5.2 Application Control
Key Takeaways
- Application Control identifies applications by signature and behavioral analysis, not by port or protocol, enabling control of evasive applications.
- Applications are grouped into categories and risk levels in the Application Control database, which is updated through ThreatCloud.
- Application Control widgets in SmartConsole show application usage statistics by users, hosts, and time.
- Application Control is enforced by the TP rule base through a profile that defines per-application actions such as Accept, Drop, and Ask.
Why Application Control Exists
Traditional firewalls decide traffic by the 5-tuple: source IP, destination IP, source port, destination port, and protocol. Modern applications defeat that model. A user running BitTorrent can hop ports. A streaming media service can run on port 443. A cloud storage app can masquerade as HTTPS web browsing. The port tells you nothing about the application.
Application Control solves this by identifying the application itself, not the port. The blade uses a signature-based application database maintained by Check Point ThreatCloud, augmented by behavioral analysis. The gateway looks at the content of the connection, matches it against known application signatures, and classifies the traffic as a specific application (e.g., Facebook, YouTube, BitTorrent, SSH, RDP, Microsoft 365).
Once an application is identified, the gateway can apply policy: allow it, block it, shape it, or ask the user to confirm. The decision is made on what the application is, not what port it uses.
How Identification Works
Application Control uses multiple detection mechanisms:
- Signature matching — the primary method. Each application has a set of signatures that describe its protocol behavior, headers, and handshake. Signatures are distributed via ThreatCloud updates.
- Heuristics and behavioral analysis — catches applications that try to evade signatures by tunneling, encrypting, or randomizing traffic.
- Categorization — each application is tagged with a category (e.g., Social Networks, File Sharing, Gaming, Productivity) and a risk level (Low, Medium, High, Critical).
The application database covers thousands of applications and is updated regularly. CCSA does not require you to memorize a count; it requires you to know that updates come from ThreatCloud and that the database is signature-based.
Categories and Risk Levels
Applications in the database are organized into two parallel taxonomies:
- Categories — functional groupings such as Social Networks, Instant Messaging, File Sharing, Cloud Services, Streaming Media, Games, and Proxy/Anonymizer. Categories let you write rules like "block all file sharing" without naming every application.
- Risk levels — a four-tier rating (Low, Medium, High, Critical) that reflects how dangerous the application is to an enterprise. A critical-risk application typically has data exfiltration, malware-distribution, or compliance implications.
A typical Application Control policy blocks High and Critical risk applications, allows Low risk applications, and either allows or rate-limits Medium risk applications based on business need. CCSA scenarios frequently frame this as: a guest network blocks social networks; an internal network allows productivity apps but blocks anonymizers.
Widgets and Visibility
SmartConsole provides several Application Control widgets that surface usage data:
- Top applications by bandwidth — which applications consume the most throughput.
- Top applications by sessions — which applications are most frequently used.
- Top users — which users or hosts are running which applications.
- Application categories over time — trend charts showing growth or decline.
These widgets appear on the SmartConsole dashboard and in SmartEvent reports. They are read-only views driven by the logs the gateway generates. For the CCSA, you should recognize that Application Control provides visibility widgets and know where they appear (SmartConsole dashboard and SmartEvent), but you are not expected to configure a custom dashboard layout.
How Application Control Is Enforced
Application Control is one of the blades bundled into a TP profile. Inside a profile, the Application Control section lets you:
- Set a default action for each category or application (Accept, Drop, Reject, Ask, Inform).
- Override the default for specific applications.
- Apply rate limits per application.
- Enable or disable identification of certain applications entirely.
When a TP rule attaches that profile to a connection, the gateway runs Application Control on the connection and applies the configured actions. The action takes effect even if Access Control would have accepted the connection — TP overrides the access decision for content it considers policy-violating.
The Ask Action
One distinctive Application Control action is Ask. Ask presents an interactive prompt to the user (typically through a captive-portal-style browser redirect) asking them to confirm or acknowledge use of the application. The user can choose to proceed, and the gateway records the choice. Ask is commonly used for low-risk but non-business applications where the policy is "allowed, but documented" rather than "blocked."
For Ask to work, the user's identity must be known (Identity Awareness is typically required) and the user's browser must be able to display the prompt. CCSA scenarios usually treat Ask as a feature to recognize, not a feature to configure step by step.
Common CCSA Scenarios
CCSA questions on Application Control most often test:
- Recognition that identification is signature-based and port-independent.
- The difference between categories and risk levels.
- Which widget shows top applications (and where it appears).
- The set of actions available for an application (Accept, Drop, Reject, Ask, Inform).
- The fact that Application Control runs only on connections already accepted by Access Control.
A typical scenario: a company wants to allow YouTube for training videos but block BitTorrent. The correct design is an Access Control rule that accepts the relevant user traffic, with a TP profile that allows the YouTube category but drops the BitTorrent application (or the File Sharing category).
What Application Control Does Not Do
Application Control does not inspect file content for malware — that is Anti-Virus and Threat Emulation. It does not categorize web destinations by URL — that is URL Filtering. It does not detect C&C communication — that is Anti-Bot. Each TP blade has a specific job, and CCSA rewards knowing the boundaries between them.
How does Application Control identify applications on the network?
Where do the Application Control usage widgets appear in SmartConsole?
Which Application Control action prompts the end user to confirm use of an application and records their choice?