Using Applications
Overview
Applications are networked services that run in the internal network or on the internet. Application definitions are a way to attach a business relevancy to all traffic that goes through your network. A separate application definition allows you to configure multiple rules using the same application.
Application definitions also let you group applications, so that you can configure and reuse a single rule for multiple applications with similar characteristics and requirements. Using an application group means that you don’t have to repeat the application definition for each rule, which can reduce the number of rules significantly.
You can regulate access to applications using policy rules, as described in
Policy controls.
Because an application can act as a target or a destination in a rule, you need to add the application definition in both directions. A rule with a source IP address looks only at the source IP address, so you need to create a rule that uses the destination IP for the reverse direction.
Application groups
For convenient traffic path rule and security policy creation, SCM predefines a number of application groups like Business or Web Services. When you use an application group in a traffic path rule, a single rule can handle many applications based on similar properties. For example, the Business Voice application group classifies all traffic that requires low latency and a high queue priority.
Application groups simplify the configuration and minimize the number of rules needed, providing better scalability.
Upgrade Consideration
The default application groups have changed in SCM 2.0 for compatibility with SteelHead CXs.
The new application groups are in effect after upgrading from SCM 1.x to 2.0. Any preexisting custom application groups remain the same after the upgrade.
Five preexisting application groups were merged into new groups. If you are using preexisting application groups in an inbound or outbound security policy or a traffic path rule that contain any of these groups, you might need to create new rules to use the new group name. The following table shows the application groups merged from 1.x to 2.x.
To view the complete list of application groups
Preexisting group | Merged into group |
Photography | Images/Photography |
Communication/IM/Email | Messaging/IM/Email |
Education/Reference | News/Education/Reference |
Games | Entertainment/Games |
Lifestyle/Health/Fitness | Lifestyle/Health/Fitness/Sport |
•Choose Applications > Groups.
Application groups page
A web category catalog is available to include sites that aren’t covered by a specific application. You can add web categories to application groups.
To view a complete list of web categories
1. Choose Applications > Groups.
2. Select an application group.
3. Select the Web categories tab for that group.
This table describes some default application groups, web categories, and sample applications, but it does not provide an exhaustive list. See the Applications Group page for the most up-to-date app groups, web categories, and apps associated with a group.
Group | Web categories | Content types | Sample applications and protocols |
Business | Business / Economy Government / Legal Military Political / Activist Groups Computers / Internet Search Engines / Portals Job Search / Careers Real Estate Restaurants / Dining / Food Travel Vehicles Web Applications Web Hosting Translation Content Servers Greeting Cards Marketing Services Ecology / Nature Animals / Pets | Includes a wide range of applications focused on business use. | Captures apps such as Google Calendar, Google Maps / Google Earth, Salesforce, Wunderlist, DATEV. |
Images/Photography | Open Image / Media Search Photo Searches | Includes photo and image searches, online photo albums, digital photo exchange, and image hosting. | Captures applications such as Flickr, Picasa, 500px. |
Social Networking | Social Networking Personal Pages / Blogs | Includes websites that enable people to connect with others to form an online community. Instant messaging, file sharing and blogs are common features of social networking sites. | Captures applications such as Facebook, Twitter, Instagram, LinkedIn, Tinder, MySpace. |
Video/Media/TV | Media Sharing TV / Video Streams | Includes websites that allow sharing of media and have a low risk of including objectionable content such as adult or pornographic material. Also includes websites that provide streams or downloads of television, movie, webcam, or other video content that exceeds 15 minutes. | Captures content such as Twitch, Hulu, Netflix, YouTube, Vimeo, Sky / SkyGo, Amazon Instant Video / Lovefilm, Online TV Recorder (OTR), Maxdone, Plex Media, MyVideo, SAVE.TV, and Zattoo TV. |
Application catalog
SCM provides a constantly updated catalog of public applications that are available on the internet. For example, Facebook or Salesforce. Every catalog application is assigned to a default predefined application group.
The catalog provides an efficient and accurate way to identify applications for advanced classification of network traffic.
To determine the default predefined group for a specific application
1. Choose Applications > Applications Catalog.
2. Start typing the application name in the search field to narrow the list.
Custom applications
Creating a custom application means that you group together a set of criteria to match certain traffic. You define custom applications to set up access policies for internal services, or specific internet-based services. Internal applications are typically related to a registered server device or device group; however, you can also define applications based on zones, IP addresses, ports, or host/domain names.
To define custom applications
1. Choose Applications > Custom.
2. Click New Application.
3. Complete the name and description.
4. Select the application type from the drop-down list: Device, Device Group, Zones, IP/Ports, or Hostnames (Internet Only). The traffic characteristics change according to the type of application.
Target devices must be preregistered, either manually or through the self-registration portal. For details, see
To register a device.
5. Complete the application characteristics as needed for the app type.
Custom apps appear in the Custom Apps column of the Application Group page.
To create a remote desktop application for a Windows 2012 AD server in a data center
1. Select Application > Custom.
2. Click New Application.
3. Name the application RDP_AD.
4. Describe the application as RDP to Active Directory in DC.
5. Select Device as the application type.
6. Select the relevant server from the device list. For example, AD on W3K12 Server in DC.
7. Click On to limit the TCP/UDP ports.
8. Add port 3389.
9. Click Submit.
Custom application for an Active Directory server using port 3389
After defining the application, you can use it in a rule that defines the policy for internal users and devices. In this example, you define a rule to allow the laptop administrator access to the RDP Active Directory server in the data center. For details, see
Outbound and internal rules.