Application Policy

About this task

When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized applications (for example, Facebook) or application-categories (for example, socialnetworking). The following are the rules/actions that can be applied in an application policy:
  • Allow - Allow packets for a specific application or application category
  • Deny - Deny packets for a a specific application or application category
  • Mark - Mark packets with DSCP/8021p value for a specific application or application category
  • Rate-limit - Rate limit packets from specific application types

For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when wanting to deny packets for a category, but wanting to allow a few applications in the same category to proceed. In such a cases, add an allow rule for applications with a higher precedence then a deny rule for that category.

Mark actions mark packets for a recognized application and category with DSCP/8021p values used for QoS. Ratelimits create a rate-limiter applied to packets recognized for an application and category. Ingress and egress rates need to be specified for the rate-limiter, but both are not required. Mark and rate-limit are the only two actions that can be combined for an application and category. All other combinations are invalid.

To define an application policy configuration:

Procedure

  1. Select Configuration → Network → Application Policy.
    The screen lists the application policy configurations defined thus far.
    Click to expand in new window
    GUID-84433AD1-107D-4494-92EA-8BAE048F3318-low.png
  2. Refer to the following to determine whether a new application policy requires creation, modification or deletion:
    Name Lists the 32 character maximum name assigned to each listed application policy, designated upon creation.
    Description Displays the 80 character maximum description assigned to each listed application policy, as a means of further distinguishing policies with similar configurations.
  3. Select Add to create a new application policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available. Existing policies can be copied or renamed as needed.
    Click to expand in new window
    GUID-F0C6049A-3DDE-4E78-9F9C-4BADA9191BD4-low.png
  4. If creating a new application policy, assign it a Name up to 32 characters.
  5. Provide this application policy an 80 character maximum Description to highlight its application and category filters and differentiate it from other policies with similar configurations.
  6. Define the following Application Policy Logging options to enable and filter logging for application specific packet flows:
    Enable Logging Enables the log functionality, where each new flow is shown with the corresponding matched application, the action taken and the policy name. When enabled, logging just shows what applications are getting recognized.
    Logging Level Select this option to log application events by severity. Severity levels include Emergency, Alert, Critical, Errors, Warning, Notification, Information and Debug. The default logging level is Notification.
  7. Refer to the Application Policy Enforcement Time table configure time periods for policy activation for each policy.
    Select + Add Row to populate the table with an enforcement time configuration to activate application policies based on the current local time. The option to configure a time activation period is applicable for a single application policy. Configure the days and time period when the application policy is enforced. If no time enforcement configuration is set, the policy is continually in effect without restriction.
  8. Refer to the Application Policy Rules table assess existing policy rules, their precedence (implementation priority), their actions (allow, deny etc.), application category and schedule policy enforcement restrictions.
  9. Select + Add Row to launch a screen to create a new policy rule.
    Click to expand in new window
    GUID-00FE4FFB-78B0-43C9-96E3-28D3E550BD15-low.png
  10. Assign the following attributes to the new application rule policy:
    Precedence Set the priority (from 1 - 256) for the application policy rule. The lower the value, the higher the priority assigned to this rule‘s enforcement action and the category and application assigned. A precedence also helps resolve conflicting rules for applications and categories.
    Action Set the action executed on the selected application category and application. The default setting is Allow.
    Application From the App-Category table, select the category for which the application rule applies. Selecting All auto-selects All within the Application table. Select All from the Application table to list all application category statistics, or specify a particular category name to display its statistics only.
  11. Use the Schedule Policy drop-down menu to select an existing schedule policy to strategically enforce application filter policy rules for specific intervals. This provides stricter, time and schedule based, access or restriction to specific applications and their parent categories. If an existing policy does not meet requirements, either select the Create icon to configure a new policy or the Edit icon to modify an existing policy. For more information on configuring schedule policies, see Schedule Policy
  12. Select OK to save the updates to the application policy. Select Reset to revert to the last saved configuration.
9036315-02 REV AA