Application Control

Application Control allows controlling network traffic at the application level using Deep Packet Inspection (DPI). The DPI technology analyzes packets and matches application signatures against the regularly updated Kaspersky database of applications. Application Control lets you deny or allow traffic belonging to specific applications.

To filter traffic by application, you need to add the relevant applications as qualifiers in the security rules. The following parameters are used to add an application: application protocol, application service, and client application. Kaspersky NGFW uses DPI to identify applications and applies the action specified in the security rule to traffic.

For more information about configuring filtering by application, see the instructions on how to create or edit a security rule.

Application identification is always running, regardless of whether filtering by application is enabled.

Kaspersky NGFW identifies application protocols, including VPN protocols, application services, and individual applications, even if they communicate through ports other than the ports registered with the IANA (for details, see Service Name and Transport Protocol Port Number Registry).

DPI detects applications in encrypted traffic. Some applications are identified regardless of whether traffic decryption is enabled. Applications that can only be detected when traffic decryption is enabled are displayed with the Decrypt status. If traffic decryption is disabled, application services in encrypted traffic are identified by the domain name in the SNI field. To identify application protocols and client applications in encrypted traffic, you must enable traffic decryption.

Kaspersky NGFW may not be able to identify some applications. The complete list of applications that can be identified is displayed in the drop-down list when you select the Applications qualifier. For unidentified applications, you can specify Unknown for the Application protocols, Client applications, or Application services parameters. In this case, the solution performs the action that is specified in the security rule.

To identify applications, DPI technology needs to analyze several initial packets, which may lead to part of the traffic being allowed until the identification process can be completed. All allowed traffic is processed by security engines using the security profile group selected for unclassified sessions.
