Skip to main content

Layer 7 Application Firewall Rule

Last updated: October 24, 2024

s
Written by shuochun su
Updated over 4 months ago

Using EnGenius' advanced Layer 7 traffic analysis technology, you can create firewall rules to block specific applications without specifying IP addresses or port ranges. This feature is particularly useful when applications frequently change their IP addresses or use multiple IPs.

Traditional firewalls often struggle with applications that frequently change IP addresses or use multiple IPs, making it hard to maintain effective firewall rules. EnGenius' Layer 7 firewall solves this by:

  • Blocking Specific Applications and Categories: Identify and block traffic based on application signatures

  • Adapting to Changes: Automatically adjust to changes in application behavior and infrastructure

  • Simplifying Management: Focus on applications and categories instead of constantly changing network parameters

Benefits

  • Enhanced Security: Block unwanted applications to protect your network

  • Simplified Rule Management: No need to update rules for changing IP addresses or port ranges

  • Policy Enforcement: Ensure compliance by restricting access to non-compliant applications

  • Advanced Source IP Filtering: Block applications based on source IP, allowing you to apply rules to specific departments or LAN segments. For example, you can block video and music for the staff LAN while allowing them for others.

Configuration Steps

  1. Go to Configure > Gateway > Firewall > Outbound Rules > Layer 7 to add rule

  2. Input the Source IP if you need to block a specific source IP address

  3. Select an Applications to be blocked, using the second drop-down to be more specific if necessary.

When configuration is complete, please check Apply

Note:

  • Layer 3 rules (Refer to L3 Firewall for details) are processed before Layer 7 rules, with priority given to the first match found.

  • Firewall rules of any type apply solely to traffic that passes through the firewall device. This means that rules do not affect traffic originating from the firewall (such as LDAP binds) or terminating at the firewall (such as client VPN connections). Furthermore, ESG VLAN interfaces and the ESG WAN IP addresses are not taken into account in Allow or Deny rules.

Blocking specific applications not listed under Layer 7 firewall rules

To block specific applications not listed under Layer 7 firewall rules, ESG gateway can be used to prevent clients from accessing these applications. While the dashboard provides a list of popular applications in predefined categories, network administrators may occasionally need to block a particular application that isn't listed.

Take the example of League of Legends, which is not currently included in the "Online Gaming" category but can still be blocked by following these steps:

  1. Identify the public IP addresses and URLs used by the application's servers.

    League of Legends uses the following subnets and URLs:

    • IP Addresses

      192.64.168.0/24

      192.64.169.0/24

      192.64.170.0/24

      216.133.234.0/24

      31.186.224.0/24

      31.186.226.0/24

      64.7.194.0/24

      66.150.148.0/24

      95.172.70.0/24

      95.172.65.0/24

    • URLs

      pvp.net

      leagueoflegends.com

  2. Create a Layer 3 rule to block outbound connections to these IP addresses and URLs

By implementing these steps, administrators can block access to unlisted applications efficiently.

Processing flow diagram between L3 firewall and L7 firewall

When the device is received traffic, it will check L3 firewall rule first, and then to check L7 firewall rule

Reference example L3 and L7 firewall rule

L3 Firewall rule configuration

L7 Firewall rule configuration

Allowed traffic by default

Outbound traffic is allowed through the firewall by default, unless it is explicitly blocked by an L3 or L7 rule. In this example, FTP traffic on TCP port 21 will pass through the firewall because no L3 or L7 rules are configured to block it

  • L3 Rules

    • Rule1: No match

    • Rule2: No match

    • Rule3: No match

  • L7 Rules

    • No match

Blocked traffic by L3 rule

In this example, FTP traffic on TCP port 21 will be blocked by the L3 firewall due to rule 3, which explicitly blocks it. Layer 7 rules will be ignored, as the traffic is already blocked by the L3 rules.

  • L3 Rules

    • Rule1: No match

    • Rule2: No match

    • Rule3: Match, traffic blocked

  • L7 Rules

    • Not processed

Blocked traffic by L7 rule

In this example, HTTP traffic on TCP port 80 is allowed by L3 firewall rule 1 and then passed to L7 rule checking. The L7 rule blocks Facebook application traffic, so this traffic will be blocked.

  • L3 Rules

    • Rule1: Match, HTTP (TCP port 80) traffic allowed

    • Rule2: Not processed

    • Rule3: Not processed

  • L7 Rules

    • Match, Facebook application traffic blocked

List of Layer 7 Categories

Each category also has an "all" rule (e.g. All Advertising) that will apply every individual rule under it when configured.

Important Notice: If an application does not fall under the categories, rules, or classification names listed in the table below, it will not be supported.

Categories

Rule/Classification Name

Advertising

  • Adcash

  • AppNexus

  • DoubleVerify

  • Integral Ad Science

  • OpenX

  • Pubmatic

Business management

  • Concur

  • NetSuite

  • Salesforce

  • SugarCRM

  • Workday

  • Zoho

  • DMM.com

  • Asana

  • ServiceNow

  • Shopify

  • Grammarly

  • Rackspace

Email

  • Aweber

  • GMX Mail

  • Yahoo Mail

  • Netease Mail

Online Gaming

  • Battle.net

  • GameSpot

  • GREE Games

  • IGN

  • Steam

  • Xbox

  • EA Games

  • Minecraft

  • DoubleDown Casino

  • Kongregate

  • Slotomania

  • GameStop

  • Nintendo

  • Rockstar Games

  • PlayerUnknown Battlegrounds (PUBG)

  • Playstation

Health care

Cerner Corporation

Vocie Calls

  • Slack

  • KakaoTalk

  • LINE

  • QQ

  • Skype

  • Viber

  • WeChat

  • TextMe

  • Azar

  • Voxer Walkie

  • Zalo

  • TextNow

  • Discord

  • SnapchatCal

News

  • BBC

  • Business Insider

  • BuzzFeed

  • CBS

  • CNBC

  • CNET

  • CNN

  • Daily Mail

  • Drudge Report

  • E! Online

  • Feedly

  • Fox News

  • Gizmodo

  • MSN

  • NBC News

  • NYTimes

  • NY Daily News

  • Patch

  • Reuters

  • SFGate

  • Sky News

  • TechCrunch

  • The Atlantic

  • The Blaze

  • The Daily Beast

  • The Hollywood Reporter

  • The Huffington Post

  • The Telegraph

  • The Washington Post

  • TMZ

  • UOL

  • USA Today

  • AOL

  • Bild

  • Bloomberg

  • Detik

  • The Guardian

  • Flipboard

  • Eventbrite

  • Entertainment Weeklys

  • TIME.com

  • Lifehacker

  • Diply.com

Online sharing and backup

  • Carbonite

  • Crashplan

  • Apple iCloud

  • ADrive

  • Box.com

  • Scribd

  • Zip Cloud

  • Notion

  • Trello

  • Imgur

Productivity

  • Bitbucket

  • Coursera

  • Udemy

  • GitHub

  • Mikogo

  • Office 365

  • Pearson

  • Pocket

  • Prezi

  • Google Play Books

  • Hotspot Shield VPN

  • Mozilla

  • Microsoft

  • Weebly

  • Dell.com

  • Intuit

Portals and Search Engines

  • Baidu.com

  • Bing

  • Daum

  • Rediff.com

  • Mail.Ru

  • Naver

  • Sohu.com

  • Yandex

  • Yahoo.com

  • Sanook.com

  • Web.de

  • Ask.com

  • GIPHY

  • DuckDuckGo

Reference and Research

  • Wikipedia

  • Ancestry

  • WikiHow

  • Reddit

  • Dictionary.com

Remote monitoring & management

  • Gotomypc

  • ShowMyPC

  • LogMeIn

  • AnyDesk

Security

  • Avast AntiVirus Update

  • McAfee Security Scan Plus

Social web & photo sharing

  • GoDaddy

  • HootSuite

  • ICQ

  • Mixi

  • Forbes

  • MySpace

  • Photobucket

  • Shutterstock

  • SmugMug

  • Tagged

  • theCHIVE

  • Yelp

  • IMDB

  • Fandom (Wikia)

  • Kotaku.com

  • Ticketmaster

  • Pixiv

Social Networking

  • Facebook

  • FC2

  • Flickr

  • Goodreads

  • Instagram

  • LinkedIn

  • Pinterest

  • Quora

  • Renren

  • Tumblr

  • X (Twitter)

  • VKontakte

  • Wordpress

  • XING

  • ASKfm

  • Zhihu

  • Ameba

  • Answers

  • TikTok

Software & anti-virus updates

  • Oracle Java update

  • Windows Update

Shopping and Auction

  • eBay

  • Rakuten

  • Tokopedia Online Shopping Mall

  • ASOS

  • Leboncoin

  • OLX

  • Walmart

  • Etsy

  • Target

  • Newegg

  • AutoTrader

  • Groupon

  • Zulily

  • AliExpress Shopping App

  • Allegro

  • Walgreens

  • Craigslist

  • Barnes and Noble

  • Office Depot

  • Zappos

  • IKEA.com

  • Woot

  • Snapdeal

  • Amazon Shopping

  • Sahibinden.com

Sports

  • CBS Sports

  • ESPN

  • GOLF.com

  • NBA

  • UEFA

  • NFL

Travel & Transportation

  • United Parcel Service (UPS)

  • Federal Express (FedEx)

  • United States Postal Service (USPS)

  • Apple Maps

  • TripAdvisor

  • Waze

  • Airbnb

  • Uber

  • Booking.com

  • Lyft

  • United Airlines

  • American Airlines

  • Hotels.com

  • Southwest Airlines

Streaming

  • Apple Music

  • BrightTalk

  • Dailymotion

  • Starbucks

  • Tabelog

  • LastFM

  • MTV

  • Napster Radio (Rhapsody)

  • Netflix

  • Pandora

  • PPTV

  • Soribada

  • SoundCloud

  • Spotify

  • TED

  • Twitch

  • Vimeo

  • Xfinity

  • Xunlei Kankan

  • YouTube

  • Zattoo

  • QQ Music

  • Spinrilla

  • AZLyrics

  • Tencent

  • Disney+

  • Vevo

  • Tidal

  • Deezer

  • AppleTVPlus

  • Showtime

  • AppleiTunes

Video Conference

  • GoTo

  • RingCentral

  • Crunchyroll

  • Funshion

  • Ifeng Video

  • SHOUTCast

  • Vocera

  • WebEx

  • Zoom

  • iHeartRadio

  • Plex

  • Roku

  • Douban

  • Teams

Finance and Insurance

  • PayPal

  • Stripe

  • Fidelity Investments

  • ETRADE

Important Notice: If an application does not fall under the categories, rules, or classification names listed in the table above, it will not be supported.

Related Articles
Dual-WAN fail-over or Load Balance
L3 Firewall
NAT & Port Forwarding
Layer 7 Application Policy-base Route (PBR)
L2 Isolation
Did this answer your question?