Access rules for network application detection

To detect network application use, you must create Access rules that define the matching criteria.

The Service cell defines the protocols that are compared to the protocol-related information in each packet’s header. You can use Network Application elements directly in the Service cell, or as part of the matching criteria in the Service Definition dialog box. Any other criteria in the service definition override the properties of the Network Application element.

The Service (Port) option that you select in the service definition determines which ports the traffic must use for the Network Application element to match:

  • Automatic Port Selection — The ports that traffic matches are selected automatically depending on the action specified in the rule.

    For rules that allow traffic and for rules with the Continue action, traffic matches only on the standard ports defined in the Network Application element. For rules that stop traffic, traffic matches on any port where the application can be detected. In practice, this means that an allow rule with Automatic Port Selection does not match the application when it runs on a non-standard port; that traffic falls through to the following rules in the policy.

  • Any Port — Traffic matches any port where the application can be detected.
  • Standard Ports — Traffic matches only the standard ports defined in the Network Application element.

When you add new Access rules, Automatic Port Selection is selected by default.

Alternatively, you can use Application Type elements and Tag elements directly in the Service cell. Application Type elements represent general categories of network applications. Tag elements represent all Network Application elements that are associated with that Tag.
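The following Python model, added here as an illustration and not code from the SMC or its vendor, shows how the three port-selection options and the Tag expansion described above affect which rule a connection matches. The application catalog, Tag names, rule names and the `app:`/`tag:` labelling of Service cell entries are constructed assumptions for the example; the "discard" action stands in for any action that stops traffic, and the Continue action is simplified to "does not end matching".

```python
"""Model of Access rule matching for network applications by port.

Added example, not SMC code. The catalog below is constructed sample data:
each Network Application has standard ports and a set of Tags.
"""
from dataclasses import dataclass

# Constructed sample catalog: application -> standard ports and Tags.
APPLICATIONS = {
    "web-mail":    {"ports": {80, 443}, "tags": {"Web", "Mail"}},
    "file-share":  {"ports": {8080},    "tags": {"Web", "Storage"}},
    "remote-desk": {"ports": {3389},    "tags": {"Remote Access"}},
}


def expand_service(service):
    """Return the set of application names a Service cell entry covers.

    'app:<name>' is a single Network Application element; 'tag:<name>' covers
    every application carrying that Tag. (Label scheme is an assumption.)
    """
    kind, _, name = service.partition(":")
    if kind == "app":
        if name not in APPLICATIONS:
            raise KeyError(f"unknown application: {name}")
        return {name}
    if kind == "tag":
        return {app for app, info in APPLICATIONS.items() if name in info["tags"]}
    raise ValueError(f"unknown service element: {service}")


@dataclass
class Rule:
    name: str
    service: str                       # "app:<name>" or "tag:<name>"
    action: str                        # "allow", "continue" or "discard"
    port_selection: str = "automatic"  # "automatic" (default), "any", "standard"

    def effective_ports(self, app):
        """Ports the rule matches for `app`; None means any port where the
        application is detected."""
        mode = self.port_selection
        if mode == "automatic":
            # Allow and Continue rules match standard ports only;
            # rules that stop traffic match on any port.
            mode = "any" if self.action == "discard" else "standard"
        if mode == "any":
            return None
        if mode == "standard":
            return APPLICATIONS[app]["ports"]
        raise ValueError(f"unknown port selection: {mode}")

    def matches(self, app, port):
        if app not in expand_service(self.service):
            return False
        ports = self.effective_ports(app)
        return ports is None or port in ports


def evaluate(rules, app, port):
    """Walk the rules top down. Continue rules do not end matching (simplified).

    Returns (action, rule_name), or ("no-match", None) if no rule matched; what
    happens to unmatched traffic depends on the rest of the real policy.
    """
    for rule in rules:
        if rule.matches(app, port):
            if rule.action == "continue":
                continue
            return rule.action, rule.name
    return "no-match", None


# Constructed sample policy: an allow rule on a Tag with the default Automatic
# Port Selection, followed by a stop rule on a single application.
POLICY = [
    Rule("allow-web", "tag:Web", "allow"),             # automatic -> standard ports
    Rule("block-rdp", "app:remote-desk", "discard"),   # automatic -> any port
]

# Same policy with the allow rule switched to Any Port.
POLICY_ANY_PORT = [
    Rule("allow-web-any", "tag:Web", "allow", "any"),
    Rule("block-rdp", "app:remote-desk", "discard"),
]

if __name__ == "__main__":
    for app, port in [("web-mail", 443), ("web-mail", 8443),
                      ("file-share", 8080), ("remote-desk", 3389),
                      ("remote-desk", 4444)]:
        print(app, port, "automatic:", evaluate(POLICY, app, port),
              "any-port:", evaluate(POLICY_ANY_PORT, app, port))
```

Running the model shows the asymmetry the Automatic Port Selection text describes: web-mail on 443 hits "allow-web", but web-mail on 8443 matches no rule because the allow rule only covers the application's standard ports, whereas remote-desk on 4444 is still stopped by "block-rdp" because a stop rule matches on any port where the application is detected. Switching the allow rule to Any Port makes 8443 match as well, which is the trade-off to weigh before relaxing the default.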

Some network applications open several related connections (a control connection and the data connections it negotiates, for example). When an Access rule that detects network application use identifies a related connection, that related connection is matched against the Access rules again as a connection of its own. If the rule that detected the network application use has deep inspection enabled, and the related connection also matches a rule with deep inspection enabled, the related connection is matched against the Inspection Policy. No NAT payload modifications are applied to the connection that matched the rule that detected the network application use; NAT payload modifications can be applied to the related connections according to the policy.