Configure Application Policy Rules

You must be in the process of configuring a new Application policy or modifying an existing policy to use this procedure.

Use this procedure to configure or modify Application Policy Rules.

  1. Choose from the following actions:
    • If you are in the process of configuring a new Application policy, proceed to the next step.
    • If you want to edit rules settings for an Application policy, go to Policies > Application. Select adjacent to the target Application policy. Modify the settings in accordance with the steps in this procedure.
  2. Select the Application Policy Rules tab.
    A list of configured rules appears in tabular format, if any exist. The total number of configured rules is shown in parentheses.
  3. Choose from the following actions:
    • Select to create a new rule. Proceed to the next step.
    • From under the Actions column:
      • Select associated with a rule to modify it. Edit the parameters in accordance with the steps in this procedure.
      • Select associated with a rule to delete it.
  4. Configure the parameters as described in Application Policy Rules Parameters – All Actions. These parameters apply to all Action types: Allow, Mark, Deny, and Rate-Limit.
    Table 1. Application Policy Rules Parameters – All Actions
    Parameter Description
    Rule Precedence

    Set a priority value in the range 1–256 for the application policy rule. The lower the value, the higher the priority assigned to this rule’s enforcement action and the category and application assigned. A precedence also helps resolve conflicting rules for applications and categories.

    Action

    Set the action to be executed on the specified application category and application. Options are:

    Schedule Policy

    Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and times configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the Application Policy Enforcement Time setting under the Basic tab). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy’s enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (that is, ensure the Application Policy Enforcement Time has not been set, since by default enforcement is continuous).

    Use the Schedule Policy drop-down menu to select an existing schedule policy to strategically enforce application filter policy rules for specific intervals. This provides stricter, time- and schedule-based access or restriction to specific applications and their parent categories. If no Schedule policy exists or an existing policy does not meet requirements, use the CLI command schedule-policy to configure one.

    Otherwise, retain the default value <none> to use no schedule-based filtering.

    App-Category

    Specify the application category as the match criteria. Each packet’s app-category is matched with the value specified here. In case of a match, the system forwards, drops, marks, or rate-limits the packet, depending on the Action specified. Options are:

    • All (default) — The system forwards all packets regardless of the application category.
    • business
    • conference
    • custom
    • database
    • ecommerce
    • filetransfer
    • gaming
    • generic
    • im
    • industrial
    • mail
    • mobile
    • network management
    • other
    • p2p
    • remote_control
    • sharehosting
    • social networking
    • streaming
    • tunnel
    • voip
    • web
    Application

    Specify the application name. Each packet’s application is matched with the application name specified here. In case of a match, the system forwards, drops, marks, or rate-limits the packet, depending on the Action specified.

    Note: The WiNG system provides approximately 309 canned applications. In addition to these, the database also includes custom-made applications. These are application definitions you can create using the CLI application command.

    If you set the Action parameter to Mark, configure related parameters as described in Application Policy Rules Parameters – Mark Action.

    Table 2. Application Policy Rules Parameters – Mark Action
    Parameter Description
    Mark Type

    Select the Mark type. Packets that meet the criteria specified in the Schedule Policy, App-Category, and Application fields are marked according to the setting in this field. Options are:

    • 8021p (default) — Marks packets matching the specified criteria with the 802.1p priority value specified in the Mark Value field. The IEEE 802.1p signaling standard enables marking of Layer 2 network traffic. Layer 2 network devices (such as switches), using 802.1p standards, group traffic into classes based on their 802.1p priority value, which is appended to the packet’s MAC header. In case of traffic congestion, packets with higher priority get precedence over lower priority packets and are forwarded first.
    • dscp — Marks packets matching the specified criteria with the DSCP ToS code specified in the Mark Value field. The DSCP protocol marks Layer 3 network traffic. Layer 3 network devices (such as routers) using DSCP mark each Layer 3 packet with a six-bit DSCP code, which is appended to the packet’s IP header. Each DSCP code is assigned a corresponding level of service, enabling packet prioritization.
    Mark Value

    Enter a value representing packet prioritization defined by the Mark Type specified, as follows:

    • If 8021p is specified as Mark Type, enter a value in the range 0–7.
    • If dscp is specified as Mark Type, enter a value in the range 0–63.

    If you set the Action parameter to Rate-Limit, configure related parameters as described in Application Policy Rules Parameters – Rate-Limit Action.

    Table 3. Application Policy Rules Parameters – Rate-Limit Action
    Parameter Description
    Enable Outbound Rating

    Select this option to enable rate limit action for outbound traffic.

    Outbound Max Burst Size

    Set the maximum burst size value in the range 2–1024 (Kbytes) for outgoing packets.

    Outbound Traffic Rate

    Set the rate limit value in the range 50–1000000 (Kbps) for outgoing packets.

    Enable Inbound Rating

    Select this option to enable rate limit action for inbound traffic.

    Inbound Max Burst Size

    Set the maximum burst size value in the range 2–1024 (Kbytes) for incoming packets.

    Inbound Traffic Rate

    Set the rate limit value in the range 50–1000000 (Kbps) for incoming packets.
  5. Select Add to create the rule.
  6. After you have completed configuring the settings, choose from the following actions:
    1. Select Revert to restore default settings or restore the last saved settings.
      Note

      You cannot restore default settings after applying or saving changes.
    2. Select Apply to commit the configured settings.
      Note

      This does not permanently save the settings you configured. If you perform a Reload (warm reboot), applied settings will be lost.
    3. Select Save to commit and save the configured settings.
      Note

      If you do not select Apply or Save, the settings that you configured are not saved when you move away from the configuration window.
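
The parameter ranges and the schedule-subset requirement described in this procedure can be checked offline before a rule is entered. The following is an added example, not part of the original documentation or of WiNG itself; the dictionary layout, lowercase action names, and function names are assumptions chosen for illustration.

```python
# Added example: lint a rule definition against the ranges documented on this page.
# The dict layout and all names here are assumptions, not WiNG syntax.
RANGES = {"precedence": (1, 256), "8021p": (0, 7), "dscp": (0, 63),
          "burst_kbytes": (2, 1024), "rate_kbps": (50, 1000000)}

def _in_range(name, value):
    lo, hi = RANGES[name]
    return isinstance(value, int) and lo <= value <= hi

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def _covered(window, enforcement):
    """True if (day, start, end) lies inside one enforcement window."""
    day, start, end = window
    return any(d == day and _minutes(s) <= _minutes(start) and _minutes(end) <= _minutes(e)
               for d, s, e in enforcement)

def lint_rule(rule, enforcement=None):
    """Return findings; enforcement=None means the policy is always active."""
    findings = []
    if not _in_range("precedence", rule.get("precedence")):
        findings.append("precedence outside 1-256")
    action = rule.get("action")
    if action not in ("allow", "deny", "mark", "rate-limit"):
        findings.append("unknown action")
    if action == "mark":
        mark_type = rule.get("mark_type", "8021p")  # 8021p is the documented default
        if mark_type not in ("8021p", "dscp"):
            findings.append("unknown mark type")
        elif not _in_range(mark_type, rule.get("mark_value")):
            findings.append(f"mark value outside {mark_type} range")
    if action == "rate-limit":
        for direction in ("outbound", "inbound"):
            limit = rule.get(direction)  # None: that direction is not enabled
            if limit is None:
                continue
            if not _in_range("burst_kbytes", limit.get("burst_kbytes")):
                findings.append(f"{direction} burst outside 2-1024 Kbytes")
            if not _in_range("rate_kbps", limit.get("rate_kbps")):
                findings.append(f"{direction} rate outside 50-1000000 Kbps")
    for window in (rule.get("schedule", []) if enforcement is not None else []):
        if not _covered(window, enforcement):
            findings.append(f"schedule {window[0]} {window[1]}-{window[2]} not inside enforcement time")
    return findings

# Constructed sample: policy active Mondays 10:00-22:00, rule scheduled for Fridays.
POLICY_WINDOWS = [("mon", "10:00", "22:00")]
FRIDAY_RULE = {"precedence": 10, "action": "deny", "schedule": [("fri", "09:00", "17:00")]}
```

Calling `lint_rule(FRIDAY_RULE, POLICY_WINDOWS)` flags the Friday schedule from the example in the Schedule Policy description, while passing no enforcement windows models a policy whose Application Policy Enforcement Time has not been set.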