
Chapter 27 Application Patrol

ZyWALL USG 100/200 Series User’s Guide


27.1.2 What You Need to Know About Application Patrol

"

The ZyWALL checks firewall rules before it checks application patrol rules for
traffic going through the ZyWALL.

If you want to use a service, make sure both the firewall and application patrol allow the
service’s packets to go through the ZyWALL.

Application patrol examines every TCP and UDP connection passing through the ZyWALL
and identifies what application is using the connection. Then, you can specify, by application,
whether or not the ZyWALL continues to route the connection.

Configurable Application Policies

The ZyWALL has policies for individual applications. For each policy, you can specify the
default action the ZyWALL takes once it identifies one of the service’s connections.

You can also specify custom policies that have the ZyWALL forward, drop, or reject a
service’s connections based on criteria that you specify (like the source zone, destination zone,
original destination port of the connection, schedule, user, source, and destination
information). Your custom policies take priority over the policy’s default settings.

Classification of Applications

There are two ways the ZyWALL can identify the application. The first is called auto. The
ZyWALL looks at the IP payload (OSI layer 7) and attempts to match it against known patterns
for specific applications. Usually this happens at the beginning of a connection, where the
payload is most consistent from one connection to the next, and the ZyWALL examines several
packets to make sure the match is correct.

"

The ZyWALL allows the first eight packets to go through the firewall,
regardless of the application patrol policy for the application. The ZyWALL
examines these first eight packets to identify the application.

The second approach is called service ports. Here the ZyWALL uses only OSI layer 4
information, such as port numbers, to identify which application is using the connection.
This approach is provided for cases where auto identification produces many false positives
for a particular application.
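The following Python model is an added example, not ZyXEL's code, that ties the preceding sections together: the firewall is consulted before application patrol, a connection is identified either by matching early payload against layer 7 patterns (auto) or by a layer 4 port table (service ports), and a matching custom policy is applied before the application's default action. The signatures, port table, zone names, sample packets and the assumption that the eight-packet grace period applies only to auto identification are constructed for illustration; only the eight-packet figure itself comes from the guide.

```python
"""Toy model of ZyWALL-style application patrol (constructed example, not ZyXEL code):
firewall check first, then L7 "auto" or L4 "service ports" identification, then
custom policies before the application's default action."""
from dataclasses import dataclass
from typing import Optional

IDENTIFY_PACKETS = 8  # from the guide: the first eight packets pass while the app is identified

# Constructed L7 signatures: byte prefixes seen at the start of a connection.
L7_SIGNATURES = {
    "http": [b"GET ", b"POST ", b"HEAD "],
    "ssh": [b"SSH-2.0-"],
    "bittorrent": [b"\x13BitTorrent protocol"],
}
# Constructed L4 table for "service ports" mode: (protocol, destination port) -> app.
SERVICE_PORTS = {("tcp", 80): "http", ("tcp", 22): "ssh", ("tcp", 6881): "bittorrent"}
# Constructed firewall: zone pairs that are allowed to pass at all.
FIREWALL_ALLOWED = {("LAN1", "WAN"), ("LAN1", "DMZ")}


@dataclass
class Connection:
    proto: str
    src_zone: str
    dst_zone: str
    dst_port: int
    user: str = "anonymous"


@dataclass
class CustomPolicy:
    app: str
    action: str                     # "forward", "drop" or "reject"
    src_zone: Optional[str] = None  # None means "any"
    dst_zone: Optional[str] = None
    dst_port: Optional[int] = None
    user: Optional[str] = None

    def matches(self, conn: Connection) -> bool:
        criteria = ((self.src_zone, conn.src_zone), (self.dst_zone, conn.dst_zone),
                    (self.dst_port, conn.dst_port), (self.user, conn.user))
        return all(want is None or want == have for want, have in criteria)


def firewall_allows(conn: Connection) -> bool:
    return (conn.src_zone, conn.dst_zone) in FIREWALL_ALLOWED


def classify_auto(payloads: list[bytes]) -> Optional[str]:
    """L7 identification: match the payload of the first packets against known patterns."""
    for payload in payloads[:IDENTIFY_PACKETS]:
        for app, sigs in L7_SIGNATURES.items():
            if any(payload.startswith(s) for s in sigs):
                return app
    return None


def classify_service_ports(conn: Connection) -> Optional[str]:
    """L4-only identification: the fallback when L7 matching produces false positives."""
    return SERVICE_PORTS.get((conn.proto, conn.dst_port))


def decide(app: Optional[str], conn: Connection, custom: list, defaults: dict) -> str:
    if app is None:
        return "forward"          # unidentified traffic: no application policy applies
    for pol in custom:            # custom policies take priority over the default action
        if pol.app == app and pol.matches(conn):
            return pol.action
    return defaults.get(app, "forward")


def patrol(conn, payloads, custom, defaults, mode="auto"):
    """Return (app, action, per-packet verdicts) for one connection."""
    if not firewall_allows(conn):
        return None, "drop", ["drop"] * len(payloads)   # firewall rules are checked first
    if mode == "auto":
        app = classify_auto(payloads)
        grace = IDENTIFY_PACKETS   # assumption: grace applies only while identifying by payload
    else:
        app = classify_service_ports(conn)
        grace = 0                  # assumption: the port is known from the first packet
    action = decide(app, conn, custom, defaults)
    verdicts = ["forward" if i < grace else action for i in range(len(payloads))]
    return app, action, verdicts


# Constructed sample: a BitTorrent handshake on a non-standard port, then 11 data packets.
BT_PAYLOADS = [b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40] + [b"\x00\x00\x00\x01\x02"] * 11
BT_CONN = Connection("tcp", "LAN1", "WAN", 51413, user="alice")
CUSTOM = [CustomPolicy("bittorrent", "drop", src_zone="LAN1", dst_zone="WAN")]
DEFAULTS = {"bittorrent": "forward", "http": "forward", "ssh": "forward"}

if __name__ == "__main__":
    print(patrol(BT_CONN, BT_PAYLOADS, CUSTOM, DEFAULTS, mode="auto"))
    print(patrol(BT_CONN, BT_PAYLOADS, CUSTOM, DEFAULTS, mode="service-ports"))
```

Running the sample in auto mode identifies the connection as BitTorrent from its handshake and applies the LAN1-to-WAN custom drop policy, but only from the ninth packet on, which is the behaviour the note above describes. In service ports mode the same connection stays unidentified because port 51413 is not in the table, so the custom policy never applies; that is the trade-off of layer 4 classification: fewer false positives, but applications on non-standard ports are missed.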

Bandwidth Management

When you allow an application, you can restrict the bandwidth it uses or even the bandwidth
that particular features in the application (like voice, video, or file sharing) use. This restriction
may be ineffective in certain cases, however, such as using MSN to send files via P2P.
