Application Patrol
See the Application Patrol section for related information on these screens.
Application Patrol Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing, and file transfers). Application patrol also has powerful bandwidth management, including traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL.
If you want to use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL.
Application patrol examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection. Then, you can specify, by application, whether or not the ZyWALL continues to route the connection.
Classification of Applications
There are two ways the ZyWALL can identify the application. The first approach is called auto. In this approach, the ZyWALL looks at the IP payload (OSI level-7) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the ZyWALL examines several packets to make sure the match is correct.
Note: The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application.
The second approach is called service ports. In this approach, the ZyWALL only uses OSI level-3 information, such as IP address and port, to identify what application is using the connection. This approach is available in case the ZyWALL identifies a lot of "false positives" for a particular application.
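The following model, added here as an illustration and not ZyWALL code, shows the difference between the two approaches and the eight-packet identification window described in the note above. The layer-7 signatures, the service-port table, the policy and the sample packets are all constructed for the example; real signature sets are far larger and are not public.

```python
"""Toy model of the two application patrol classification approaches:
"auto" (layer-7 payload pattern matching during the first packets of a
connection) and "service ports" (layer-3/4 port lookup). Added example,
not ZyWALL code; all signatures, ports and packets below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed layer-7 signatures, matched against the start of the payload.
L7_SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "ftp": re.compile(rb"^220[ -].*FTP"),
    "ssh": re.compile(rb"^SSH-2\.0-"),
}

# Port table used by the "service ports" approach (well-known ports only).
SERVICE_PORTS = {80: "http", 21: "ftp", 22: "ssh"}

# The page states the first eight packets pass regardless of the policy and
# are the packets examined for identification.
GRACE_PACKETS = 8


def classify_by_ports(dst_port: int) -> Optional[str]:
    """Service-ports approach: identify by destination port alone."""
    return SERVICE_PORTS.get(dst_port)


def classify_by_payload(payload: bytes) -> Optional[str]:
    """Auto approach: identify by matching the payload against known patterns."""
    for app, pattern in L7_SIGNATURES.items():
        if pattern.search(payload):
            return app
    return None


@dataclass
class Connection:
    dst_port: int
    app: Optional[str] = None            # identified application, if any
    packets_seen: int = 0
    verdicts: List[str] = field(default_factory=list)


def handle_packet(conn: Connection, payload: bytes, policy: Dict[str, str],
                  mode: str = "auto") -> str:
    """Process one packet of a connection and return forward/drop/reject.

    policy maps application name -> access ("forward", "drop", "reject");
    the "other" key is the default for traffic that is never identified.
    """
    conn.packets_seen += 1
    if conn.app is None and conn.packets_seen <= GRACE_PACKETS:
        if mode == "service-ports":
            conn.app = classify_by_ports(conn.dst_port)
        else:
            conn.app = classify_by_payload(payload)
    if conn.packets_seen <= GRACE_PACKETS:
        verdict = "forward"              # grace window: pass while identifying
    else:
        verdict = policy.get(conn.app or "other", "forward")
    conn.verdicts.append(verdict)
    return verdict


def run_connection(dst_port: int, payloads: List[bytes], policy: Dict[str, str],
                   mode: str = "auto"):
    """Feed a whole connection through handle_packet; return (app, verdicts)."""
    conn = Connection(dst_port=dst_port)
    for payload in payloads:
        handle_packet(conn, payload, policy, mode)
    return conn.app, conn.verdicts


# Constructed policy and sample connections.
POLICY = {"http": "forward", "ssh": "drop", "other": "reject"}
# An SSH server answering on TCP port 80: a port-based lookup misreads it as HTTP,
# which is the kind of false positive the service-ports approach produces.
SSH_ON_80 = [b"SSH-2.0-OpenSSH_8.9\r\n"] + [b"\x00" * 16] * 9
UNKNOWN = [b"\x01\x02\x03"] * 10

if __name__ == "__main__":
    print(run_connection(80, SSH_ON_80, POLICY))                   # auto: ssh, dropped from packet 9
    print(run_connection(80, SSH_ON_80, POLICY, "service-ports"))  # http, all forwarded
    print(run_connection(5555, UNKNOWN, POLICY))                   # None, rejected from packet 9
```

The auto classifier reads the banner in the first packet and applies the ssh policy from packet nine onward, while the service-ports classifier trusts the port and forwards everything; the unidentified connection falls through to the "other" default once the grace window closes.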
Configurable Application Policies
The ZyWALL has policies for individual applications. For each policy, you can specify the default action the ZyWALL takes once it identifies one of the service's connections.
You can also specify custom policies that have the ZyWALL forward, drop, or reject a service's connections based on criteria that you specify (like the source zone, destination zone, original destination port of the connection, schedule, user, source, and destination information). Your custom policies take priority over the policy's default settings.
Bandwidth Management
When you allow an application, you can restrict the bandwidth it uses or even the bandwidth that particular features in the application (like voice, video, or file sharing) use. This restriction may be ineffective in certain cases, however, such as using MSN to send files via P2P.
The application patrol bandwidth management is more flexible and powerful than the bandwidth management in policy routes. Application patrol controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP).
Note: Bandwidth management in policy routes has priority over application patrol bandwidth management. It is recommended to use application patrol bandwidth management for TCP and UDP traffic and remove it from the policy routes.
Connection and Packet Directions
Application patrol looks at the connection direction, that is from which zone the connection was initiated and to which zone the connection is going.
A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel.
For example, a LAN to WAN connection is initiated from the LAN and goes to the WAN.
- Outbound traffic goes from a LAN zone device to a WAN zone device. Bandwidth management is applied before sending the packets out a WAN zone interface on the ZyWALL.
- Inbound traffic comes back from the WAN zone device to the LAN zone device. Bandwidth management is applied before sending the traffic out a LAN zone interface.
Outbound and Inbound Bandwidth Limits
You can limit an application's outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface's bandwidth. This way you can make sure there is bandwidth for other applications. When you apply a bandwidth limit to outbound or inbound traffic, each member of the out-going zone can send up to the limit.
Take a LAN to WAN policy for example.
- Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN so outbound means the traffic traveling from the LAN to the WAN. Each of the WAN zone's two interfaces can send the limit of 200 kbps of traffic.
- Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN so inbound means the traffic traveling from the WAN to the LAN.
Bandwidth Management Priority
The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate.
Then lower-priority traffic gets bandwidth.
The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority.
The ZyWALL automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
Maximize Bandwidth Usage
Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to "borrow" any unused bandwidth on the out-going interface.
After each application gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
Unused bandwidth is divided equally. Higher priority traffic does not get a larger portion of the unused bandwidth.
Bandwidth Management Behavior
This section shows how bandwidth management behaves with various settings. For example, you configure DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A's traffic and policy B for server B's traffic.
Configured Rate Effect
In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
Configured Rate Effect
Policy   Configured rate   Max. bandwidth usage   Priority   Actual rate
A        300 kbps          No                     1          300 kbps
B        200 kbps          No                     1          200 kbps
Priority Effect
Here the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps that server B can use.
Priority Effect
Policy   Configured rate   Max. bandwidth usage   Priority   Actual rate
A        800 kbps          Yes                    1          800 kbps
B        1000 kbps         Yes                    2          200 kbps
Maximize Bandwidth Usage Effect
With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets.
So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps.
Maximize Bandwidth Usage Effect
Policy   Configured rate   Max. bandwidth usage   Priority   Actual rate
A        300 kbps          Yes                    1          550 kbps
B        200 kbps          Yes                    2          450 kbps
Priority and Over Allotment of Bandwidth Effect
Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the ZyWALL still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.
Priority and Over Allotment of Bandwidth Effect
Policy   Configured rate   Max. bandwidth usage   Priority   Actual rate
A        1000 kbps         Yes                    1          999 kbps
B        1000 kbps         Yes                    2          1 kbps
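The model below, added here as an illustration and not ZyWALL code, implements the scheduling rules from the Bandwidth Management Priority and Maximize Bandwidth Usage sections and reproduces the four tables above: priority-ordered allocation up to each policy's configured rate, round-robin sharing within a priority level, then an equal split of unused bandwidth among policies with maximize bandwidth usage enabled. The scenarios are the constructed DMZ-to-WAN cases from the tables (WAN outgoing speed 1000 kbps, each server offering 1000 kbps). How the model treats traffic with bandwidth management disabled (both limits 0) is an assumption stated in the code.

```python
"""Model of the bandwidth management behaviour described in the tables above.
Added example, not ZyWALL code; policies and capacities are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Assumption made by this model: a policy whose configured rate is 0 has bandwidth
# management disabled. The page says such traffic is treated as priority 7; here it
# is also given no configured rate, so it takes whatever is left at that level.
LOWEST_PRIORITY = 7


@dataclass
class Policy:
    name: str
    demand: int          # kbps the server tries to send
    rate: int            # configured rate in kbps; 0 = bandwidth management disabled
    priority: int        # 1 (highest) .. 7 (lowest)
    maximize: bool       # maximize bandwidth usage enabled

    @property
    def effective_priority(self) -> int:
        return LOWEST_PRIORITY if self.rate == 0 else self.priority

    @property
    def guaranteed(self) -> int:
        return self.demand if self.rate == 0 else min(self.demand, self.rate)


def water_fill(wants: Dict[str, float], budget: float) -> Dict[str, float]:
    """Split `budget` equally (round-robin style) among the keys of `wants`,
    never giving a key more than it wants; leftovers are re-shared among the
    keys that still want more."""
    grants = {k: 0.0 for k in wants}
    pending = {k: w for k, w in wants.items() if w > 0}
    while pending and budget > 0:
        share = budget / len(pending)
        capped = {k: w for k, w in pending.items() if w <= share}
        if not capped:                   # everyone wants at least a full share
            for k in pending:
                grants[k] += share
            budget = 0.0
            break
        for k, w in capped.items():      # satisfy the small askers, then re-share
            grants[k] += w
            budget -= w
            del pending[k]
    return grants


def allocate(policies: List[Policy], capacity: float) -> Dict[str, float]:
    """Return the kbps each policy actually gets on a link of `capacity` kbps."""
    allocs = {p.name: 0.0 for p in policies}
    remaining = float(capacity)

    # Pass 1: higher priority first, each policy up to its configured rate;
    # policies at the same priority share what is left round-robin.
    for level in sorted({p.effective_priority for p in policies}):
        group = [p for p in policies if p.effective_priority == level]
        grants = water_fill({p.name: p.guaranteed for p in group}, remaining)
        for name, g in grants.items():
            allocs[name] += g
        remaining -= sum(grants.values())

    # Pass 2: unused bandwidth is divided equally among policies that have
    # maximize enabled and still want more. Priority plays no part here.
    eligible = {p.name: p.demand - allocs[p.name] for p in policies if p.maximize}
    for name, g in water_fill(eligible, remaining).items():
        allocs[name] += g
    return allocs


WAN_KBPS = 1000
SCENARIOS = {   # the four tables above, in order
    "configured rate": [Policy("A", 1000, 300, 1, False), Policy("B", 1000, 200, 1, False)],
    "priority":        [Policy("A", 1000, 800, 1, True),  Policy("B", 1000, 1000, 2, True)],
    "maximize":        [Policy("A", 1000, 300, 1, True),  Policy("B", 1000, 200, 2, True)],
    "over-allotment":  [Policy("A", 1000, 1000, 1, True), Policy("B", 1000, 1000, 2, True)],
}

if __name__ == "__main__":
    for label, policies in SCENARIOS.items():
        print(label, allocate(policies, WAN_KBPS))
```

The first three scenarios give exactly the actual rates in the tables (300/200, 800/200 and 550/450 kbps). In the over-allotment case this idealized model gives server A the whole link and server B nothing, whereas the table reports 999 and 1 kbps: the real scheduler still lets a trickle of lower-priority traffic through rather than starving it completely, which is why the page treats that configuration as an error.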
Other Applications
Sometimes, the ZyWALL cannot identify the application. For example, the application might be a new application, or the packets might arrive out of sequence. (The ZyWALL does not reorder packets when identifying the application.) In these cases, you can still provide a default rule for the ZyWALL to follow. You can use source zone, destination zone, destination port, schedule, user, source, and destination information as criteria to create a sequence of specific conditions, similar to the sequence of rules used by firewalls, to specify what the ZyWALL should do more precisely. You can also control the bandwidth used by these other applications.
Application Patrol Screens
Use the General summary screen to enable and disable application patrol.
Use the Common, Instant Messenger, Peer to Peer, VoIP, and Streaming screens to look at the applications the ZyWALL can recognize, and review the settings for each one. You can also enable and disable the rules for each application and specify the default and custom policies for each application.
The Other screen controls what the ZyWALL does when it does not recognize the application, and it identifies the conditions that refine this. It also lets you open the Other Configuration Add/Edit screen to create new conditions or edit existing ones.
Use the Statistics screen to see a bandwidth usage graph and statistics for each protocol.
Application Patrol General
Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using.
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it.
See Registration for how to register.
Application Patrol Applications
Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications.
Use the Common screen to manage traffic of the most commonly used web, file transfer and e-mail protocols.
Application Patrol Edit
Use this screen to edit the settings for an application.
Application Patrol Policy Edit
The Application Policy Edit screen allows you to edit a group of settings for an application.
Application Policy Edit
Enable Policy: Select this check box to turn on this policy for the application.
Port: Use this field to specify a port number to which to apply this policy. Type zero if this policy applies to every port number.
Schedule: Select a schedule that defines when the policy applies, or select Create Object to configure a new one (see Schedules for details). Otherwise, select any to make the policy always effective.
User: Select a user name or user group to which to apply the policy. Select Create Object to configure a new user account (see User Add/Edit for details). Select any to apply the policy to every user.
From: Select the source zone of the traffic to which this policy applies.
To: Select the destination zone of the traffic to which this policy applies.
Source: Select a source address or address group to which this policy applies. Select Create Object to configure a new one. Select any if the policy is effective for every source.
Destination: Select a destination address or address group to which this policy applies. Select Create Object to configure a new one. Select any if the policy is effective for every destination.
Access: This field controls what the ZyWALL does with packets for this application that match this policy. Choices are:
- forward - the ZyWALL routes the packets for this application.
- drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision.
- reject - the ZyWALL does not route the packets for this application and notifies the client of its decision.
Action Block: For some applications, you can select individual uses of the application that the policy will have the ZyWALL block. These fields only apply when Access is set to forward.
- Login - Select this option to block users from logging in to a server for this application.
- Message - Select this option to block users from sending or receiving instant messages.
- Audio - Select this option to block users from sending or receiving audio traffic.
- Video - Select this option to block users from sending or receiving video traffic.
- File Transfer - Select this option to block users from sending or receiving files.
Bandwidth Management: Configure these fields to set the amount of bandwidth the application can use. These fields only apply when Access is set to forward. You must also enable bandwidth management in the main application patrol screen (AppPatrol > General) in order to apply bandwidth shaping.
Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows the application to use. Inbound refers to the traffic the ZyWALL sends to a connection's initiator. If you enter 0 here, this policy does not apply bandwidth management to the application's traffic that the ZyWALL sends to the initiator. Traffic with bandwidth management disabled (inbound and outbound both set to 0) is automatically treated as the lowest priority (7). If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Outbound kbps: Type how much outbound bandwidth, in kilobits per second, this policy allows the application to use. Outbound refers to the traffic the ZyWALL sends out from a connection's initiator. If you enter 0 here, this policy does not apply bandwidth management to the application's traffic that the ZyWALL sends out from the initiator. Traffic with bandwidth management disabled (inbound and outbound both set to 0) is automatically treated as the lowest priority (7). If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Priority: Enter a number between 1 and 7 to set the priority for this application's traffic that matches this policy. The smaller the number, the higher the priority. The ZyWALL gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority. The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth between applications with the same priority. The number in this field is ignored if the inbound and outbound limits are both set to 0; in this case the traffic is automatically treated as the lowest priority (7) regardless of this field's setting.
Maximize Bandwidth Usage: Enable maximize bandwidth usage to let the traffic matching this policy "borrow" any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
Log: Select whether to have the ZyWALL generate a log (log), a log and an alert (log alert), or neither (no) when the application's traffic matches this policy.
Other Protocol Screen
The Other Protocol screen controls the default policy for TCP and UDP traffic that the ZyWALL cannot identify. In other words, you can control what the ZyWALL does when it does not recognize the application. This screen also allows you to add, edit, and remove conditions to this default policy.
Other Configuration Add/Edit
The Other Configuration Add/Edit screen allows you to create a new condition or edit an existing one.
AppPatrol > Other > Edit
Enable: Select this check box to turn on this policy.
Port: Use this field to specify a port number to which to apply this policy. Type zero if this policy applies to every port number.
Schedule: Select a schedule that defines when the policy applies, or select Create Object to configure a new one (see Schedules for details). Otherwise, select any to make the policy always effective.
User: Select a user name or user group to which to apply the policy. Select Create Object to configure a new user account (see User Add/Edit for details). Select any to apply the policy to every user.
From: Select the source zone of the traffic to which this policy applies.
To: Select the destination zone of the traffic to which this policy applies.
Source: Select a source address or address group to which this policy applies. Select Create Object to configure a new one. Select any if the policy is effective for every source.
Destination: Select a destination address or address group to which this policy applies. Select Create Object to configure a new one. Select any if the policy is effective for every destination.
Protocol: Select the protocol to which this condition applies. Choices are TCP and UDP. Select any to apply the policy to both TCP and UDP traffic.
Access: This field controls what the ZyWALL does with packets that match this policy. Choices are:
- forward - the ZyWALL routes the packets.
- drop - the ZyWALL does not route the packets and does not notify the client of its decision.
- reject - the ZyWALL does not route the packets and notifies the client of its decision.
Bandwidth Management: Configure these fields to set the amount of bandwidth the matching traffic can use. These fields only apply when Access is set to forward.
Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection's initiator. If you enter 0 here, this policy does not apply bandwidth management to the matching traffic that the ZyWALL sends to the initiator. Traffic with bandwidth management disabled (inbound and outbound both set to 0) is automatically treated as the lowest priority (7). If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Outbound kbps: Type how much outbound bandwidth, in kilobits per second, this policy allows the traffic to use. Outbound refers to the traffic the ZyWALL sends out from a connection's initiator. If you enter 0 here, this policy does not apply bandwidth management to the matching traffic that the ZyWALL sends out from the initiator. Traffic with bandwidth management disabled (inbound and outbound both set to 0) is automatically treated as the lowest priority (7). If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Priority: Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth between traffic flows with the same priority. The number in this field is ignored if the inbound and outbound limits are both set to 0; in this case the traffic is automatically treated as the lowest priority (7) regardless of this field's setting.
Maximize Bandwidth Usage: Enable maximize bandwidth usage to let the traffic matching this policy "borrow" any unused bandwidth on the out-going interface. After each application or type of traffic gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications and traffic types that need more bandwidth and have maximize bandwidth usage enabled.
Log: This field controls what kind of record the ZyWALL creates when traffic matches this policy.
- no - the ZyWALL does not record anything.
- log - the ZyWALL creates a record in the log.
- log alert - the ZyWALL creates an alert.
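The following model, added here as an illustration and not ZyWALL code, shows how the custom policies from the Configurable Application Policies section and the two edit tables above are evaluated: every configured criterion (port, schedule, user, from/to zone, source, destination and, for Other conditions, protocol) must match, the first matching custom policy wins, and otherwise the application's default action or the Other default applies. Action Block only takes effect when the winning policy forwards. The schedule, address groups, zone names and sample policies are constructed for the example.

```python
"""Model of application patrol policy evaluation. Added example, not ZyWALL
code; schedules, address groups, zones and policies below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Policy:
    access: str                          # "forward", "drop" or "reject"
    port: int = 0                        # 0 = every port
    schedule: str = ANY
    user: str = ANY
    src_zone: str = ANY                  # From
    dst_zone: str = ANY                  # To
    source: str = ANY                    # address or address group name
    destination: str = ANY
    protocol: str = ANY                  # "tcp"/"udp"; used by Other conditions
    block: FrozenSet[str] = frozenset()  # Action Block features (forward only)
    log: str = "no"                      # "no", "log" or "log alert"


@dataclass
class Connection:
    app: Optional[str]                   # None when the application was not identified
    protocol: str
    dst_port: int
    user: str
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    when: datetime


# Constructed objects standing in for the device's Schedule and Address objects.
SCHEDULES: Dict[str, Callable[[datetime], bool]] = {
    "office-hours": lambda t: t.weekday() < 5 and 9 <= t.hour < 18,
}
ADDRESS_GROUPS = {
    "guest-net": [ip_network("192.168.50.0/24")],
    "servers": [ip_network("10.0.5.0/24")],
}


def in_group(ip: str, group: str) -> bool:
    return any(ip_address(ip) in net for net in ADDRESS_GROUPS[group])


def matches(p: Policy, c: Connection) -> bool:
    """A policy matches only when every criterion matches (any = wildcard)."""
    return (
        p.port in (0, c.dst_port)
        and (p.schedule == ANY or SCHEDULES[p.schedule](c.when))
        and p.user in (ANY, c.user)
        and p.src_zone in (ANY, c.src_zone)
        and p.dst_zone in (ANY, c.dst_zone)
        and (p.source == ANY or in_group(c.src_ip, p.source))
        and (p.destination == ANY or in_group(c.dst_ip, p.destination))
        and p.protocol in (ANY, c.protocol)
    )


def decide(c: Connection, app_custom: Dict[str, List[Policy]],
           app_default: Dict[str, Policy], other_custom: List[Policy],
           other_default: Policy) -> Tuple[str, FrozenSet[str], str]:
    """Return (access, blocked features, log setting) for one connection."""
    if c.app is not None:
        custom = app_custom.get(c.app, [])
        default = app_default.get(c.app, Policy("forward"))
    else:                                # unidentified: Other screen conditions apply
        custom, default = other_custom, other_default
    chosen = next((p for p in custom if matches(p, c)), default)
    # Action Block only has an effect when the chosen policy forwards the traffic.
    blocked = chosen.block if chosen.access == "forward" else frozenset()
    return chosen.access, blocked, chosen.log


# Constructed policy set: IM allowed from the LAN in office hours without file
# transfer, FTP dropped from the guest network, unknown UDP to the WAN rejected.
APP_CUSTOM = {
    "im": [Policy("forward", schedule="office-hours", src_zone="LAN", dst_zone="WAN",
                  block=frozenset({"File Transfer"}), log="log")],
    "ftp": [Policy("drop", source="guest-net", log="log alert")],
}
APP_DEFAULT = {"im": Policy("drop"), "ftp": Policy("forward")}
OTHER_CUSTOM = [Policy("reject", protocol="udp", dst_zone="WAN")]
OTHER_DEFAULT = Policy("forward")


def evaluate(c: Connection):
    return decide(c, APP_CUSTOM, APP_DEFAULT, OTHER_CUSTOM, OTHER_DEFAULT)


def sample(app: Optional[str], protocol: str, dst_port: int, src_ip: str, hour: int) -> Connection:
    """Constructed LAN-to-WAN connection on Tuesday 2024-05-14 at the given hour."""
    return Connection(app, protocol, dst_port, "alice", "LAN", "WAN",
                      src_ip, "203.0.113.5", datetime(2024, 5, 14, hour, 0))
```

With this policy set an IM connection at 10:00 is forwarded with file transfer blocked and logged, the same connection at 20:00 falls through to the IM default and is dropped, and an unidentified UDP flow to the WAN is rejected while unidentified TCP is forwarded by the Other default.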
Application Patrol Statistics
This screen displays a bandwidth usage graph and statistics for selected protocols.
Application Patrol Statistics: General Setup
Use the top of the AppPatrol > Statistics screen to configure what to display.
Application Patrol Statistics: Bandwidth Statistics
The middle of the AppPatrol > Statistics screen displays a bandwidth usage line graph for the selected protocols.
- The y-axis represents the amount of bandwidth used.
- The x-axis shows the time period over which the bandwidth usage occurred.
- A solid line represents a protocol's incoming bandwidth usage. This is the protocol's traffic that the ZyWALL sends to the initiator of the connection.
- A dotted line represents a protocol's outgoing bandwidth usage. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection.
- Different colors represent different protocols.
Application Patrol Statistics: Protocol Statistics
The bottom of the AppPatrol > Statistics screen displays statistics for each of the selected protocols.