Avanet

Setting Up and Testing Sophos Firewall Application Control

Application Control on Sophos Firewall identifies applications by recognizing them rather than by relying on ports alone. This allows you to specifically allow, block, or log remote control tools, tunneling applications, streaming, cloud storage, messengers, or risky browser circumventions.

The practical benefit only arises when Application Control is active in the correct firewall rule, the application is truly recognized, and logs are evaluated. A saved Application Filter Policy alone does not block anything.

Quick Answer

Application Control is used in two steps:

  1. Under Protect > Applications > Application filter, plan or create an Application Filter Policy.
  2. In the appropriate firewall rule, select Identify and control applications (App control) under Other security features.

Afterwards, you must check with a real test client whether the traffic runs through this rule and whether the application is correctly recognized in the Log Viewer. For encrypted traffic, TLS Inspection can be crucial, as the firewall may see fewer details depending on the application.

When Application Control is Useful

Application Control is particularly useful when ports alone do not provide enough information. Many applications use HTTPS, changing targets, or cloud infrastructure. A pure port rule then only sees port 443, not whether the traffic behind it is an allowed business service, a remote control tool, or an unwanted cloud storage service.

Typical use cases:

  • Blocking TeamViewer, AnyDesk, Tor, or proxy tools
  • Restricting streaming or social media in certain networks
  • Controlling cloud storage
  • Limiting messengers or games in guest or school networks
  • Activating application recognition for reporting and analysis
  • Preparing traffic shaping for recognized applications

If it is not about recognition or blocking, but about prioritization or bandwidth limitation, additionally configure Application Traffic Shaping on Sophos Firewall.

Prerequisites

Before configuration, these points should be checked:

  • appropriate license with Web Protection or Application Control
  • affected firewall rule is known
  • Log firewall traffic is active for the test rule
  • desired application or category is clearly defined
  • test client and test target are defined
  • for HTTPS applications, it is clear whether TLS Inspection should be used

Check the license status under System > Administration > Licensing. In typical Sophos Firewall bundles with Web Protection, Application Control is included. However, the specific license logic should still be checked before productive introduction, especially with expired subscriptions or trial licenses.

Planning Application Filters

A good Application Filter is not just a long blocklist. First, it should be clear what is to be achieved.

Goal | Typical Approach
--- | ---
Block risky remote control tools | Block specific applications or category
Restrict guest Wi-Fi | Block unwanted categories, leave allowed basic services open
Only log application | Initially use Allow with logging and reports
Avoid false positives | Narrower application selection instead of broad category
Prioritize business-critical application | Combine Application Control with Traffic Shaping

For productive networks, an observation mode is often useful: First activate Application Control, check logs and reports, then block specifically. This way, you can see which applications actually occur and whether a block would disrupt legitimate processes.

Planning Rollout in Phases

Application Control should not be activated in one big step for all networks. A better approach is a small rollout with a clear test group, visible logging, and a defined decision on when observation becomes blocking.

A practical procedure:

Phase | Goal | Typical Setting
--- | --- | ---
Inventory | Find out which applications actually occur | Application Filter with logging, without broad blocking yet
Pilot | Check selected users or a test network | Block individual risky applications, closely monitor Rule ID and logs
Production | Apply confirmed policy to target network | Activate filter in productive rule, document exceptions
Operation | Monitor effects and side effects | Regularly check reports, Log Viewer, Central Reporting, or Syslog

Before going live, it should be clear which applications must remain allowed. These often include update services, remote support, collaboration tools, cloud storage, telephony, or industry-specific applications. If these dependencies only become visible after the block, Application Control quickly appears as a disruptive factor rather than a protective function.

For acceptance, a short decision list is worthwhile: Which application is blocked, which user group is affected, which exception is allowed, who is the technical owner, and when will the policy be reviewed? This documentation is more important than a perfect first filter.

Creating Application Filters

Menu path:

Protect > Applications > Application filter

Procedure:

  1. Open Add.
  2. Assign a descriptive name, for example, Block_Remote_Control_Tools.
  3. Add a rule within the filter.
  4. Select application, category, risk, or smart filter.
  5. Set action, for example, Deny, Allow, or appropriate control depending on the version.
  6. Save the filter.

Be cautious with categories. A broad category can affect more applications than expected. For initial tests, individual applications or clearly defined groups are often better than a large collective block.

Activating in Firewall Rule

Application Control only takes effect when the filter is selected in a firewall rule.

Menu path:

Protect > Rules and policies > Firewall rules

Procedure:

  1. Open the firewall rule through which the affected traffic actually runs.
  2. Open the Other security features section.
  3. Select the Application Filter under Identify and control applications (App control).
  4. Activate Log firewall traffic, at least for testing and acceptance.
  5. Save the rule.
  6. Test with a defined client.

The order of rules is crucial. If the traffic is already processed by a more general rule above, it does not reach the rule with Application Control. Then the configuration in WebAdmin looks correct but has no effect.

The basics of Source, Destination, Services, Security Features, and rule order are covered in Understanding and Securely Configuring Sophos Firewall Rules.

TLS Inspection and Recognition

Application Control can recognize certain applications even without full TLS Inspection. However, for many modern HTTPS and cloud services, the firewall sees only limited information without decryption, such as IP address, SNI, certificate data, hostname, or connection metadata.

This is not always sufficient for reliable recognition. If an application is not recognized as expected over HTTPS, you should check:

  • Is the traffic running through the correct firewall rule?
  • Is Application Control active in this rule?
  • Is the application generally recognized by Sophos?
  • Is TLS Inspection necessary and justifiable for this traffic?
  • Is there QUIC or HTTP/3 that complicates control?
  • Do Web Policy, IPS, or DNS Protection also apply?

TLS Inspection should be introduced gradually and with exceptions. The appropriate procedure is detailed in Properly Introducing Sophos Firewall TLS Inspection. For QUIC and HTTP/3, see Properly Blocking QUIC and HTTP/3 on Sophos Firewall.

Testing Effectiveness

After activation, do not just wait for user feedback. A clean test saves a lot of time.

Practical procedure:

  1. Define test client and source IP.
  2. Intentionally start the application or call the target.
  3. Filter in the Log viewer by source IP, destination, service, and application.
  4. Check which Firewall Rule ID was hit.
  5. Check if Application Control recognizes the application.
  6. In case of a block, check if the block is technically desired.
  7. For unclear recognition, supplement with Packet Capture and Service Logs.
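Steps 3 to 6 are normally done by hand in the Log Viewer. The following script is an added example (not part of the original article and not Sophos code) that replays the same check over exported log lines: it filters by the test client's source IP, lists which Firewall Rule IDs were hit, flags connections that matched another rule before the Application Control rule, flags connections that reached the rule but carry an empty application field, and reports whether the application under test was recognized and blocked. The sample lines are constructed and shortened; the field names (fw_rule_id, status, application, src_ip, and so on) are assumed to follow the key=value style of Sophos Firewall log entries, and the rule number and IP addresses are invented for the scenario.

```python
import re
from collections import Counter

# Constructed sample log lines (not copied from a device). They mimic the key=value
# style of Sophos Firewall log entries; field names such as fw_rule_id, status,
# application and src_ip are assumed to match what the Log Viewer / syslog shows.
# Scenario: test client 192.168.10.25, the Application Filter sits in firewall rule 7.
SAMPLE_LOG = """\
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=2 appfilter_policy_id=0 application="" application_category="" src_ip=192.168.10.25 dst_ip=203.0.113.10 protocol="TCP" dst_port=443
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=7 appfilter_policy_id=3 application="TeamViewer" application_category="Remote Access" src_ip=192.168.10.25 dst_ip=203.0.113.20 protocol="TCP" dst_port=443
log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=7 appfilter_policy_id=3 application="AnyDesk" application_category="Remote Access" src_ip=192.168.10.25 dst_ip=203.0.113.30 protocol="TCP" dst_port=443
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=7 appfilter_policy_id=3 application="" application_category="" src_ip=192.168.10.25 dst_ip=203.0.113.40 protocol="UDP" dst_port=443
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=7 appfilter_policy_id=3 application="Microsoft Teams" application_category="Conferencing" src_ip=192.168.10.99 dst_ip=203.0.113.50 protocol="TCP" dst_port=443
"""

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Turn one log line into a dict of field -> value."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in KV_RE.finditer(line)}


def analyze(log_text, src_ip, expected_rule_id, expected_app):
    """Replay steps 3-6 of the test procedure over exported log lines:
    filter by source IP, see which rule IDs were hit, check whether the
    application was recognized on the expected rule, and whether it was blocked."""
    rule = str(expected_rule_id)
    entries = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    mine = [e for e in entries if e.get("src_ip") == src_ip]

    on_rule = [e for e in mine if e.get("fw_rule_id") == rule]
    shadowed = [e for e in mine if e.get("fw_rule_id") != rule]
    # Empty application field on the app-control rule: the traffic reached the rule,
    # but the engine could not classify it (HTTPS without TLS Inspection, QUIC, ...).
    unrecognized = [(e.get("dst_ip"), e.get("protocol"), e.get("dst_port"))
                    for e in on_rule if not e.get("application")]
    recognized = sorted({e["application"] for e in on_rule if e.get("application")})
    blocked = sorted({e["application"] for e in on_rule
                      if e.get("application") and e.get("status") == "Deny"})

    findings = []
    if shadowed:
        others = sorted({e.get("fw_rule_id", "?") for e in shadowed})
        findings.append(f"{len(shadowed)} connection(s) matched rule(s) "
                        f"{', '.join(others)} before rule {rule}: check rule order")
    if unrecognized:
        findings.append(f"{len(unrecognized)} connection(s) on rule {rule} without "
                        f"application: check TLS Inspection, QUIC/HTTP3 (UDP 443), signatures")
    if expected_app in blocked:
        findings.append(f"{expected_app} recognized and blocked by rule {rule}")
    elif expected_app in recognized:
        findings.append(f"{expected_app} recognized on rule {rule} but allowed: check filter action")
    else:
        findings.append(f"{expected_app} never recognized for {src_ip}")

    return {
        "rules_hit": dict(Counter(e.get("fw_rule_id", "?") for e in mine)),
        "shadowed": len(shadowed),
        "unrecognized": unrecognized,
        "recognized": recognized,
        "blocked": blocked,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "192.168.10.25", 7, "TeamViewer")
    print("rules hit:", result["rules_hit"])
    for finding in result["findings"]:
        print("-", finding)
```

Run against the constructed sample, the script reports one connection that matched rule 2 before rule 7 (rule order problem), one UDP 443 connection on rule 7 with no application (typical QUIC or undecrypted HTTPS), AnyDesk recognized and denied, and TeamViewer recognized but still allowed, which points at the filter action rather than at recognition. Replace SAMPLE_LOG with lines exported from the Log Viewer or syslog and adjust the rule number and client IP to your own test.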

On the technical side, Application Control entries often end up in ips.log. Which service writes to which log is covered in Sophos Firewall Troubleshooting: Services and Logs. For the difference between Log Viewer and Packet Capture, see Testing Sophos Firewall Rules with Log Viewer, Policy Test, and Packet Capture.

Properly Handling False Positives

If Application Control blocks legitimate traffic, do not immediately deactivate the entire filter.

Sensible sequence:

  1. Document the affected application and log entry.
  2. Check which firewall rule and which Application Filter are involved.
  3. Check application, category, and action in the filter.
  4. Check if the application is recognized differently by TLS Inspection.
  5. Set exception as narrowly as possible: application, source network, user group, or target.
  6. Document owner and review date for the exception.

An exception for Any or a broad category often quickly resolves the current case but weakens control permanently. A small, understandable exception with a clear justification is better.

Common Mistakes

Mistake | Effect | Better Approach
--- | --- | ---
Application Filter created but not selected in rule | No effect on traffic | Activate filter in the actual firewall rule
Traffic runs through another rule | Filter is never reached | Check Rule ID in Log Viewer
Too broad category blocked | Legitimate cloud or business services affected | Use individual applications or narrower groups
Overestimated HTTPS recognition | Application not reliably recognized | Check TLS Inspection and QUIC behavior
Logging missing | Effect remains invisible | Activate rule logging for testing and operation
Exception too broad | Protective function is practically nullified | Set exception narrowly and with review date

Operational Check

Application Control should be regularly checked. Applications change, cloud services use new endpoints, users use new tools, and signatures are updated.

Documentation should include:

  • Purpose of the Application Filter
  • Affected firewall rules
  • Blocked or allowed applications
  • Known exceptions
  • Technical owner
  • Review date
  • Last relevant change

If Application Control is used for critical business applications, school networks, or compliance requirements, Central Reporting, Syslog, or SIEM should also be checked. For central evaluation, see Activating Central Firewall Reporting or Setting Up Sophos Firewall Syslog and SIEM.

Checklist

  • License status checked.
  • Affected firewall rule clearly identified.
  • Application Filter created with a clear purpose.
  • Filter selected in the correct firewall rule.
  • Rule logging active.
  • Test client and test application defined.
  • Log Viewer checked for Rule ID and Application Control.
  • TLS Inspection and QUIC evaluated if HTTPS recognition is unclear.
  • Exceptions narrowly documented.
  • Review date set.

Frequently Asked Questions

Where do you activate Application Control on Sophos Firewall?

Create or select an Application Filter under Protect > Applications > Application filter and then activate it in the appropriate firewall rule under Other security features > Identify and control applications (App control).

Why is Application Control not taking effect?

Often, the traffic runs through another firewall rule, the Application Filter is not active in the rule, logging is missing, or the application is not reliably recognized without TLS Inspection.

Does Application Control require TLS Inspection?

Not always. Some applications can be recognized even without full decryption. However, for modern HTTPS and cloud services, TLS Inspection may be necessary for the firewall to see enough details.

Is Application Control the same as Web Filtering?

No. Web Filtering evaluates websites, categories, and URLs. Application Control recognizes applications and protocols. In modern HTTPS environments, the topics overlap but remain different control points.

Can Application Control be used for Traffic Shaping?

Yes. Application Control can recognize applications that are then prioritized or limited. The procedure is detailed in Configuring Application Traffic Shaping on Sophos Firewall.