For instructions on configuring Application Denial Policies, see Creating an Application Denial Policy.
This option allows the administrator to deny application access by blocking any HTTP host name
(FQDN - Fully Qualified Domain Name) or L4 port. Using application denial policies,
administrators can block specific applications if they are seen to be consuming excessive network
resources, or enforce network usage policies such as blocking social media sites.
The following usage guidelines need to be taken into consideration when defining Application
- "www.corporate.com" – This will block access to the host web server at the organization
"corporate.com" i.e., the FQDN. It will not block access to any other hosts such as ftp, ntp,
smtp, etc. at the organization "corporate.com".
- "corporate.com" – This will block access to all hosts at the domain "corporate.com," i.e.,
it will block access to www.corporate.com, ftp.corporate.com, smtp.corporate.com, etc.
- "corporate" – This will block access to any FQDN containing the text "corporate" in any part
of the FQDN. Care should be taken to use as long a matching string as possible, to prevent
inadvertently blocking sites that happen to contain a shorter matching string. For example, if the
rule is "net", it will block access to any site that has the text "net" in any part of the FQDN
or ".net" as the FQDN suffix.
- "*.corporate.com" – This is an invalid rule. The wildcard "*" and other regular-expression
characters cannot be used in any part of the FQDN.
- "www.corporate.com/games" – This is an invalid rule. The filter cannot parse or block
access based on text after the FQDN, i.e., in this example it cannot filter the microsite
Note: Many global organizations have both a ".com" suffix and a country-specific suffix such
as ".co.uk", ".fr", ".au", etc. To block access to, for example, the host web server in all
regional web sites of an organization, a rule like "www.corporate" could be
Note: Many global organizations use distributed content delivery networks such as
Akamai. In such cases, creating a rule such as "www.corporate.com" may not prevent access to the
entire site. Further investigation of the content network's behavior may be needed to
fully prevent access.
Note: When using port-based rules, there is no distinction between the TCP and UDP
protocols. Care should be taken when blocking a specific application port, as the rule applies
to both IP protocols and may inadvertently block another application using the same port number
over the other protocol.
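The following is an added example, not part of the product documentation, that models the matching rules above so an administrator can preview what a candidate rule would block before deploying it. It assumes the plain substring semantics the guidelines describe (a rule matches any FQDN containing its text), rejects the invalid wildcard and path forms, and treats a port rule as protocol-agnostic as in the last note. The host names and flows are constructed sample data standing in for what would be seen in traffic logs.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Host-name characters: letters, digits, hyphen and dot. Anything else
# ("*", "?", "[", "(" ...) is treated as a wildcard/regex character.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def validate_fqdn_rule(rule: str) -> Optional[str]:
    """Return None if the rule is usable, otherwise the reason it is invalid.

    Encodes the guidelines: no wildcard or regular-expression characters
    anywhere in the rule, and nothing after the host name (no path component).
    """
    if not rule:
        return "empty rule"
    if "/" in rule:
        return "text after the FQDN (a path such as /games) is not filtered"
    if _HOSTNAME_RE.fullmatch(rule) is None:
        return "wildcards and other regular-expression characters are not allowed"
    return None


def fqdn_rule_matches(rule: str, fqdn: str) -> bool:
    """Case-insensitive substring match, the behaviour the guidelines describe:
    "corporate" matches any host name containing that text anywhere."""
    return rule.lower() in fqdn.lower()


def preview_fqdn_rule(rule: str, observed_hosts: Iterable[str]) -> List[str]:
    """Return the observed host names the rule would block (sorted, de-duplicated).

    Raises ValueError for a rule the filter cannot use, so an over-broad or
    invalid rule is caught at review time rather than after deployment.
    """
    reason = validate_fqdn_rule(rule)
    if reason is not None:
        raise ValueError(f"invalid rule {rule!r}: {reason}")
    return sorted(h for h in set(observed_hosts) if fqdn_rule_matches(rule, h))


def preview_port_rule(port: int,
                      observed_flows: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the (protocol, port) flows a port rule would block.

    The rule is protocol-agnostic, so TCP and UDP flows on the same port
    number are both listed; this is the side effect the final note warns about.
    """
    return sorted((proto, p) for proto, p in set(observed_flows) if p == port)


# Constructed sample data (hypothetical host names and flows, not from any real log).
SAMPLE_HOSTS = [
    "www.corporate.com", "ftp.corporate.com", "smtp.corporate.com",
    "www.corporate.co.uk", "www.networking-vendor.example",
    "cdn.example.net", "intranet.example.org", "www.example.com",
]
SAMPLE_FLOWS = [
    ("tcp", 443), ("udp", 443), ("tcp", 53), ("udp", 53),
    ("tcp", 5060), ("udp", 5060), ("tcp", 22),
]

if __name__ == "__main__":
    for rule in ["www.corporate.com", "corporate.com", "www.corporate", "net",
                 "*.corporate.com", "www.corporate.com/games"]:
        try:
            print(f"{rule!r:28} blocks {preview_fqdn_rule(rule, SAMPLE_HOSTS)}")
        except ValueError as exc:
            print(exc)
    # A port rule for 5060 (SIP signalling in the sample) blocks both the TCP
    # and the UDP flows on that port.
    print("port 5060 blocks", preview_port_rule(5060, SAMPLE_FLOWS))
```

Running the script shows the progression the guidelines describe: "www.corporate.com" blocks only that host, "corporate.com" blocks every host in that domain, "www.corporate" also catches the regional "www.corporate.co.uk", and the short rule "net" blocks unrelated hosts whose names merely contain that text. Feeding it host names and ports taken from real traffic logs is a cheap way to spot over-blocking before a rule goes live.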