Endpoint Protection

  • 1.  Unmatched IP traffic setting?

    Posted Aug 12, 2009 07:30 AM
    Hi all

    I don't understand this function.

    What is the difference between "Allow IP traffic" and "Allow only application traffic"?

    Can anyone explain it in simple terms? Thank you.


  • 2.  RE: Unmatched IP traffic setting?

    Posted Aug 12, 2009 07:48 AM


    Application Traffic from Help file

    =======

    When the application is the only trigger you define in a rule that allows traffic, the firewall allows the application to perform any network operation. The application is the significant value, not the network operations that the application performs. For example, suppose you allow Internet Explorer and you define no other triggers. Users can access the remote sites that use HTTP, HTTPS, FTP, Gopher, and any other protocol that the Web browser supports. You can define additional triggers to describe the particular network protocols and hosts with which communication is allowed.

    Application-based rules may be difficult to troubleshoot because an application may use multiple protocols. For example, if the firewall processes a rule that allows Internet Explorer before a rule that blocks FTP, the user can still communicate with FTP. The user can enter an FTP-based URL in the browser, such as ftp://ftp.symantec.com.

    You should not use application rules to control traffic at the network level. For example, a rule that blocks or limits the use of Internet Explorer would have no effect should the user use a different Web browser. The traffic that the other Web browser generates would be compared against all other rules except the Internet Explorer rule. Application-based rules are more effective when the rules are configured to block the applications that send and receive traffic.
    =========

     



  • 3.  RE: Unmatched IP traffic setting?

    Posted Aug 12, 2009 07:52 AM

    When you define host triggers, you specify the host on both sides of the described network connection.

    Traditionally, the way to express the relationship between hosts is referred to as being either the source or destination of a network connection.

    You can define the host relationship in either one of the following ways:

    Source and destination
     The source host and destination host are dependent on the direction of traffic. In one case the local client computer might be the source, whereas in another case the remote computer might be the source.

    The source and the destination relationship is more commonly used in network-based firewalls.
     
    Local and remote
     The local host is always the local client computer, and the remote host is always a remote computer that is positioned elsewhere on the network. This expression of the host relationship is independent of the direction of traffic.

    The local and the remote relationship is more commonly used in host-based firewalls, and is a simpler way to look at traffic.
     

    You can define multiple source hosts and multiple destination hosts. The hosts that you define on either side of the connection are evaluated by using an OR statement. The relationship between the selected hosts is evaluated by using an AND statement.

    For example, consider a rule that defines a single local host and multiple remote hosts. As the firewall examines the packets, the local host must match the relevant IP address. However, the opposing sides of the address may be matched to any remote host. For example, you can define a rule to allow HTTP communication between the local host and either symantec.com, yahoo.com, or google.com. The single rule is the same as three rules.

     

     



  • 4.  RE: Unmatched IP traffic setting?

    Posted Aug 12, 2009 07:57 AM

    The "Unmatched IP Traffic Settings" define the action that should be taken for any traffic that does not match the firewall rules applied on the machine. Essentially, this setting affects only inbound traffic, as all outbound connections initiated from the machine are always allowed (unless explicitly denied).

    Allow IP Traffic - This means that if any traffic doesn't match a firewall rule (either allow or deny) and this option is checked, then that particular traffic will be allowed. Sometimes we configure the firewall rules in such a way that we add only rules that allow particular traffic, and we do not add a rule at the bottom to deny traffic which doesn't match the above rules. If "Allow IP Traffic" is not checked, then it will act as the bottom rule (deny all traffic) to drop all packets except for the traffic which is generated by some applications (it prompts the user to allow or block traffic from that particular application). By default this option is checked so that it does not block all traffic other than that specified in the default firewall rules immediately after installation.

     

    Allow Only Application Traffic - This option is given so that it does not block any custom application which runs in the network (if "Allow IP Traffic" is not checked), such as VNC, Log Me On, an accounting application which requires access from the workstations to a database server, etc.
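
Added example, not part of the original thread and not Symantec's code: a simplified Python model of the evaluation the replies above describe (ordered first-match rules, OR within one host side and AND between sides, then the unmatched-traffic setting). The class names, the mode strings `allow_ip` and `app_only`, and the sample rules and packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    app: Optional[str]   # owning application, None if no application is attached
    proto: str
    local: str
    remote: str

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    app: Optional[str] = None            # application trigger (None = any)
    protos: frozenset = frozenset()      # empty set = any protocol
    local_hosts: frozenset = frozenset()
    remote_hosts: frozenset = frozenset()

    def matches(self, p: Packet) -> bool:
        def side(allowed, value):        # OR within one side; empty = any
            return not allowed or value in allowed
        return ((self.app is None or self.app == p.app)
                and side(self.protos, p.proto)
                and side(self.local_hosts, p.local)     # AND between sides
                and side(self.remote_hosts, p.remote))

def evaluate(rules, packet, unmatched="allow_ip"):
    """Return 'allow', 'block' or 'ask' (prompt the user) for one packet."""
    for rule in rules:                   # first matching rule decides
        if rule.matches(packet):
            return rule.action
    if unmatched == "allow_ip":          # "Allow IP traffic" checked
        return "allow"
    # "Allow only application traffic": implicit deny-all at the bottom,
    # except application traffic, for which the user is prompted.
    return "ask" if packet.app else "block"

# Constructed rule set mirroring the examples quoted in the thread.
RULES = [
    Rule("allow", app="iexplore.exe"),                  # application-only trigger
    Rule("block", protos=frozenset({"ftp"})),
    Rule("allow", protos=frozenset({"http"}),
         local_hosts=frozenset({"10.0.0.5"}),
         remote_hosts=frozenset({"symantec.com", "yahoo.com", "google.com"})),
]
```

Because the application-only rule sits above the FTP block, FTP from that browser is allowed while FTP from any other program is blocked; traffic matching no rule falls through to the `unmatched` mode.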



  • 5.  RE: Unmatched IP traffic setting?

    Posted Aug 12, 2009 01:02 PM
    You will need to make sure that Network Application Monitoring is enabled, so that the clients can send info about the applications detected on their machines. It gives you a way to automate things, rather than defining the application parameters manually.

    Cheers,
    Aniket