Step 3: Create the Application Block Rules

Although the overall goal of your security policy is to safely enable applications using application allow list rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn’t know were running on your network, they allow traffic that could also pose security risks on your network. Therefore, before you can create the temporary rules, you must create rules that explicitly block applications designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file-sharing applications.
Each of the tuning rules you will define in Step 4: Create the Temporary Tuning Rules are designed to identify a specific gap in your initial policy. Therefore some of these rules will need to go above the application block rules and some will need to go after.
  1. Block Quick UDP Internet Connections (QUIC) protocol.
    Why do I need this rule?
    Rule Highlights
    • Chrome and some other browsers establish sessions using QUIC instead of TLS, but QUIC uses proprietary encryption that the firewall can’t decrypt, so potentially dangerous encrypted traffic may enter the network.
    • Blocking QUIC forces the browser to fall back to TLS and enables the firewall to decrypt the traffic.
    • It requires two Security policy rules to ensure that QUIC is blocked.
    • Before you create the policy rules, you must first create a Service (
      ) that specifies UDP ports 80 and 443.
    • The first rule blocks QUIC on its UDP service ports (80 and 443) and uses the Service you created to specify those ports.
    • The second rule blocks the QUIC application.
    Notice that the Service specifies the UDP ports to block for QUIC in the first rule:
  2. Block applications that do not have a legitimate use case.
    Why do I need this rule?
    Rule Highlights
    • Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT sanctioned.
    • Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.
    • Use the
      Action to silently drop the traffic without sending a signal to the client or the server.
    • Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
    • Because this rule is intended to catch malicious traffic, it matches to traffic from any user running on any port.
  3. Block public DNS and SMTP applications.
    Allow traffic only to sanctioned DNS servers. Use the DNS Security service to prevent connections to malicious DNS servers.
    Why do I need this rule?
    Rule Highlights
    • Block public DNS/SMTP applications to avoid DNS tunneling, command and control traffic, and remote administration.
    • Use the
      Reset both client and server
      Action to send a TCP reset message to both the client-side and server-side devices.
    • Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.

Recommended For You