might require a reboot of the firewall.






Stage IV - Create Match Object
Complete these steps in the GUI in order to create the Match Object.  The Match Object is the application firewall signature that the application firewall is looking to match against.
  1. Navigate to Firewall > Match Objects.
  2. Click on the Add New Match Object button.
  3. On the Match Object Settings page, select the following:
    • Object Name: Block Farmville Object (type this in)
    • Match Object Type: Application Signature List
    • Application Category: GAMING (48)
    • Application: GAMING Farmville (1349)

Note:  SonicWall groups all of its Application Signatures into groups of Applications.  Applications are then grouped into Categories.
Farmville App Signatures are grouped into the “Farmville” Application group.  The Farmville Application group is included in the “Gaming” Category.
For other Application Signatures that are on the SonicWall firewall, you can look up which Category group and Application group an Application Signature is in by using the search engine on the following page:  https://software.sonicwall.com/applications/app/index.asp?ev=cat

  4. There are 4 Application signatures that apply to the Farmville Application.  You must add all 4 signatures to this Match Object so that the firewall knows what to look for.  Choose the following Application Signatures and add them to the List:
    • GAMING Farmville – Facebook App (3969)
    • GAMING Farmville – Facebook App 2 (5912)
    • GAMING Farmville – Facebook App 3 (7036)
    • GAMING Farmville – Facebook App HTTPS (7213)
  5. Click the OK button.
  6. Verify that your match object was created correctly by moving the cursor over the “info” button.





Stage V - Create App Rule to Block User Al Dente from Using Farmville
Complete these steps in the GUI in order to create the App Rule Policy.  The App Rule Policy is a policy that uses a Match Object and ties it to an Action Object.
  1. Navigate to Firewall > App Rules.
  2. Click on the Add New Policy button.
  3. In App Control Policy Settings, select the following:
    • Policy Name: Block Farmville Policy (type this in)
    • Policy Type: App Control Content
    • Address: Any
    • Match Object: Block Farmville Object
    • Action Object: Reset/Drop
    • Users/Group: al_dente

Note:  App Control Policy Settings field selection definitions:
  • Policy Name – the name that you provide for the policy
  • Policy Type – the type of policy
  • Address – IP address or group of IP addresses that this policy applies to
  • Match Object – what the firewall is looking for
  • Action Object – action that the firewall will take once it finds the match object
  • Users/Group – user or group that this App Rule applies to

  4. Click the OK button.
  5. Confirm that the policy is created correctly on the App Rules main page.




How to Test
Complete these steps in order to test the Application Firewall configuration.
  1. Log into the network as the user Al Dente.
  2. Log in to www.facebook.com.
  3. Click on the Farmville game.
  4. The connection will be dropped and you will get the following page.
  5. Log into the SonicWall firewall and navigate to Log > View.  You will see the following Alert messages on the SonicWall firewall log.

 





How to Troubleshoot
Check the following items in order to troubleshoot this configuration:

Symptom: No Application Firewall Licensing.
Resolution: Purchase an Application Firewall License from your Dell SonicWall rep.

Symptom: The Block Farmville Application Rule is in place and Application Rules is enabled globally, but Farmville is not being blocked.
Resolution: Enable Application Control on the local network zone.

Symptom: The Block Farmville Application Rule is in place and Application Control is enabled locally on the LAN Zone, but Farmville is not being blocked.
Resolution: Enable Application Rules globally.

Symptom: When opening a web browser, you keep getting certificate errors.
Resolution: This is due to how DPI-SSL works.  Because it re-encrypts the traffic with its own certificate, and that certificate is not a publicly accepted certificate, your web browser will not recognize it and will give you the certificate errors.  You can prevent this by installing the SonicWall firewall’s certificate in your web browser as a “Trusted” certificate.  This will resolve the issue.
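The troubleshooting table above comes down to a dependency chain: the policy only fires when the license, the global setting, the zone setting, DPI-SSL, the complete Match Object and the user binding are all in place. The following Python is an added example (not code from the article or from SonicWall) that models that chain for a single flow and reports which stage is missing when Farmville is not blocked; the four signature IDs are the ones listed on the page, while the field names, the evaluate() logic and the assumption that SSL flows are opaque without DPI-SSL are illustrative.

```python
from dataclasses import dataclass, field

# Constructed model of the configuration built in Stages I-V of this article.
# The four signature IDs are the Farmville signatures listed on the page;
# everything else (field names, the evaluate() logic) is an assumption for illustration.
FARMVILLE_SIGNATURES = {
    3969: "Facebook App",
    5912: "Facebook App 2",
    7036: "Facebook App 3",
    7213: "Facebook App HTTPS",
}


@dataclass
class FirewallConfig:
    app_firewall_licensed: bool = True                                   # prerequisite
    app_rules_global: bool = True                                        # Stage I
    app_control_zones: set = field(default_factory=lambda: {"LAN"})      # Stage II
    dpi_ssl_app_firewall: bool = True                                    # Stage III
    match_object: set = field(default_factory=lambda: set(FARMVILLE_SIGNATURES))  # Stage IV
    policy_users: set = field(default_factory=lambda: {"al_dente"})      # Stage V
    action: str = "Reset/Drop"                                           # Stage V action object


def evaluate(cfg: FirewallConfig, user: str, zone: str, signature_id: int, over_ssl: bool):
    """Decide what happens to one flow, checking each stage in the order the article
    says the features depend on each other. Returns (action, reason)."""
    if not cfg.app_firewall_licensed:
        return "Allow", "no Application Firewall license"
    if not cfg.app_rules_global:
        return "Allow", "App Rules not enabled globally (Stage I)"
    if zone not in cfg.app_control_zones:
        return "Allow", f"App Control not enabled on zone {zone} (Stage II)"
    # Assumption: SSL traffic is opaque to the signature engine unless DPI-SSL
    # decrypts and re-encrypts it with the firewall's own certificate (Stage III).
    if over_ssl and not cfg.dpi_ssl_app_firewall:
        return "Allow", "SSL traffic not inspected: DPI-SSL Application Firewall off (Stage III)"
    if signature_id not in cfg.match_object:
        return "Allow", f"signature {signature_id} missing from Match Object (Stage IV)"
    if user not in cfg.policy_users:
        return "Allow", f"policy does not apply to user {user} (Stage V)"
    name = FARMVILLE_SIGNATURES.get(signature_id, str(signature_id))
    return cfg.action, f"matched {name}"


if __name__ == "__main__":
    full = FirewallConfig()
    print(evaluate(full, "al_dente", "LAN", 7213, True))       # ('Reset/Drop', 'matched Facebook App HTTPS')
    partial = FirewallConfig(match_object={3969, 5912, 7036})  # one of the four signatures left out
    print(evaluate(partial, "al_dente", "LAN", 7213, True))    # allowed: Stage IV incomplete
```

The partial Match Object case shows why the article insists on adding all four signatures: the HTTPS flow is simply not matched, so nothing is logged or dropped.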









Related Resources
SonicWall OS 5.8.1 Administrator’s Guide
UTM: Using Application Firewall to Bandwidth Limit Bittorrent https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4426
UTM: Using SonicOS 5.8 and App Rules for Granular Control of Access to Facebook https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8934
For other Application Signatures that are on the SonicWall firewall, you can look up which Category group and Application group an Application Signature is in by using the search engine on the following page:  https://software.sonicwall.com/applications/app/index.asp?ev=cat
UTM: Integrating LDAP/Active Directory with Sonicwall UTM Appliance https://www.fuzeqna.com/sonicwallkb/ext/kb7806-utm-integrating-ldapactive-directory-with-sonicwall-utm-appliance?mode=searchresults






Last Updated on 5/23/2013
