Use case of application control

Hi,

I must allow Webex on my Firebox(M570). (And probably other applications using different ports in the future)

For Webex, i have to open ports 5004 UDP/TCP and 9000 UDP.

I don't like to open ports. Each conference tool has custom ports and if i allow them all, i have a lot of open ports, which i think is not safe : some trojan/virus could use it to connect to the outside.

For the specific case Webex, i had the idea to create the following rule :

  • Webex
  • Port 5004 tcp, port 5004 udp, port 9000 udp (http rules are already covered by previous rules)
  • From : any-trusted
  • To : any-external : to be sure i don't miss an ip or fqdn
  • Application Control :

Allow only Webex, drop the others, and drop if traffic isn't matching any application.

Is it a good idea ?

Cheers

Comments

  • Since we have no knowledge of what App Control uses to identify any specific app, it is hard to know it this will work as desired or not.

  • The Webex documentation does specify particular IP ranges if you want to further limit your firewall policy (https://help.webex.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services).

    In any event you'll need more than just those two ports open outbound.

    Assuming it is a whitelist type setup where only specific destinations/apps are permitted access outbound, there is only so much you can do with application control but you could give it a try (noting you'd need to have more than those two ports in said policy).

  • Thank you guys for your input !

    I hope some Watchguard representative could explain us more deeply App Control.

    There are gaps in the WatchGuard documentation. It's the same for the IPS, we don't really know how it works.

    For the IP ranges, it's more wildcards FQDN. But with CDN, ip ranges are rare now. I had my issues with FQDN.

    The doc is not 100% clear or updated. I have 3 DNS, the doc says it sniffs only the first DNS server. But the 12.9 changelog says "The Firebox now uses secondary DNS resolvers when it resolves host names specified in FQDN policy objects. [FBX-22056]", but i don't know if i applies to wildcards and doesn't seem to work consistently.

    Thanks again, i will give a shot to app control to see if it works as expected :-)

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @EricP
    Application control doesn't use DNS at all.

    Application control can be applied to policies and uses signature based definitions to match against known traffic.

    FQDNs can be used in policies, and the firewall will attempt to snoop the DNS servers via DNS traffic that traverses the firewall. (This works best for distributed CDNs and similar that report many IPs.) The firewall also attempts to use various forward and reverse lookups, but this is less accurate as the result is often different.

    If you're having trouble getting an FQDN policy to match, the best thing most customers can do is to ensure that the DNS traffic is traversing the firewall (from one interface to another) vice to a local server or similar.

    If you're running into an issue, I'd suggest opening a support case.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.