Create an Application Policy
When an application is recognized and classified by the WiNG application recognition
engine, administrator-defined actions can be applied to that specific application.
An application policy defines the rules or actions executed on recognized
applications (for example, Facebook) or application-categories (for example,
socialnetworking). The following are the rules/actions that can be defined in an
application policy:
- Allow - Allows packets for a specific application or application category
- Deny - Denies packets for a specific application or application category
- Mark - Marks packets with a DSCP/8021p value for a specific application or application category
- Rate-limit - Rate limits packets from specific application types
For each rule defined, a precedence is assigned to resolve conflicting rules for
applications and categories. A deny rule is exclusive, as no other action can be
combined with a deny. An allow rule is redundant with other actions, since the
default action is allow. An allow rule is useful when packets for a category should
be denied, but a few applications in that same category should be allowed to proceed.
In such cases, add an allow rule for those applications with a higher precedence than
the deny rule for that category.
Mark actions mark packets for a recognized application and category with DSCP/8021p
values used for QoS. Rate-limit actions create a rate-limiter applied to packets
recognized for an application and category. Ingress and egress rates are specified
for the rate-limiter, but it is not required to set both. Mark and rate-limit are the
only two actions that can be combined for an application and category. All other
combinations are invalid.
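The precedence and action-combination rules described above can be checked before a policy is entered. The following is an added example, not WiNG code or CLI syntax: the tuple layout, the function names, the policy name and the sample application and category names other than Facebook and socialnetworking are assumptions made for illustration.

```python
from collections import defaultdict

# Constraints are the ones stated on this page; the data model is an assumption.
VALID_ACTIONS = {"allow", "deny", "mark", "rate-limit"}
COMBINABLE = {"mark", "rate-limit"}  # the only pair allowed on one target

# Constructed sample rules: (precedence, action, kind, target)
RULES = [
    (10, "allow", "app", "facebook"),
    (20, "deny", "category", "socialnetworking"),
    (30, "mark", "category", "streaming"),
    (31, "rate-limit", "category", "streaming"),
]

def validate(name, description, rules):
    """Return a list of problems found in a proposed application policy."""
    errors = []
    if not 1 <= len(name) <= 32:
        errors.append("name must be 1-32 characters")
    if len(description) > 80:
        errors.append("description exceeds 80 characters")
    by_target = defaultdict(set)
    for prec, action, kind, target in rules:
        if not 1 <= prec <= 256:
            errors.append(f"precedence {prec} outside 1-256")
        if action not in VALID_ACTIONS:
            errors.append(f"unknown action {action!r}")
        by_target[(kind, target)].add(action)
    for (kind, target), actions in by_target.items():
        # Deny is exclusive, allow is never combined; only mark + rate-limit may pair.
        if len(actions) > 1 and actions != COMBINABLE:
            errors.append(f"{kind} {target}: invalid combination {sorted(actions)}")
    return errors

def resolve(rules, app, category):
    """Return the actions applied to a flow; the lowest precedence value wins."""
    wanted = {("app", app), ("category", category)}
    matches = [r for r in sorted(rules) if (r[2], r[3]) in wanted]
    if not matches:
        return {"allow"}  # default action is allow
    _, _, kind, target = matches[0]
    return {a for _, a, k, t in matches if (k, t) == (kind, target)}
```

Swapping the two precedence values on the first two rules makes the category deny win, which is the ordering mistake the allow-before-deny guidance is meant to prevent.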
Note
Extreme Networks AP5xx model APs, running WiNG 7.1.2 and later versions of the
WiNG 7 OS, use the Purview™ libDPI engine to implement Application Visibility and
Control (AVC) within a managed network. libDPI detects top-level hosting
applications along with the services these applications host. Refer to the WiNG
7.2.1 CLI Reference guide for information on Purview Application policy and group.
To define an application policy configuration:
- Select .
The screen lists the application policy configurations defined thus far.
- Refer to the following to determine whether a new application policy requires
creation, modification or deletion:
Name | Lists the 32 character maximum name assigned to each listed application policy, designated upon creation.
Description | Displays the 80 character maximum description assigned to each listed application policy, as a means of further distinguishing policies with similar configurations.
- Select Add to create a new application policy, Edit to modify the attributes
of a selected policy or Delete to remove obsolete policies from the list of
those available. Existing policies can be copied or renamed as needed.
- If creating a new application policy, assign it a Name up to 32 characters.
- Provide this application policy an 80 character maximum Description to
highlight its application and category filters and differentiate it from other
policies with similar configurations.
- Define the following Application Policy Logging options to enable and filter
logging for application specific packet flows:
Enable Logging | Enables the log functionality, where each new flow is shown with the corresponding matched application, the action taken and the policy name. When enabled, logging just shows what applications are getting recognized.
Logging Level | Select this option to log application events by severity. Severity levels include Emergency, Alert, Critical, Errors, Warning, Notification, Information and Debug. The default logging level is Notification.
- Refer to the Application Policy Enforcement Time table to configure time
periods for policy activation for each policy.
Select + Add Row to populate the table with an enforcement time configuration
to activate application policies based on the current local time. The option to
configure a time activation period is applicable for a single application
policy. Configure the days and time period when the application policy is
enforced. If no time enforcement configuration is set, the policy is continually
in effect without restriction.
- Refer to the Application Policy Rules table to assess existing policy rules,
their precedence (implementation priority), their actions (allow, deny etc.),
application category and schedule policy enforcement restrictions.
- Select + Add Row to launch a screen to create a new policy rule.
- Assign the following attributes to the new application policy rule:
Precedence | Set the priority (from 1 - 256) for the application policy rule. The lower the value, the higher the priority assigned to this rule's enforcement action and the category and application assigned. A precedence also helps resolve conflicting rules for applications and categories.
Action | Set the action executed on the selected application category and application. The default setting is Allow.
Application | From the App-Category table, select the category for which the application rule applies. Selecting All auto-selects All within the Application table. Select All from the Application table to list all application category statistics, or specify a particular category name to display its statistics only.
- Use the Schedule Policy drop-down menu to select an existing schedule policy
to strategically enforce application filter policy rules for specific intervals.
This provides stricter, time and schedule based, access or restriction to
specific applications and their parent categories. If an existing policy does
not meet requirements, either select the Create icon to configure a new policy
or the Edit icon to modify an existing policy. For more information on
configuring schedule policies, see Schedule Policy.
- Select OK to save the updates to the application policy.
Select Reset to revert to the last saved configuration.